On Fri, Feb 23, 2007 at 07:02:26PM -0700, Bryan O'Neal wrote:
> I port translate SSH and direct forward to a single box which I can use
> to get to the rest of my network. I only allow access from my home
> network and my company network. I can VPN into my company if I need to
> get home while on the road. I do like password authentication because I
> often have to call someone (like my wife or my most trusted co-worker)
> and walk them through a connection when I need information and do not
> have network access. It is easy to change a password, it is harder to
> FedEx a thumb drive from the middle of the outback.

You can leave thumb drives or diskettes with your wife and coworkers.
They'll still need your password to use the key, and you can still change
keys when you get back. Just a tiny bit of preparation...

> On my Windows boxes I eliminate brute force attacks by having it lock
> out any account for 2 seconds after a wrong password and 15 minutes
> after 10 wrong passwords. But I don't know how to configure this on
> Linux?

I don't know of any apples-to-apples way, but I bet the same goal can be
met somehow. Using BSD's PF rules (similar to ipchains) it would be
something like this:

    table <evil-hosts> persist
    block in quick from <evil-hosts>
    pass in log on $ext_if inet proto tcp from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 10/60, overload <evil-hosts> flush global)

which says...

1. block IP addresses in table evil-hosts
2. let people in for ssh and establish state; more than 10 connections in
   60 seconds puts you in a table and drops your connection.

There's probably something very much like that capability in ipchains.
Since I use PK auth it's not really needed, but I use it sometimes to stop
the script kids from filling up my logs. It's nice to see in the logs:
attempt, attempt, attempt, ... *plonk*, where'd they go?
:-)

--
Darrin Chandler            | Phoenix BSD Users Group
dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/ |
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
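The PF rule in the reply above keys on connection rate, not on failed logins. As an added example (not from the mailing-list thread, and not Darrin's or PF's code), the script below applies the same "more than 10 in 60 seconds, then into a persistent overload table" logic as a log-based detector that a Linux admin could run over sshd auth lines. The log excerpt, hostnames and IP addresses are constructed for the example; the year 2007 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log excerpt for this example (not from the mail).
# 203.0.113.7 fails eleven times in twenty seconds; 198.51.100.4 fails twice
# and then succeeds with a key. The "Accepted" line must not be counted.
SAMPLE_LOG = "\n".join(
    [f"Feb 23 19:10:{s:02d} gw sshd[41{s:02d}]: Failed password for invalid user admin "
     f"from 203.0.113.7 port 5{s:04d} ssh2" for s in range(1, 22, 2)]
    + [
        "Feb 23 19:10:10 gw sshd[4200]: Failed password for bryan from 198.51.100.4 port 50322 ssh2",
        "Feb 23 19:10:40 gw sshd[4201]: Failed password for bryan from 198.51.100.4 port 50323 ssh2",
        "Feb 23 19:10:55 gw sshd[4202]: Accepted publickey for bryan from 198.51.100.4 port 50324 ssh2",
        "Feb 23 19:12:00 gw sshd[4300]: Failed password for invalid user root from 203.0.113.7 port 52000 ssh2",
    ]
)

# Matches OpenSSH "Failed password" lines; the "invalid user" prefix is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2007):
    """Return a chronologically sorted list of (datetime, source_ip) for
    every failed password attempt in log_text. Other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog pads single-digit days with two spaces; collapse before parsing
        ts = re.sub(r"\s+", " ", m.group("ts"))
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, m.group("ip")))
    events.sort()
    return events


def overload_table(events, max_count=10, window_seconds=60):
    """Sliding-window rate check modelled on PF's
    'max-src-conn-rate 10/60, overload <table>': a source that produces
    more than max_count events inside any window_seconds span is added to
    the table, and (like a 'persist' table) stays there until flushed.
    Returns {ip: datetime_when_added}."""
    recent = defaultdict(deque)
    table = {}
    for when, ip in events:
        if ip in table:
            continue  # already overloaded; further attempts are not re-counted
        q = recent[ip]
        q.append(when)
        # drop timestamps that have fallen out of the window
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_count:
            table[ip] = when
    return table


def run_example():
    """Run the detector over the constructed excerpt and return the table."""
    return overload_table(parse_failed_logins(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, when in run_example().items():
        print(f"{ip} added to overload table at {when:%H:%M:%S}")
```

Feeding the table into a firewall (pfctl on BSD, or a Linux packet filter) is left to the operator; the point here is that the threshold and window semantics carry over unchanged, so the "attempt, attempt, ... *plonk*" pattern in the logs looks the same on either platform.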