On December 4, 2008, Christian Franke wrote:
> I just don't see what blocking ssh-bruteforce attempts should be good
> for, at least on a server where few _users_ are active.

Considering how much creative paranoia I've exposed in this thread it might
come as a surprise, but I do agree with the above statement. Strong passwords
(or key-only authentication) would prevent brute-force attacks from being
successful. The only thing that is a semi-useful side-effect is that you can
identify compromised machines and deny ANY type of traffic from them,
preventing possible DoS launched against you. But then IPs are so easy to
spoof :) Balance is what makes a sysadmin comfortable enough and doesn't
compromise usability of the server, so everybody decides for themselves. OP
obviously wants that "extra" layer of protection and notification so with a
bit of creativity and some external tools it's possible to achieve. As long
as he doesn't forget about other aspects of security - he should do just fine
with all those extra measures :)

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245