| 1 |
On Mon, Jan 16, 2012 at 08:23:33AM +0700, Pandu Poluan wrote |
| 2 |
|
| 3 |
> That depends on who are authorized to access the boxen via SSH. In my case, |
| 4 |
> only the IT Division is authorized to access them via SSH, so the "real |
| 5 |
> sysadmin" in me (g) decides it is much easier to shift the port rather than |
| 6 |
> implementing esoteric hardening stuffs ;-) |
| 7 |
> |
| 8 |
> Plus, I get the benefit of ridiculing any IT guy/gal who managed to get |
| 9 |
> him-/herself locked out (thanks to the auto-blacklist) B-) |
| 10 |
|
| 11 |
The opposite of auto-blacklisting is port-knocking. Think of it as |
| 12 |
auto-unblacklisting, where the world is blacklisted by default. See... |
| 13 |
|
| 14 |
http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute-force-using-only-iptables-port-knocking/ |
| 15 |
|
| 16 |
The idea is that your external service is blocked to everybody by |
| 17 |
default. When an external IP address "knocks" in sequence on the right |
| 18 |
3 ports (specified in iptables), it is then allowed a few seconds to |
| 19 |
establish a connection (ssh/ftp/whatever). |
| 20 |
|
| 21 |
-- |
| 22 |
Walter Dnes <waltdnes@××××××××.org> |
Archives