| 1 |
On December 3, 2008, Steve wrote: |
| 2 |
> Sure, I could use IPtables to block all these bad ports... or... I could |
| 3 |
> disable password authentication entirely... but I keep thinking that |
| 4 |
> there has to be something better I can do... any suggestions? Is there |
| 5 |
> a simple way to integrate a block-list of known-compromised hosts into |
| 6 |
> IPtables - rather like my postfix is configured to drop connections from |
| 7 |
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for |
| 8 |
> example. |
| 9 |
|
| 10 |
I went the path of paswordless entries (i.e. DSA/RSA keys) and I think it |
| 11 |
helped a lot, no botnet/worm/cracker is known to do selective key assembly so |
| 12 |
far and it's a labour-intensive process. I think applying keys is a very good |
| 13 |
step forward (well, and make sure every externally exposed service is |
| 14 |
properly patched and secured ;) ). |
| 15 |
|
| 16 |
-- |
| 17 |
Dmitry Makovey |
| 18 |
Web Systems Administrator |
| 19 |
Athabasca University |
| 20 |
(780) 675-6245 |
Archives