Date: Mon, 15 Jan 2007 10:53:47 +1100
From: Norberto Meijome <freebsd@meijome.net>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: FreeBSD-Questions <freebsd-questions@freebsd.org>, VeeJay <maanjee@gmail.com>
Subject: Re: Please Help! How to STOP them...
Message-ID: <20070115105347.391e6d41@localhost>
In-Reply-To: <45AA40A2.2000906@locolomo.org>
References: <2cd0a0da0701121343g7fa2535fv4a7b201f5a03aff2@mail.gmail.com> <45AA40A2.2000906@locolomo.org>

On Sun, 14 Jan 2007 15:39:30 +0100
Erik Norgaard <norgaard@locolomo.org> wrote:

>  - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key auth.

>  - restrict access to certain users or groups of users

I would say, idem here.

>  - deny direct access as root

This is obvious... and a default in BSD (I don't think it's a default in some (most?) Linux distros though)

>  - enforce strong passwords, if you can't enforce key authentication
>  - limit the ip address space that is allowed to connect, to the space
>    where you or your users are likely to be
>  - limit the number of simultaneous unauthenticated connections

I would add to limit the number of password retries - so if they want to hammer you, at least they'll have to try a new connection. Of course, this leaves you open to a DOS ... but, well, I guess you are still open to that the second you're on the net :)

Moving the default tcp port to other than the default WILL diminish the attempts - it will NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still should configure key auth + limit users + deny root, etc.

_________________________
{Beto|Norberto|Numard} Meijome

"Everything should be made as simple as possible, but not simpler."
   Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
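
Assuming the service under discussion is OpenSSH's sshd, most of the measures in this message map onto sshd_config keywords. The script below is an added example, not part of either poster's message, that audits a config file for them. The sample config, the limit of 3 for MaxAuthTries and the requirement that MaxStartups be set explicitly are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config against the thread's checklist.
# sshd uses the FIRST value it reads for a keyword; keywords are case-insensitive.

effective_value() {  # effective_value FILE KEYWORD -> first global value, empty if unset
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # stop at the first conditional block
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

flag() { echo "WEAK: $1"; FINDINGS=$((FINDINGS + 1)); }

audit_sshd_config() {  # sets FINDINGS to the number of weak settings in FILE
    f=$1; FINDINGS=0
    [ "$(effective_value "$f" PasswordAuthentication)" = no ] ||
        flag "PasswordAuthentication is not explicitly 'no' (key authentication not enforced)"
    [ "$(effective_value "$f" PermitRootLogin)" = no ] ||
        flag "PermitRootLogin is not explicitly 'no' (direct root login not ruled out)"
    [ -n "$(effective_value "$f" AllowUsers)$(effective_value "$f" AllowGroups)" ] ||
        flag "no AllowUsers/AllowGroups (access not restricted to named users or groups)"
    tries=$(effective_value "$f" MaxAuthTries)
    case $tries in ''|*[!0-9]*) tries=6 ;; esac   # OpenSSH default is 6
    [ "$tries" -le 3 ] ||                          # 3 is this example's policy, an assumption
        flag "MaxAuthTries is $tries (more than 3 attempts per connection)"
    [ -n "$(effective_value "$f" MaxStartups)" ] ||
        flag "MaxStartups not set explicitly (unauthenticated connection limit left at default)"
    return 0
}

# Constructed sample config (not from the thread): the second PermitRootLogin is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test input
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
MaxAuthTries 6
EOF
audit_sshd_config "$sample"
echo "$FINDINGS weak setting(s)"
rm -f "$sample"
```

The source-address restriction from the quoted list is not checked here; the script only reads global settings and ignores anything inside a Match block.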