| 1 |
Brian Davis wrote: |
| 2 |
> Anyone have comparisons on denyhosts vs. sshdfilter? Should one just use |
| 3 |
> both? |
| 4 |
> |
| 5 |
I didn't see sshdfilter, but denyhosts is essentially a blacklister. My |
| 6 |
needs are probably simpler, but I've got hosts.deny set to ALL and I |
| 7 |
whitelist in hosts.allow as well as iptables. I'm really only concerned |
| 8 |
about getting in with ssh from a few places with static IPs. |
| 9 |
|
| 10 |
I'm more liberal about what I let through with OpenVPN, but that's |
| 11 |
protected with certificates, extra keys, etc. |
| 12 |
|
| 13 |
Dale Pontius |
| 14 |
> Jason Booth wrote: |
| 15 |
>> On Monday 23 October 2006 13:21, Brian Davis wrote: |
| 16 |
>> |
| 17 |
>>> What do you folks do to harden SSHD? I'm looking for some pointers. |
| 18 |
>>> |
| 19 |
>>> Thanks, |
| 20 |
>>> Brian |
| 21 |
>>> |
| 22 |
>> I'm not sure what you mean. I suppose you could make a chroot jail for |
| 23 |
>> ssh, except I'm assuming you want access to the real system... which |
| 24 |
>> you could run a separate server on a different port and use iptables |
| 25 |
>> to allow connection to that port only from a specific i.p. address.. |
| 26 |
>> |
| 27 |
>> The main thing I have noticed lately is the huge volume of brute-force |
| 28 |
>> attacks: |
| 29 |
>> |
| 30 |
>> Using DenyHosts is pretty much a necessity now. |
| 31 |
>> app-admin/denyhosts |
| 32 |
>> |
| 33 |
>> -Jason |
| 34 |
>> |
| 35 |
>> |
| 36 |
|
| 37 |
-- |
| 38 |
gentoo-hardened@g.o mailing list |
Archives