On 02/03/2014 12:26 PM, S. Dale Morrey wrote:
> Interesting, I'm going to have to try that. I move SSH to a random port
> off in the boonies, that alone eliminated bruteforce attempts on my end.
> Still passwords are so 1970s. Certs are where all the cool kids are
> stashing their goodies nowadays :)

Recent versions of OpenSSH allow you to configure options on a per-host or
per-subnet basis. For example, here's an extract from my sshd_config:

    PasswordAuthentication no
    Match Address 192.168.*,127.*
        PasswordAuthentication yes
        X11Forwarding yes
        AllowTcpForwarding yes

That bans password logins except from private IP addresses (VPN in my case).
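
An added example, not part of the original post and not OpenSSH code: a small Python model of how the extract above resolves a keyword for a given client address. It assumes a single global section plus Match blocks whose only criterion is Address; the function names and the sample addresses are made up for illustration.

```python
import fnmatch
import ipaddress
# Constructed sample: the sshd_config extract from the post.
SSHD_CONFIG = """\
PasswordAuthentication no
Match Address 192.168.*,127.*
    PasswordAuthentication yes
    X11Forwarding yes
    AllowTcpForwarding yes
"""

def parse(text):  # -> (global_opts, [(address_patterns, opts), ...])
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if not key:
            continue
        if key.lower() == "match":
            criterion, _, patterns = value.strip().partition(" ")
            if criterion.lower() != "address":
                raise ValueError("this sketch only models 'Match Address'")
            current = {}
            blocks.append((patterns.strip().split(","), current))
        else:
            current.setdefault(key.lower(), value.strip())  # first value wins
    return global_opts, blocks

def addr_matches(addr, patterns):
    """Pattern list: '*'/'?' wildcards or CIDR; a negated hit vetoes the list."""
    ip, hit = ipaddress.ip_address(addr), False
    for pat in patterns:
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        matched = ip in ipaddress.ip_network(pat) if "/" in pat else fnmatch.fnmatchcase(addr, pat)
        if matched and negated:
            return False
        hit = hit or matched
    return hit

def effective(text, addr, keyword):
    """Value of keyword for a client at addr: first matching Match block, else global."""
    global_opts, blocks = parse(text)
    for patterns, opts in blocks:
        if keyword.lower() in opts and addr_matches(addr, patterns):
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower())

if __name__ == "__main__":
    for addr in ("192.168.1.20", "127.0.0.1", "10.8.0.5", "203.0.113.7"):
        print(addr, effective(SSHD_CONFIG, addr, "PasswordAuthentication"))
```

Wildcard patterns are plain string matches on the address, so a pattern such as 10* would also match 100.64.0.1, while the CIDR form 10.0.0.0/8 would not. On a real host, `sshd -T -C user=<user>,host=<host>,addr=<address>` prints what sshd itself resolves for that connection.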