SLUG Mailing List Archives
Re: [SLUG] Chinese intruder yesterday
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Chinese intruder yesterday
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Fri, 14 Aug 2009 11:50:47 +1000
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Morgan Storey <me@xxxxxxxxxxxxxxxx> writes:
> I am a big fan of the denyhosts package, it can warn you via email or sms
> gateway and lock IPs out on x number of failed attempts.
I am not sure I care that much about knowing every time a robot gets
banned. ;) Anyway, I found the distributed nature of denyhosts a much more
valuable service: it allows you to detect, in conjunction with others, hostile
machines *before* they have a chance to abuse your systems.
> There is also port knocking that I have found useful for remote support, but
> it is too difficult for end users I think.
It probably is, and given that there is *zero* security difference between
any of the current "port knocking" and using some other solution that uses
user authentication to open the firewall for other remote access.
So, using something more user-friendly is probably a better strategy if you do
want to open SSH inbound only if someone authenticates somewhere else first.
 ...or a security difference in favour of the non-"port knocking"
solutions, since they have better tested, audited and validated code, or
the scope to do more in terms of security.
✣ Daniel Pittman ✉ daniel@xxxxxxxxxxxx ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
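The threshold-based lockout Morgan describes (count failed SSH logins per source address, deny the address once it passes a limit, raise an alert) is simple enough to show in full. The following is an added illustration written for this archive page; it is not code from the thread or from the denyhosts project. The log lines are constructed sample sshd output, the threshold and the allowlist of addresses that must never be locked out are assumed parameters, and the deny entries use the standard TCP Wrappers `daemon: client` form that /etc/hosts.deny expects.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Aug 13 22:01:05 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug 13 22:01:08 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Aug 13 22:01:11 host sshd[1203]: Failed password for root from 192.0.2.10 port 51240 ssh2
Aug 13 22:01:15 host sshd[1205]: Failed password for root from 192.0.2.10 port 51244 ssh2
Aug 13 22:02:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Aug 13 22:02:30 host sshd[1212]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
Aug 13 22:03:00 host sshd[1220]: Failed password for bob from 203.0.113.5 port 33000 ssh2
"""

# Matches the two common "Failed password" forms sshd logs (known user and "invalid user").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(log_text, threshold=3, allowlist=()):
    """Source IPs with at least `threshold` failures, excluding allowlisted addresses.

    The allowlist (assumed parameter) is the check a practitioner wants before
    automating lockouts: a typo-prone admin on a trusted network must not be
    able to lock the whole office out of the box.
    """
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def deny_entries(ips):
    """Lines in /etc/hosts.deny syntax ("daemon: client") for the given IPs."""
    return ["sshd: %s" % ip for ip in ips]


def alert_message(log_text, threshold=3, allowlist=()):
    """Short notification text suitable for an email or SMS gateway; None if nothing to report."""
    counts = count_failures(log_text)
    denied = hosts_to_deny(log_text, threshold, allowlist)
    if not denied:
        return None
    parts = ["%s (%d failures)" % (ip, counts[ip]) for ip in denied]
    return "Locked out after >=%d failed SSH logins: %s" % (threshold, ", ".join(parts))


if __name__ == "__main__":
    for entry in deny_entries(hosts_to_deny(SAMPLE_AUTH_LOG)):
        print(entry)
    print(alert_message(SAMPLE_AUTH_LOG))
```

With the constructed input only 192.0.2.10 crosses the default threshold of three; 198.51.100.7 fails once and then authenticates successfully with a key, which is exactly the case a too-low threshold would punish.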