Re: web alternative to knockd for a "secure" sshd server?
On Fri, 20 Apr 2007 16:03:41 +0300
"Nick Demou" <firstname.lastname@example.org> wrote:
> On 4/20/07, Roberto C. Sánchez <email@example.com> wrote:
> > On Fri, Apr 20, 2007 at 12:47:20PM +0300, Nick Demou wrote:
> > > [...]
> > > Any other idea of simple measures that will keep as many attackers
> > > away from the one and only service that is listening to the Internet?
> > >
> > Well, if which outbound ports are available is a real concern, then
> > consider the following:
> > - rate-limit new ssh connections (I use this)
> > [this] will keep your logs from getting cluttered (and will also slow
> > attackers down greatly so that they take longer to get to other people's
> > machines).
> do you mean to configure iptables in order to limit cons/min?
> what rules do you use? any pointer to the web?
All together, now :)
Use shorewall. Set an SSH rule in your rules file, and use the
RATE-LIMIT column (see /usr/share/doc/shorewall/default-config/rules).
> > - force key-only authentication
> > [this] makes it impossible for a dictionary attack to
> > ever succeed.
> That one I can't do in some cases because I'll lose the ability to
> connect from some random PC. I rarely need this but when I do I need
> it badly :)
Carry the key (password protected, of course) on a USB flash drive?
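To make the two suggestions in this reply concrete, here is an added example (mine, not code from the thread or from the shorewall project): the iptables rules behind the rate-limit idea, written with the `recent` match so they run anywhere, and a check that an sshd_config actually enforces key-only logins. The `SSH_RATELIMIT` chain name, the 4-connections-per-60-seconds threshold, the dry-run `IPT` variable and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rate limiting for new SSH
# connections (the "recent" match) plus a check that sshd_config enforces
# key-only authentication. Chain name, thresholds and variable names are
# this example's own choices.

IPT="${IPT:-echo iptables}"   # dry run by default: print rules instead of loading them
SSH_PORT="${SSH_PORT:-22}"

# Emit (or, run as root with IPT=iptables, install) rules that drop the
# $1-th and later new SSH connections from one source address inside a
# window of $2 seconds. The shorewall route the reply points at is the
# RATE LIMIT column of the SSH line in the rules file it cites; the raw
# iptables form is shown here because it does not need shorewall installed.
ssh_ratelimit_rules() {
    _hits="${1:-4}"
    _window="${2:-60}"
    $IPT -N SSH_RATELIMIT
    # record the source address of every new connection attempt
    $IPT -A SSH_RATELIMIT -m recent --name ssh --set
    # drop it once the address has been seen _hits times within _window seconds
    $IPT -A SSH_RATELIMIT -m recent --name ssh --update \
        --seconds "$_window" --hitcount "$_hits" -j DROP
    $IPT -A SSH_RATELIMIT -j ACCEPT
    # only NEW connections to the SSH port pass through the limiter
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_RATELIMIT
}

# Print the effective value of sshd_config keyword $2 in file $1, falling
# back to $3. sshd honours the FIRST occurrence of a keyword, hence
# "head -n 1" rather than the last line. Match blocks and the
# "Keyword=value" spelling are deliberately not handled here.
sshd_first_value() {
    _v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${_v:-$3}"
}

# Return 0 when the config permits key-only logins only: public keys on,
# password and keyboard-interactive (challenge-response) authentication off.
# The fallbacks mirror sshd's own defaults (all three default to "yes"), so a
# commented-out directive counts as still enabled.
sshd_keyonly_check() {
    _pk=$(sshd_first_value "$1" PubkeyAuthentication yes)
    _pw=$(sshd_first_value "$1" PasswordAuthentication yes)
    _cr=$(sshd_first_value "$1" ChallengeResponseAuthentication yes)
    [ "$_pk" = "yes" ] && [ "$_pw" = "no" ] && [ "$_cr" = "no" ]
}

# Stand-alone use: print the rules (dry run) and report on a config file.
if [ -z "${SSH_HARDEN_NO_DEMO:-}" ]; then
    ssh_ratelimit_rules 4 60
    cfg="${1:-/etc/ssh/sshd_config}"
    if [ -r "$cfg" ]; then
        if sshd_keyonly_check "$cfg"; then
            echo "$cfg: key-only authentication enforced"
        else
            echo "$cfg: password or keyboard-interactive logins still allowed"
        fi
    fi
fi
```

Run it as-is to see the rules it would load; `IPT=iptables sh ssh-harden.sh` as root installs them. Two caveats worth knowing before relying on this: the `recent` match keys on source address, so everyone behind one NAT gateway shares a single budget, and the config check only answers the question the reply raises (can a password guess ever succeed?), not whether the keys themselves are well protected.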