> -----Original Message-----
> I will agree that for a script kiddy this will work, but for someone who is
> really trying to get in they will figure this out in a short time and then
> you are no longer protected. The best bet is to move to an unknown port.

I would disagree a bit. Denying access after a small number of unsuccessful logons effectively reduces the bandwidth of anyone attempting a brute force attack, script kiddie or pro. Changing ports may hide you from script kiddies but not from a pro. In addition, with the need to support users of various skill levels and additional services that may rely on SSH (SFTP, SVN), changing ports becomes a support mess.

Probably the most secure is to use certificates, but this can be a headache if you have lots of users.

Brian
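
The lockout argument in the reply above, as an added example that is not part of the original message: a sliding-window lockout replayed over sshd log lines, plus the ceiling it puts on guesses per source per day. The policy values, the OpenSSH-style "Failed password" line format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, chosen for illustration (not from the message above).
MAX_FAILURES = 3                 # failed logons tolerated per source
WINDOW = timedelta(minutes=10)   # ...within this sliding window
BLOCK_FOR = timedelta(hours=1)   # how long the source is then denied

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE = [
    "Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Mar  3 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
    "Mar  3 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "Mar  3 10:02:00 host sshd[1004]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "Mar  3 10:20:00 host sshd[1005]: Failed password for alice from 198.51.100.20 port 51001 ssh2",
    "Mar  3 10:21:00 host sshd[1006]: Accepted password for alice from 198.51.100.20 port 51002 ssh2",
]

def blocks_from_log(lines, year=2024):
    """Replay sshd log lines; return {ip: time the block expires}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logons and other noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if blocked_until.get(ip, ts) > ts:
            continue              # already denied; nothing new to decide
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW: # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            blocked_until[ip] = ts + BLOCK_FOR
            q.clear()
    return blocked_until

def max_guesses_per_day(max_failures=MAX_FAILURES, block_for=BLOCK_FOR):
    """Upper bound on password guesses one source gets in 24 hours."""
    bursts = -(-timedelta(days=1) // block_for)  # ceil: bursts starting in a day
    return max_failures * bursts
```

With these assumed values a single source is held to 72 guesses a day regardless of its skill, while the user who mistyped twice 18 minutes apart is never blocked.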