Re: iptables

Author: Darrin Chandler
Date:  
To: Main PLUG discussion list
Subject: Re: iptables
On Tue, Apr 11, 2006 at 09:11:54PM -0700, Richard Wilson wrote:
> Thus an upgrade shouldn't mess with your rules but should preserve them
> and add capabilities. Some of the new capabilities that have shown up
> include a throttling mechanism that almost makes it safe to open inbound
> SSH on an Internet facing server. Basically you can permit X number of
> login attempts from IP Y during delta time Z and then block all access
> from IP Y if it fails more than X times for time period A. X, Y, Z
> and A are all values you can set. There are other enhancements as well,
> that one sticks in my mind.


I think leaving ssh open to the internet is pretty safe if you have
sane settings and good passwords.

I played with the pf version of the throttling mechanism you mention,
and while it's fun to watch people blacklist themselves it gets old
after a while. I ended up taking it out after realizing that they
just weren't going to brute-force their way in unless you have bad
passwords.

But that mechanism can be a great thing to help with DoS attacks, and
other things as well.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
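As an added example, not part of either poster's message: the X-attempts-in-Z-seconds throttle Richard describes, expressed as Linux iptables rules built on the `recent` match module (the pf counterpart Darrin mentions is `max-src-conn-rate` with an `overload` table). The script generates the rules from X and Z and only applies them on request; the list name `ssh_throttle`, the `SSH_PORT` variable and the function names are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example: generate iptables "recent"-module rules that permit X new SSH
# connections per source address within Z seconds and drop the next one.
# Assumes iptables with the recent and conntrack match modules; SSH_PORT and
# the list name ssh_throttle are this example's own choices.

SSH_PORT=${SSH_PORT:-22}
LIST_NAME=ssh_throttle

# is_posint STRING -> succeeds if STRING is a positive integer
is_posint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# ssh_throttle_rules X Z
#   Print (do not apply) the rules. With --set first, the current packet is
#   counted, so --hitcount X+1 lets X new connections through per Z seconds
#   from one source and drops the (X+1)th. --update refreshes the source's
#   timestamp on every hit, so a source that keeps trying stays blocked until
#   Z seconds after its last attempt.
ssh_throttle_rules() {
    x=$1; z=$2
    is_posint "$x" && is_posint "$z" || {
        echo "usage: ssh_throttle_rules X Z (positive integers)" >&2
        return 1
    }
    hits=$((x + 1))
    # xt_recent remembers a limited number of packets per address (the Linux
    # default is 20, see /sys/module/xt_recent/parameters/ip_pkt_list_tot);
    # a larger hitcount needs that module parameter raised.
    [ "$hits" -gt 20 ] && echo "warning: hitcount $hits exceeds the usual xt_recent packet limit" >&2
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST_NAME --set
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST_NAME --update --seconds $z --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# ssh_throttle_apply X Z
#   Run the generated rules (needs root). Set IPTABLES_DRY_RUN=1 to print
#   them instead, which is also how the rules can be reviewed before use.
ssh_throttle_apply() {
    rules=$(ssh_throttle_rules "$1" "$2") || return 1
    if [ "${IPTABLES_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Usage: IPTABLES_DRY_RUN=1 ssh_throttle_apply 3 60
#        (review), then as root: ssh_throttle_apply 3 60
```

These rules must come before any general ACCEPT for the SSH port, and they count new connections rather than failed logins, so a single user opening several sessions quickly counts the same as a brute-forcer. A separate "stay blocked for A seconds" period is not something one `recent` rule expresses; in pf that role is played by the overload table and a periodic `pfctl -t <table> -T expire A`.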
---------------------------------------------------
PLUG-discuss mailing list - 
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss