On Mon, Jan 16, 2012 at 08:23:33AM +0700, Pandu Poluan wrote:

> That depends on who is authorized to access the boxen via SSH. In my case,
> only the IT Division is authorized to access them via SSH, so the "real
> sysadmin" in me (g) decides it is much easier to shift the port rather than
> implementing esoteric hardening stuff ;-)
>
> Plus, I get the benefit of ridiculing any IT guy/gal who managed to get
> him-/herself locked out (thanks to the auto-blacklist) B-)

The opposite of auto-blacklisting is port-knocking. Think of it as
auto-unblacklisting, where the world is blacklisted by default. See...

http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute-force-using-only-iptables-port-knocking/

The idea is that your external service is blocked to everybody by
default. When an external IP address "knocks" in sequence on the right
3 ports (specified in iptables), it is then allowed a few seconds to
establish a connection (ssh/ftp/whatever).

--
Walter Dnes <waltdnes@××××××××.org>
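As an added illustration (not from the post above or the linked article), here is a Python model of the per-source-IP state that iptables `recent`-based knock rules keep: three ports hit in order open the service port for a few seconds, while a wrong port or too long a pause between knocks resets the sequence. The knock ports, timeouts and sample addresses are assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Assumed parameters (not from the post): knock ports in order, max pause
# between consecutive knocks, and how long the service stays reachable.
KNOCK_SEQUENCE = (7000, 8000, 9000)
STAGE_TIMEOUT = 10.0   # seconds allowed between two consecutive knocks
OPEN_WINDOW = 5.0      # seconds the client has to connect after the last knock
SERVICE_PORT = 22      # the "blocked to everybody by default" service


@dataclass
class KnockTable:
    """Per-IP state, like the lists the iptables 'recent' module would hold."""
    stage: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # ip -> (knocks done, time)
    opened: Dict[str, float] = field(default_factory=dict)             # ip -> time sequence completed

    def packet(self, src_ip: str, dst_port: int, now: float) -> str:
        """Firewall verdict for one inbound SYN: 'ACCEPT' or 'DROP'."""
        if dst_port == SERVICE_PORT:
            opened_at = self.opened.get(src_ip)
            if opened_at is not None and now - opened_at <= OPEN_WINDOW:
                return "ACCEPT"
            self.opened.pop(src_ip, None)   # window expired: closed again
            return "DROP"
        # Knock packets are themselves dropped; only the tracked state changes.
        done, last = self.stage.get(src_ip, (0, now))
        if now - last > STAGE_TIMEOUT:
            done = 0                        # paused too long: start over
        if dst_port == KNOCK_SEQUENCE[done]:
            done += 1
        else:
            done = 0                        # wrong port: whole sequence resets
        if done == len(KNOCK_SEQUENCE):
            self.opened[src_ip] = now       # sequence complete: open briefly
            self.stage.pop(src_ip, None)
        else:
            self.stage[src_ip] = (done, now)
        return "DROP"


if __name__ == "__main__":
    # Constructed trace: correct knock, then SSH inside and outside the window.
    table = KnockTable()
    for port, t in ((22, 0.0), (7000, 1.0), (8000, 2.0), (9000, 3.0), (22, 5.0), (22, 9.0)):
        print(f"t={t:4.1f} port={port:<5} {table.packet('203.0.113.5', port, t)}")
```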