Re: Ideas for stopping ssh brute force attacks




On Mon, July 21, 2008 6:47 pm, Bill Campbell wrote:
> On Tue, Jul 22, 2008, D Steward wrote:
>>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>>> When using denyhosts, you'll want to keep your IP's in hosts.allow so
>>> even if you're "banned" you can still get access. :-)
>>
>>Yup.
>>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>>various subnets to stay safe. :(
>
> If you do not allow password authentication and use good pass
> phrases on your identity, the only thing really gained by
> restricting on IP ranges is restricting the number of reject
> messages in your log files.  The fail2ban program does a nice job
> of limiting the number of rejection messages in the logs.
>
> Another possibility is to set up OpenVPN on your system, which
> authenticates on ssl certificates and works nicely even from
> dynamic IPs behind NAT.  Then you can ssh into the private LAN
> behind your firewall via OpenVPN.
>
> Bill
> --
> INTERNET:   bill@xxxxxxxxxxxxx  Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
> Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
> Fax:            (206) 232-9186
>
> Foreign aid might be defined as a transfer from poor people in rich
> countries to rich people in poor countries -- Douglas Casey
>
Bill,

we have been looking at implementing OpenVPN to allow access to the
internal LAN. For a firewall, we basically have iptables with 2 NICs doing
NAT. So would the OpenVPN server live inside our private network and
just have some forwards done with iptables on the firewall, or would it be
better to implement it by itself with 2 NICs, one on the public side and
one on the private?

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
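The fail2ban-style log check Bill mentions above (count rejected password attempts per source and flag sources that exceed a threshold inside a time window), as an added example that is not from the thread; the log lines are constructed, and the `maxretry`/`findtime` names are borrowed from fail2ban's config vocabulary but the code is an independent illustration:

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password" lines sshd writes to /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log lines (documentation-range addresses, not a real host).
SAMPLE_LOG = """\
Jul 22 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Jul 22 10:00:03 gw sshd[2102]: Failed password for root from 203.0.113.9 port 40113 ssh2
Jul 22 10:00:05 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.9 port 40114 ssh2
Jul 22 10:00:09 gw sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jul 22 10:00:14 gw sshd[2106]: Failed password for root from 203.0.113.9 port 40115 ssh2
Jul 22 10:01:30 gw sshd[2105]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Jul 22 10:30:00 gw sshd[2107]: Failed password for root from 203.0.113.9 port 40116 ssh2
"""

def parse_failures(log_text, year=2008):
    """Return (timestamp, ip, user) for every rejected password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def offenders(log_text, maxretry=3, findtime=600):
    """Map IP -> total failures for IPs with >= maxretry failures in any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed password attempts, candidate for a temporary block")
```

A single typo from a legitimate user (alice above) stays below the threshold, which is the behaviour you want so that your own dynamic address is not locked out.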

