Re: [Hampshire] confused ssh newbie

Author: Vic
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] confused ssh newbie

> But I take a "run silent run deep" attitude in that I want to reveal as
> little information as possible about what I'm running on my home network
> because I never know if some human isn't going to look through those bot
> logs and try to manually break into my systems - the less information that
> human has about my network, the more difficult a task he/she has of
> getting in.


That's a "security through obscurity" argument. It does no harm unless you
actually rely on that obscurity for your security - but in the same
breath, if you're not relying on obscurity, then it does no good either.

> There's other things you can do that help - I can't remember the
> application names because I don't use them but there are daemon
> applications that monitor for brute force attempts and if, say,
> more than 10 come from a particular IP address within the space of a
> minute, it can block that IP address temporarily or permanently by using
> TCP Wrappers or an iptables firewall rule.


portwatch is the one I used to use. TBH, I found it caused at least as
many problems as it solved. Some of my users were rubbish at remembering
passwords...

I replaced it with a rate-limiting script in iptables which is very
effective.

> There's even a port knocking application that will wait to see incoming
> requests on two or more pre-agreed ports and if the knocks on those ports
> are in the correct order, it will open up the SSH server for you to
> access.


Again, with key-based authentication, I don't need to open the port on
demand; it's safe to leave it open. If an attacker can break my 2048-bit
key, there are far more lucrative keys to break elsewhere...

Vic.
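As an added illustration of the iptables rate-limiting approach Vic mentions (this is not his script, which the thread does not include), the rules below use the `recent` match to throttle new SSH connections per source address. Assumed values, not from the thread: sshd on TCP port 22, the fourth new connection from one address within 60 seconds is dropped, and an `APPLY=1` environment variable switches from printing the rules to applying them.

```sh
#!/bin/sh
# Added example: rate-limit new inbound SSH connections per source address with
# iptables' "recent" match. Not from the thread; port, threshold and window are
# assumptions. Set APPLY=1 to run iptables for real (root); otherwise print.

SSH_PORT="${SSH_PORT:-22}"   # assumed: sshd on its default port
HITS="${HITS:-4}"            # assumed: the HITS-th new connection in WINDOW is dropped
WINDOW="${WINDOW:-60}"       # assumed: seconds; a blocked source is released this
                             # long after its last attempt

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

ssh_ratelimit_rules() {
    # Own chain, so the policy can be flushed without touching the rest of INPUT
    ipt -N SSH_RATELIMIT 2>/dev/null || true
    ipt -F SSH_RATELIMIT
    # Remember the source address of every new connection that reaches the chain
    ipt -A SSH_RATELIMIT -m recent --name ssh --set
    # --update refreshes the last-seen timestamp, so a source that keeps hammering
    # stays blocked, but it self-expires WINDOW seconds after it goes quiet: a
    # user who mistyped a password a few times is not locked out permanently,
    # which was the complaint about the daemon-based blockers above.
    ipt -A SSH_RATELIMIT -m recent --name ssh --update --seconds "$WINDOW" \
        --hitcount "$HITS" -m limit --limit 6/min -j LOG --log-prefix "ssh-ratelimit: "
    ipt -A SSH_RATELIMIT -m recent --name ssh --update --seconds "$WINDOW" \
        --hitcount "$HITS" -j DROP
    ipt -A SSH_RATELIMIT -j ACCEPT
    # Only connection attempts go through the chain; established flows are untouched
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_RATELIMIT
}

ssh_ratelimit_rules
```

The LOG rule is rate-limited so a sustained scan fills the kernel log at a bounded rate while still leaving a trace of which addresses were throttled.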