Re: Ideas for stopping ssh brute force attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Tue, Jul 22, 2008, D Steward wrote:
>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)
>
>Yup.
>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>various subnets to stay safe. :(

If you do not allow password authentication and use good pass
phrases on your identity, the only thing really gained by
restricting on IP ranges is restricting the number of reject
messages in your log files.  The fail2ban program does a nice job
of limiting the number of rejection messages in the logs.

Another possibility is to set up OpenVPN on your system, which
authenticates on ssl certificates and works nicely even from
dynamic IPs behind NAT.  Then you can ssh into the private LAN
behind your firewall via OpenVPN.

Bill
-- 
INTERNET:   bill@xxxxxxxxxxxxx  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Foreign aid might be defined as a transfer from poor people in rich
countries to rich people in poor countries -- Douglas Casey
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux