From owner-freebsd-questions@FreeBSD.ORG Sun Jan 14 23:53:53 2007
From: Norberto Meijome
To: Erik Norgaard
Cc: FreeBSD-Questions, VeeJay
Date: Mon, 15 Jan 2007 10:53:47 +1100
Subject: Re: Please Help! How to STOP them...
Message-ID: <20070115105347.391e6d41@localhost>
In-Reply-To: <45AA40A2.2000906@locolomo.org>

On Sun, 14 Jan 2007 15:39:30 +0100
Erik Norgaard wrote:

> - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key auth.

> - restrict access to certain users or groups of users

I would say, idem here.

> - deny direct access as root

This is obvious... and a default in BSD (I don't think it's a default in some (most?) Linux distros though).

> - enforce strong passwords, if you can't enforce key authentication
> - limit the ip address space that is allowed to connect, to the space
>   where you or your users are likely to be
> - limit the number of simultaneous unauthenticated connections

I would add: limit the number of password retries, so if they want to hammer you, at least they'll have to try a new connection. Of course, this leaves you open to a DOS... but, well, I guess you are still open to that the second you're on the net :)

Moving the default TCP port to other than the default WILL diminish the attempts. It will NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still should configure key auth + limit users + deny root, etc.

_________________________
{Beto|Norberto|Numard} Meijome
"Everything should be made as simple as possible, but not simpler."
Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
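An added check for the settings discussed in this thread (example script written for this page, not code from either poster): it audits an sshd_config file against the points above and, as the reply argues, reports a non-default Port as information rather than as a security gain. It assumes the plain `Keyword value` form of sshd_config and ships with a constructed sample config.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points raised in this thread.
# The exit status of audit_sshd_config is the number of findings.

# sshd uses the first value given for a keyword, and directives after a Match
# line are conditional, so stop reading there. Assumes the "Keyword value" form.
ssh_opt() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg="$1"; findings=0
    warn() { echo "WARN: $1"; findings=$((findings + 1)); }

    [ "$(ssh_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || warn "PasswordAuthentication not 'no': key authentication is not enforced"
    [ -n "$(ssh_opt "$cfg" AllowUsers)$(ssh_opt "$cfg" AllowGroups)" ] \
        || warn "no AllowUsers/AllowGroups: every local account may be tried"
    [ "$(ssh_opt "$cfg" PermitRootLogin)" = "no" ] \
        || warn "PermitRootLogin not 'no': direct root login allowed"
    tries=$(ssh_opt "$cfg" MaxAuthTries)      # sshd default is 6 per connection
    { [ -n "$tries" ] && [ "$tries" -le 3 ]; } \
        || warn "MaxAuthTries unset or above 3: many password retries per connection"
    [ -n "$(ssh_opt "$cfg" MaxStartups)" ] \
        || warn "MaxStartups unset: no cap on simultaneous unauthenticated connections"
    port=$(ssh_opt "$cfg" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "INFO: Port $port cuts log noise only; it adds no security by itself"
    fi
    echo "findings: $findings"
    return "$findings"
}

# Constructed sample resembling a stock config; not taken from any real host.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# MaxAuthTries 6
EOF
}

demo=$(mktemp) && write_sample_config "$demo"
audit_sshd_config "$demo" || true      # reports 5 findings on the sample
rm -f "$demo"
```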