On Wed, 2014-11-19 at 11:58 +0000, Patrick O'Callaghan wrote:
> If the main concern is ssh hacking, you might consider denyhosts (yum
> install denyhosts). It's easy to set up and seems to be effective. The
> logs make fascinating (and scary) reading.

To my mind, something like this ought to be part of the SSHD configuration: a configurable quota of allowed connection attempts to the daemon within a certain time period from the same source. Notch up, say, three failed logins, and you can't log in from that address for an hour. And not require some external thing to protect it.

Likewise, I think that sort of thing (a configurable quota filter) should be a standard part of the firewall that you already have, where you can apply a simple connection limiter to particular ports of your choosing (SSH, HTTP, etc). Naturally, to avoid accidental denial of service, a firewall needs to be able to differentiate between multiple okay connections (e.g. browsing a webserver) and multiple not-okay connections (e.g. rejected SSH login attempts), not just dumbly throttle so-many connections per minute. And, theoretically, that shouldn't be impossible (using lack of response, or particular denial responses from known services, as a trigger it can use).

Of course a hack attempt could be made from a plethora of addresses, to try and get past that type of entry guard, but each one should fail and get ignored.

You need a really good passphrase, and hopefully a paired certificate, to stand against any external hack attempt; that's the real defense. The statistics of guessing a good passphrase should be astronomical. You don't know how many letters and/or numbers I've used, whether it's a real word, or several words. Nor do you know if my password is the same now as it was two days ago, or three minutes ago. Your previous discarded attempts maybe shouldn't be discarded, but tried several times. So to guess the actual one you've got nothing to work with.
To put that another way, how well can *you* pick all the winning numbers in a lottery? And would anyone be able to win it if we didn't know how many numbers to pick, nor within what range?

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.17.2-200.fc20.i686 #1 SMP Tue Nov 4 18:28:00 UTC 2014 i686

All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments.
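The per-source quota described in the message above (count failed logins from one address inside a time window, ban that address for an hour once it hits the limit, and leave addresses that only log in successfully alone) is exactly what log-watching tools such as denyhosts and fail2ban do on top of sshd. The script below is an added example for this thread, not code from either tool or from anyone in the discussion. It runs the quota over a handful of constructed sshd log lines (hypothetical hostname, documentation-range addresses; the year is assumed to be 2014 because syslog timestamps carry none) and reports, per line, whether the attempt was merely counted, triggered a ban, or was dropped because the source was already banned.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from any real host). The two message
# shapes, "Failed password for ..." and "Accepted <method> for ...", are the
# ones OpenSSH writes; the addresses are documentation-range, the host is made up.
SAMPLE_LOG = """\
Nov 19 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Nov 19 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Nov 19 12:00:04 host sshd[1003]: Accepted publickey for tim from 198.51.100.7 port 50000 ssh2
Nov 19 12:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 19 12:00:07 host sshd[1005]: Failed password for root from 203.0.113.5 port 40004 ssh2
Nov 19 12:00:09 host sshd[1006]: Failed password for tim from 198.51.100.7 port 50001 ssh2
Nov 19 12:00:10 host sshd[1007]: Accepted password for tim from 198.51.100.7 port 50002 ssh2
Nov 19 13:30:00 host sshd[1008]: Failed password for root from 203.0.113.5 port 40005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year):
    """Return (timestamp, succeeded, user, ip) for an auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unrelated sshd chatter, ignored
    ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"].startswith("Accepted"), m["user"], m["ip"]


class LoginQuota:
    """Three failures from one source within the window => ban for ban_for."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.failures = {}   # ip -> deque of failure timestamps inside the window
        self.banned = {}     # ip -> time the ban expires

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and now < expiry

    def observe(self, ip, ts, succeeded):
        """Feed one auth event; returns 'dropped', 'accepted', 'banned' or 'counted'."""
        if self.is_banned(ip, ts):
            return "dropped"            # still inside the ban: do not even count it
        self.banned.pop(ip, None)       # any ban on record has expired; forget it
        if succeeded:
            # A good login is an "okay" connection: it clears the failure history
            # so a user who mistyped once is not pushed towards a lockout.
            self.failures.pop(ip, None)
            return "accepted"
        q = self.failures.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # slide the window: old failures age out
        if len(q) >= self.max_failures:
            self.banned[ip] = ts + self.ban_for
            self.failures.pop(ip, None)
            return "banned"
        return "counted"


def process_log(text, year=2014):
    """Run the quota over a log; returns (quota, [(timestamp, ip, decision), ...])."""
    quota = LoginQuota()
    events = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ok, _user, ip = parsed
        events.append((ts, ip, quota.observe(ip, ts, ok)))
    return quota, events


if __name__ == "__main__":
    quota, events = process_log(SAMPLE_LOG)
    for ts, ip, decision in events:
        print(f"{ts:%b %d %H:%M:%S}  {ip:<14} {decision}")
    for ip, until in quota.banned.items():
        print(f"ban on {ip} expires {until:%H:%M:%S}")
```

In the sample, 203.0.113.5 is banned at its third failure (12:00:06), its next attempt one second later is dropped without being counted, and at 13:30:00 the hour has passed so that attempt is merely counted again; 198.51.100.7 fails once but then logs in, which wipes its counter. Note that sshd's own MaxAuthTries only limits authentication attempts within a single connection, not attempts from one source across many connections, which is why the per-source quota still has to live in a log watcher or in the firewall.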