On Tue, Apr 11, 2006 at 09:11:54PM -0700, Richard Wilson wrote:
> Thus an upgrade shouldn't mess with your rules but should preserve them
> and add capabilities. Some of the new capabilities that have shown up
> include a throttling mechanism that almost makes it safe to open inbound
> SSH on an Internet-facing server. Basically you can permit X number of
> login attempts from IP Y during delta time Z and then block all access
> from IP Y if it fails more than X times for time period A. X, Y, Z
> and A are all values you can set. There are other enhancements as well;
> that one sticks in my mind.

I think leaving ssh open to the internet is pretty safe if you have sane
settings and good passwords. I played with the pf version of the throttling
mechanism you mention, and while it's fun to watch people blacklist
themselves, it gets old after a while. I ended up taking it out after
realizing that they just weren't going to brute-force their way in unless
you have bad passwords.

But that mechanism can be a great thing to help with DoS attacks, and other
things as well.

--
Darrin Chandler            | Phoenix BSD Users Group
dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
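The X/Y/Z/A throttle Richard describes in the quoted text, as an added example that is not part of the thread and not pf's own code: a small Python model that counts failed logins per source IP in a sliding window of Z seconds, and once a source exceeds X failures blocks it for A seconds, replayed over a few constructed sshd log lines. In pf the same policy is expressed per TCP connection rather than per failed login (`max-src-conn-rate X/Z` with `overload <table> flush global`, the table entries being expired after A seconds with `pfctl -t table -T expire A`); the class, the sample log and the address values below are all assumptions made for this example.

```python
# Added example, not code from the thread or from pf: a Python model of the
# per-source throttle (X failures from IP Y within Z seconds, then block Y for
# A seconds), replayed over constructed sshd log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
EPOCH = datetime(1900, 1, 1)  # syslog timestamps carry no year; only deltas matter


def to_seconds(ts):
    """Convert a syslog timestamp like 'Apr 11 21:00:01' to seconds since EPOCH."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - EPOCH).total_seconds()


class SourceThrottle:
    """Sliding-window failure counter with a timed block per source IP.

    Assumes events arrive in time order, as they do when replaying a log.
    """

    def __init__(self, max_attempts, window, block_for):
        self.max_attempts = max_attempts        # X
        self.window = window                    # Z, seconds
        self.block_for = block_for              # A, seconds
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.blocked_until = {}                 # ip -> time the block expires

    def record_failure(self, ip, now):
        """Register a failed login from ip at time now.

        Returns True if ip is still permitted, False if it is (or has just
        become) blocked.
        """
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False                    # still serving the block period A
            del self.blocked_until[ip]          # block expired: start counting afresh
            self.failures[ip].clear()
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # drop failures older than Z
        if len(recent) > self.max_attempts:     # more than X failures within Z
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return False
        return True

    def is_blocked(self, ip, now):
        """True while ip is inside its block period."""
        return now < self.blocked_until.get(ip, 0)


def replay(lines, max_attempts, window, block_for):
    """Feed sshd log lines through a throttle; return (ip, permitted) per failure line."""
    throttle = SourceThrottle(max_attempts, window, block_for)
    decisions = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                            # successful logins and other lines are ignored
        decisions.append((m["ip"], throttle.record_failure(m["ip"], to_seconds(m["ts"]))))
    return decisions


# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Apr 11 21:00:01 gw sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Apr 11 21:00:05 gw sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Apr 11 21:00:09 gw sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2",
    "Apr 11 21:00:12 gw sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Apr 11 21:00:30 gw sshd[1005]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Apr 11 21:00:31 gw sshd[1005]: Accepted publickey for darrin from 198.51.100.7 port 50001 ssh2",
    "Apr 11 21:05:00 gw sshd[1006]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Apr 11 21:11:00 gw sshd[1007]: Failed password for root from 203.0.113.5 port 40006 ssh2",
]

if __name__ == "__main__":
    # X=3 failures within Z=60 s, then block the source for A=600 s.
    for ip, permitted in replay(SAMPLE_LOG, max_attempts=3, window=60, block_for=600):
        print(ip, "permitted" if permitted else "BLOCKED")
```

With X=3, Z=60 and A=600 the fourth failure from 203.0.113.5 at 21:00:12 trips the block, the failure at 21:05:00 is still inside the block period, and the one at 21:11:00 is counted afresh because the block has expired. Note that counting failed logins, as the quoted description does, requires feedback from sshd; pf on its own only sees connections, so a connection-rate rule throttles a scanner that opens many short sessions but does nothing against one that tries many passwords inside a single session.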