[svlug] Firewalls?

Rick Moen rick at linuxmafia.com
Tue Jan 23 21:32:22 PST 2007


Quoting Raj Shekhar (rajlist at rajshekhar.net):

> This has come up once earlier too on this mailing list.  IIRC, the 
> methods that were recommended were (in no particular order)
>   - change the sshd listener port

This puts you thereafter to the indignity of having to type "ssh -p
8080 ..." and "scp -P 8080..." and such, for no actual gain in security,
and is the security analogue of the ever-popular "hide from spammers" 
strategy.

>   - allow only key-based logins

This actually does something -- at the cost of making you need to always 
have handy your public-key credential.  Which, by the way, can get stolen 
as well (if used on a compromised host).

>   - use denyhosts (http://denyhosts.sourceforge.net/)

Insanely over-elaborate.  Cheswick and Bellovin would weep.  

At least the author finally and belatedly added an option to expire the
/etc/hosts.deny entries, making it less likely someone can cause you to
DoS yourself by sending spoofed traffic.

>   - someone pointed to this netfilter magic 
> http://blog.andrew.net.au/2005/02/16#ipt_recent_and_ssh_attacks

Much more sound and better engineered than denyhosts, and at least he
built in timeouts on its blocks from the beginning, making it less likely
you're going to hurt yourself -- in the process of solving the wrong
problem, which is of course the fundamental drawback of all these things.
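The ipt_recent approach Rick refers to, as an added example that is not from the post or the linked blog entry: a rule pair that drops a source after too many new SSH connections within a window and lets the block expire on its own. The port, window and hit count are assumed values, and the IPT dry-run default is this example's own convention.

```shell
#!/bin/sh
# Rate-limit new SSH connections per source address with the netfilter
# "recent" match, in the style of the ipt_recent approach linked above.
# Added example, not code from the list post or the linked blog.
# Set IPT="iptables" to apply for real (as root); the default only prints
# the rules so they can be reviewed before anything is changed.
IPT="${IPT:-echo iptables}"

# ssh_ratelimit_rules PORT WINDOW_SECONDS HITCOUNT
# A source that opens HITCOUNT or more new connections within WINDOW_SECONDS
# is dropped. --update refreshes its timestamp on every further attempt, so
# the block lapses only after the source has been quiet for WINDOW_SECONDS;
# nothing is ever written to /etc/hosts.deny and nothing needs cleaning up.
# Put an ACCEPT for your own management addresses above these rules so a
# run of mistyped passwords from your own desk cannot lock you out.
ssh_ratelimit_rules() {
    port="$1"; window="$2"; hits="$3"
    # Check first: a source already over the limit is dropped ...
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds "$window" --hitcount "$hits" \
        -j DROP
    # ... otherwise record this attempt and let the connection through.
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --set -j ACCEPT
}

# Returns 0 when the generated (dry-run) rules contain the expiring block,
# so the ruleset can be sanity-checked without loading it into the kernel.
rules_have_timeout() {
    ( IPT="echo iptables"; ssh_ratelimit_rules "$1" "$2" "$3" ) |
        grep -q -- "--update --seconds $2 --hitcount $3 -j DROP"
}

# Example values (assumed): port 22, four new connections per minute.
ssh_ratelimit_rules 22 60 4
```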