On Mon, July 21, 2008 6:47 pm, Bill Campbell wrote: > On Tue, Jul 22, 2008, D Steward wrote: >>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote: >>> When using denyhosts, you'll want to keep your IP's in hosts.allow so >>> even if you're "banned" you can still get access. :-) >> >>Yup. >>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter >>various subnets to stay safe. :( > > If you do not allow password authentication and use good pass > phrases on your identity, the only thing really gained by > restricting on IP ranges is restricting the number of reject > messages in your log files. The fail2ban program does a nice job > of limiting the number of rejection messages in the logs. > > Another possibility is to set up OpenVPN on your system, which > authenticates on ssl certificates and works nicely even from > dynamic IPs behind NAT. Then you can ssh into the private LAN > behind your firewall via OpenVPN. > > Bill > -- > INTERNET: bill@xxxxxxxxxxxxx Bill Campbell; Celestial Software LLC > URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way > Voice: (206) 236-1676 Mercer Island, WA 98040-0820 > Fax: (206) 232-9186 > > Foreign aid might be defined as a transfer from poor people in rich > countries to rich people in poor countries -- Douglas Casey > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > Bill, we have been looking at implementing OpenVPN to allow access to the internal LAN. For a firewall, we basically have iptables with 2 nics doing NAT. So would the OpenVPN server live inside of our private network and just do some forwards with iptables on the firewall or would it be better to implement it with by itself with 2 nics one on the public and one on the private? _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos