On 02/03/2014 12:26 PM, S. Dale Morrey wrote:
> Interesting, I'm going to have to try that. I move SSH to a random port
> off in the boonies, that alone eliminated bruteforce attempts on my end.
> Still passwords are so 1970s. Certs are where all the cool kids are
> stashing their goodies nowadays :)

Recent versions of OpenSSH allow you to configure options on a per-host or
per-subnet basis. For example, here's an extract from my sshd_config:

    PasswordAuthentication no
    Match Address 192.168.*,127.*
        PasswordAuthentication yes
        X11Forwarding yes
        AllowTcpForwarding yes

That bans password logins except from private IP addresses (VPN in my case).
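
An added example, not part of the original message or of OpenSSH: a simplified Python model of how the extract above resolves for a given client address, with the global default overridden by a matching `Match Address` block. The function names are hypothetical, only `Match all` and single-criterion `Match Address` lines are modelled, and the sample addresses are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample: the sshd_config extract quoted in the message above.
SAMPLE_CONFIG = """\
PasswordAuthentication no
Match Address 192.168.*,127.*
    PasswordAuthentication yes
    X11Forwarding yes
    AllowTcpForwarding yes
"""

def address_matches(addr, pattern_list):
    """Simplified model of a Match Address list: comma-separated wildcard
    or CIDR patterns; a pattern prefixed with '!' vetoes the whole list."""
    matched = False
    for pat in pattern_list.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:   # CIDR form, e.g. 10.0.0.0/8
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
        else:            # textual wildcard form, e.g. 192.168.*
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched

def effective_settings(config_text, client_addr):
    """Return {lowercased keyword: value} in effect for client_addr."""
    global_opts, match_opts = {}, {}
    target = global_opts                       # lines before any Match are global
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        keyword = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword == "match":
            crit, _, patterns = value.partition(" ")
            applies = crit.lower() == "all" or (
                crit.lower() == "address" and address_matches(client_addr, patterns.strip()))
            target = match_opts if applies else None   # other criteria: not modelled
        elif target is not None:
            target.setdefault(keyword, value)          # first value obtained wins
    return {**global_opts, **match_opts}               # Match settings override global

if __name__ == "__main__":
    for addr in ("192.168.1.20", "127.0.0.1", "10.8.0.5", "::1", "203.0.113.7"):
        print(addr, effective_settings(SAMPLE_CONFIG, addr)["passwordauthentication"])
```

To have sshd itself resolve the settings on a real host, run `sshd -T -C user=someuser,host=client.example,addr=203.0.113.7` (constructed values) and read the `passwordauthentication` line of its output.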