On 11 October 2010 17:54, Nick Andrew <nick@xxxxxxxxxxxxxxx> wrote:
> On Mon, Oct 11, 2010 at 16:31, justin randell <justin.randell@xxxxxxxxx> wrote:
>> unless there's some really good reason not to, i'd strongly advise
>> securing your ssh so that it's public-key only. i've seen too many
>> places that rely on limiting the number of ssh attempts get hacked to
>> put any faith in that method any more.
> Don't discount defense in depth. Hostile IP addresses found by ssh
> rate-limiting can be blocked from all ports. It doesn't preclude use of
> keys instead of passwords.

discount? how much is defence in depth going for these days? ;-)

perhaps i wasn't clear, but when i said "relying on rate limiting is
bad", i didn't mean to imply "using rate-limiting is evil in all forms
no matter what".

if i had to choose between rate limiting and strong passwords vs keys,
i'd choose keys.