Date: Thu, 1 Oct 2015 08:52:47 +0200
From: Nino J <nino80@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: User Questions <freebsd-questions@freebsd.org>
Subject: Re: SSHguard & IPFW
Message-ID: <CALf6cgY0TYxugyMWd7ugpL5YgjKYiX%2Bk35%2BP1%2BzwbDMJw9T2Jw@mail.gmail.com>
In-Reply-To: <20151001033001.R67283@sola.nimnet.asn.au>
References: <mailman.98.1443614402.37653.freebsd-questions@freebsd.org> <20151001033001.R67283@sola.nimnet.asn.au>

On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith <smithi@nimnet.asn.au> wrote:

> I'm more paranoid and only allow addresses in a table to access sshd's
> port, with a couple of roaming users who need to check mail to update
> their IP before login .. but this is great news for sshguard users.

It's not necessarily paranoid. It depends on your risk assessment. I'm primarily defending against bruteforce attacks and sshguard effectively solves that. If I were concerned about possible vulnerability in sshd that would allow an attacker to bypass the login process or crash sshd on a machine where ssh access is critical, restricting access to known IPs only would be a perfectly reasonable solution.

On a side note, if I understood correctly, you're modifying IPFW rules based on a user successfully checking mail, basically a sort of port-knocking? Or I totally misinterpreted? :)

--
Nino