- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Banning non Australian IP's from Aussie ecommerce site
- From: justin randell <justin.randell@xxxxxxxxx>
- Date: Mon, 11 Oct 2010 18:25:09 +1100
hi,

On 11 October 2010 17:54, Nick Andrew <nick@xxxxxxxxxxxxxxx> wrote:
> On Mon, Oct 11, 2010 at 16:31, justin randell <justin.randell@xxxxxxxxx> wrote:
>
>> unless there's some really good reason not to, i'd strongly advise
>> securing your ssh so that it's public-key only. i've seen too many
>> places that rely on limiting the amount of ssh attempts get hacked to
>> put any faith in that method any more.
>
> Don't discount defense in depth. Hostile IP addresses found by ssh
> rate-limiting can be blocked from all ports. It doesn't preclude use of
> keys instead of passwords.

discount? how much is defence in depth going for these days? ;-)

perhaps i wasn't clear, but when i said "relying on rate limiting is
bad", i didn't mean to imply "using rate-limiting is evil in all forms
no matter what".

if i had to choose between rate limiting and strong passwords vs keys,
i'd choose keys.

cheers
justin