From: Bruce S. <bw...@ar...> - 2007-03-05 01:13:32
> > A better solution (IMO) would be a modification to openssh so it shuts
> > down an IP for a [configurable] period of time, after a [configurable]
> > number of bad authentication attempts. I even suggested that to one of
> > the openssh developers I once had a small email thread with.
>
> You are not talking approximately about this: denyhosts.sourceforge.net
>
> I considered it, but I don't like any extra daemons lurking there
> (watching ssh log for bad login attempts).
>
> It can also act as a wrapper, so it will control the openssh daemon. It
> restarts it if it has to block an IP, or something.
>
> iptables, even with the scp problem you discussed above, is an independent,
> protocol-neutral, wrapper/daemon-free solution. I like it that way, and
> I do understand it is a matter of taste.

I agree. I've looked at ssh "wrappers", but I also don't like the extra daemons or cron jobs running. Especially since a non-standard port + ssh-keys works great for me.

I really don't think we'll see ssh brute force bots looking at non-standard ports for a LONG time (not until everyone stops using 22). With 64K ports available, that's a LOT of extra scanning to do.

- BS