| 1 |
Thanks for all your suggestions... |
| 2 |
|
| 3 |
I will look into fail2ban... that might be what I need... While I could |
| 4 |
crank BLOCKING_PERIOD for blacklist.py to an absurdly high value, this |
| 5 |
(AFAIK) will not persist blocks when the server is powered down or rebooted. |
| 6 |
|
| 7 |
I need to retain port 22 and can't easily do port-knocking - since some |
| 8 |
of the clients I require to connect to my server are in restrictive |
| 9 |
environments. I've another idea too... I'm happy to entirely cut off |
| 10 |
all services from any IP that attempts to brute-force SSH passwords... |
| 11 |
as it is an unequivocal act of aggression that would not arise with any |
| 12 |
legitimate clients... Another aside is that in some restrictive |
| 13 |
environments it is hard to securely obtain my private key without first |
| 14 |
obtaining a secure off-site connection. For this reason, I prefer to |
| 15 |
have the facility to log in using username/password - my compromise is |
| 16 |
to make my password extremely complex... plus using a non-obvious |
| 17 |
user-id, which again hampers attackers. |
| 18 |
|
| 19 |
While interesting, I don't think the connection rate limiter is for |
| 20 |
me... I may want to legitimately make rapid connections at some time or |
| 21 |
other. :-) |
| 22 |
-- |
| 23 |
gentoo-user@l.g.o mailing list |
Archives