
Re: RFC: changes to default password strength checks in pam_unix



04-09-2007, John Kelly:
> On Sep 3, Lars Wirzenius wrote:
>
>>Tue, 2007-09-04 at 10:17 +0900, Miles Bader wrote:
>
>>> If the system is excessively anal about what passwords it will let you
>>> use, people will just start writing them down...
>
>>That is arguably better than having passwords which can be guessed by
>>doing brute-force attacks over ssh.
>
> I stop brute force attacks by sending auth log messages to a FIFO which I 
> read with a perl script. After 10 login failures, your IP is firewalled for 
> 24 hours.

What about making Debian's sshd_config more secure by default?
"
PermitRootLogin no
DenyUsers       *
"
to start with.

Also, I would really love for the sshd rc script to be able to load
different configs easily. I have a dummy sshd on port 22 and one actual
door on another. Having more dummy services elsewhere is more "security
by obscurity". Not 100% protection, but something.
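
The scheme described in the quoted text above (count sshd login failures per source address, then block after 10 failures for 24 hours), as an added Python example that is not part of the original thread and is not the Perl script mentioned there. The log line wording, the cumulative (unwindowed) count and the `scan` function are assumptions; the code only computes the block list and leaves the firewall action to the caller.

```python
import ipaddress
import re
from datetime import datetime, timedelta

THRESHOLD = 10                   # failures before blocking (figure from the thread)
BLOCK_FOR = timedelta(hours=24)  # block duration (figure from the thread)

# Assumed OpenSSH syslog wording. The user name is attacker-controlled text,
# so the greedy ".*" plus "$" takes the address from the END of the line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\S+) port \d+(?: ssh2)?$")

def scan(lines, year=2007):
    """Return (blocked, failures): ip -> block expiry, ip -> running count."""
    failures, blocked = {}, {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue                       # not a literal address: ignore
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if ip in blocked and when < blocked[ip]:
            continue                       # still firewalled
        blocked.pop(ip, None)              # an expired block is dropped
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= THRESHOLD:
            blocked[ip] = when + BLOCK_FOR
            failures[ip] = 0
    return blocked, failures

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE = [
    f"Sep  4 10:17:{s:02d} host sshd[4321]: Failed password for root "
    f"from 203.0.113.5 port {40000 + s} ssh2" for s in range(10)
] + [
    # User name crafted to look like a failure from another address.
    "Sep  4 10:18:00 host sshd[4400]: Failed password for invalid user "
    "a from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 40100 ssh2",
    "Sep  4 10:18:05 host sshd[4401]: Accepted password for alice "
    "from 192.0.2.9 port 5000 ssh2",
]

if __name__ == "__main__":
    for ip, until in scan(SAMPLE)[0].items():
        print(f"block {ip} until {until}")
```
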