Please Help! How to STOP them...

Norberto Meijome freebsd at meijome.net
Sun Jan 14 23:53:53 UTC 2007


On Sun, 14 Jan 2007 15:39:30 +0100
Erik Norgaard <norgaard at locolomo.org> wrote:

> - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key
auth.

> - restrict access to certain users or groups of users

I would say, idem here.

> - deny direct access as root
This is obvious...and a default in BSD (I don't think it's a default in some
(most?) Linux distros though)

> - enforce strong passwords, if you can't enforce key authentication
> - limit the ip address space that is allowed to connect, to the space
>    where you or your users are likely to be
> - limit the number of simultaneous unauthenticated connections

I would add to limit the number of password retries - so if they want to
hammer you, at least they'll have to try a new connection. Of course, this
leaves you open to a DoS ... but, well, I guess you are still open to that the
second you're on the net :)

Moving the TCP port to other than the default WILL diminish the
attempts - it will NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still
should configure key auth + limit users + deny root, etc.

_________________________
{Beto|Norberto|Numard} Meijome

"Everything should be made as simple as possible, but not simpler."
  Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
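The checklist discussed in this message (key auth only, restrict users, deny root, cap retries, cap unauthenticated connections) can be audited mechanically. The script below is an added example, not code from the post or from FreeBSD; it reads an sshd_config, reports which of those settings are missing or weak, and runs itself against two constructed sample configs (a near-default one and a hardened one). The MaxAuthTries threshold of 3 and the sample file contents are this script's own choices, and the parser assumes the plain "Keyword value" spelling in the global section, before any Match block.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for
# the hardening points raised in the thread. The sample configs below are
# constructed for illustration; thresholds are this script's own choice.

# Print the effective value of KEYWORD in FILE. sshd_config keywords are
# case-insensitive, comments start with '#', and for these keywords the
# first occurrence wins. Only the global section is read (assumed to precede
# any Match block); the "Keyword=value" spelling is not handled.
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one line per finding. MaxAuthTries <= 3 is this script's threshold,
# not a number from the thread. Always returns 0; count lines for a verdict.
check_sshd_config() {
    f=$1
    v=$(get_opt "$f" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin is '${v:-unset}', want 'no' (deny direct root login)"

    v=$(get_opt "$f" PasswordAuthentication)
    [ "$v" = no ] || echo "PasswordAuthentication is '${v:-unset}', want 'no' (key auth only)"

    # With PAM in use, keyboard-interactive can still accept a password even
    # when PasswordAuthentication is off, so it must be disabled explicitly.
    v=$(get_opt "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(get_opt "$f" ChallengeResponseAuthentication)
    [ "$v" = no ] || echo "KbdInteractiveAuthentication is '${v:-unset}', want 'no' (closes the PAM password path)"

    [ -n "$(get_opt "$f" AllowUsers)$(get_opt "$f" AllowGroups)" ] \
        || echo "neither AllowUsers nor AllowGroups set (restrict who may log in)"

    v=$(get_opt "$f" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 3 ] 2>/dev/null; then
        echo "MaxAuthTries is '${v:-unset}', want <= 3 (limit retries per connection)"
    fi

    v=$(get_opt "$f" MaxStartups)
    [ -n "$v" ] || echo "MaxStartups unset (limit simultaneous unauthenticated connections)"
    return 0
}

# Number of findings for FILE, printed as a plain integer.
finding_count() {
    check_sshd_config "$1" | awk 'END { print NR }'
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample: a near-default configuration (MaxAuthTries commented out).
cat > "$WEAK_CFG" <<'EOF'
# near-default sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
EOF

# Constructed sample: the same host with the thread's advice applied. The
# moved port only cuts log noise, so it is not counted as a finding either way.
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups sshusers
MaxAuthTries 3
MaxStartups 10:30:60
EOF

echo "== weak config: $(finding_count "$WEAK_CFG") finding(s)"
check_sshd_config "$WEAK_CFG"
echo "== hardened config: $(finding_count "$HARD_CFG") finding(s)"
check_sshd_config "$HARD_CFG"
```

Point `check_sshd_config` at the live file (normally /etc/ssh/sshd_config) to audit a real host; the source-address limit from the thread is not checked here because it usually lives in the packet filter rather than in sshd_config.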
