| 1 |
On December 4, 2008, Christian Franke wrote: |
| 2 |
> I just don't see what blocking ssh-bruteforce attempts should be good |
| 3 |
> for, at least on a server where few _users_ are active. |
| 4 |
|
| 5 |
Considering how much creative paranoia I've exposed in this thread it might |
| 6 |
come as a surprise, but I do agree with the above statement. Strong passwords |
| 7 |
(or key-only authentication) would prevent brute-force attacks from being |
| 8 |
successfull. The only thing that is semi-usefull side-effect is that you can |
| 9 |
identify compromised machines and deny ANY type of traffic from them |
| 10 |
preventing possible DoS launched against you. But then IPs are so easy to |
| 11 |
spoof :) Balance is what makes sysadmin comfortable enough and doesn't |
| 12 |
compromise usability of the server, so everybody decides for themselves. OP |
| 13 |
obviously wants that "extra" layer of protection and notification so with a |
| 14 |
bit of creativity and some external tools it's possible to achieve. As long |
| 15 |
as he doesn't forget about other aspects of security - he should do just fine |
| 16 |
with all those extra measures :) |
| 17 |
|
| 18 |
-- |
| 19 |
Dmitry Makovey |
| 20 |
Web Systems Administrator |
| 21 |
Athabasca University |
| 22 |
(780) 675-6245 |
Archives