On December 3, 2008, Steve wrote:

> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I went the path of passwordless entries (i.e. DSA/RSA keys) and I think it
helped a lot, no botnet/worm/cracker is known to do selective key assembly so
far and it's a labour-intensive process. I think applying keys is a very good
step forward (well, and make sure every externally exposed service is
properly patched and secured ;) ).

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
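The key-only setup Dmitry describes comes down to a handful of sshd_config directives. The script below is an added example, not part of the thread or of any project: it holds a constructed "weak" configuration (password logins still allowed) beside a constructed "hardened" one (public-key only), and a small audit that reads a config file and reports whether password logins are actually disabled. The directive names and their defaults (PasswordAuthentication, PubkeyAuthentication, ChallengeResponseAuthentication, PermitRootLogin) are real OpenSSH directives; the file contents and the helper names are assumptions made for the example. Note that current OpenSSH releases reject DSA keys by default, so "DSA/RSA keys" today means RSA or Ed25519.

```shell
#!/bin/sh
# Added example (not from the original thread): compare a weak sshd_config
# against one hardened for key-only logins, and audit a config file for the
# directives that decide whether password guessing can succeed at all.
# Both configs below are constructed samples, not real server files.

# Constructed sample: stock-style config that still accepts passwords.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes'

# Constructed sample: hardened config, public-key authentication only.
# ChallengeResponseAuthentication must also be off, or keyboard-interactive
# logins can still prompt for a password through PAM.
HARDENED_CONFIG='Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys'

# sshd_value FILE DIRECTIVE
# Print the effective value of DIRECTIVE in FILE. sshd honours the first
# occurrence of a directive and matches names case-insensitively; commented
# lines start with '#' and therefore never match the bare directive name.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# password_auth_disabled FILE
# Succeed (exit 0) only when password logins are off, public keys are on,
# and challenge-response is off. A missing directive falls back to the
# sshd default (yes for all three), which is the unsafe direction.
password_auth_disabled() {
    pw=$(sshd_value "$1" PasswordAuthentication)
    pk=$(sshd_value "$1" PubkeyAuthentication)
    cr=$(sshd_value "$1" ChallengeResponseAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ] && [ "${cr:-yes}" = "no" ]
}

# audit_sshd_config FILE
# Human-readable verdict; exit status mirrors password_auth_disabled.
audit_sshd_config() {
    if password_auth_disabled "$1"; then
        echo "$1: key-only authentication (password logins disabled)"
        return 0
    fi
    echo "$1: password logins still possible"
    return 1
}

# Demo: write the constructed samples to temporary files and audit both.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONFIG" > "$demo_dir/sshd_config.weak"
printf '%s\n' "$HARDENED_CONFIG" > "$demo_dir/sshd_config.hardened"
audit_sshd_config "$demo_dir/sshd_config.weak" || true
audit_sshd_config "$demo_dir/sshd_config.hardened"
```

Run it against a real server with `audit_sshd_config /etc/ssh/sshd_config`; the check deliberately treats an absent directive as the permissive default, because that is how sshd itself behaves. Remember to restart sshd (or run `sshd -t` first) after editing the file, and to confirm a key-based login works from a second session before closing the one you are in.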