[clug] mc-root anyone?
Kim Holburn
kim at holburn.net
Thu Jun 18 16:29:45 GMT 2009
On 2009/Jun/18, at 6:06 PM, Michael Still wrote:
> Paul Wayper wrote:
>
>> I would recommend never allowing SSH on port 22 on anything that handles
>> a connection from the internet. I have a port remapping NAT rule on my
>> firewall to remap from a high port to SSH on my internal server; other
>> people just change the 'Port' number in /etc/ssh/sshd_config to a
>> highish number (2222 is easy to remember). If you're paranoid, you also
>> run fail2ban or some similar daemon that checks for too many password
>> failures and bans that IP address automatically for a time.
>
> What about retarded networks that filter higher ports though? I travel a
> bit, and these things seem to happen relatively frequently.
And they let ssh in? Like I said in another post, I don't think
changing the port does that much. There's lots of ports under 1024 if
you really want to do that. Allow/authorise only a small number of
users to ssh in. Only allow public key or one-time keys; either is
secure and stops outside attacks from ever being successful (unless someone
finds a buffer overflow in sshd, and then yubikeys or one-time keys are
not going to be any more effective than public keys). Use fail2ban.
> I'm wondering if yubikeys are the answer.
>
> Mikal
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
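An added example, not part of Kim's post or anything else in the thread: a small Python check that reads an sshd_config body and reports where it departs from the advice above (a short AllowUsers list, public-key only, no root login), with a constructed weak config beside a constructed hardened one. The defaults assumed for missing keys are marked in the code; Match blocks and fail2ban are outside its scope.

```python
import re

# Hardening points from the thread: keyword -> (wanted value, assumed OpenSSH default
# used when the key is absent). The defaults are assumptions, not read from the page.
REQUIRED = {
    "passwordauthentication": ("no", "yes"),
    "permitrootlogin":        ("no", "yes"),
    "pubkeyauthentication":   ("yes", "yes"),
}

def parse_sshd_config(text):
    """Return {lowercased keyword: last value}; handles 'Key value' and 'Key=value'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    s = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in REQUIRED.items():
        value = s.get(key, default).lower()
        if value != wanted:
            findings.append(f"{key} is {value!r} (want {wanted!r})")
    # Only a small, named set of users should be able to log in at all.
    if not s.get("allowusers") and not s.get("allowgroups"):
        findings.append("no AllowUsers/AllowGroups: every local account can try to log in")
    # Moving off port 22 is debated in the thread, so this is informational only.
    if s.get("port", "22") == "22":
        findings.append("port is 22 (note only; not a control by itself)")
    return findings

# Constructed samples: a stock-looking config and the same host with the advice applied.
WEAK = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED = ("Port 2222\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
            "PermitRootLogin no\nAllowUsers kim paul\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "OK")
```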