-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 09 April 2005 20:13, Brian Gaynor wrote:
> > -----Original Message-----
> > I will agree that for a script kiddy this will work, but for
> > someone who is really trying to get in they will figure this out
> > in a short time and then you are no longer protected. The best
> > bet is to move to an unknown port.
>
> I would disagree a bit. Denying access after a small number of
> unsuccessful logons effectively reduces the bandwidth of anyone
> attempting a brute force attack, script kiddie or pro. Changing
> ports may hide you from script kiddies but not from a pro.

Not so sure I would agree with this. If they are hammering you then
yes. But if they watch their logs, they will see that after X attempts
they are no longer getting a reply, and then they could (at least I
would) add time in between requests. Sooner or later they will find the
right time intervals and they are back in business again.

Ex: you set 5 attempts/5 minutes; they change their script to wait 61
sec between attempts and they are back in business.

> In addition the need to support users of various skill levels and
> additional services that may rely on SSH (SFTP, SVN) and changing
> ports becomes a support mess.

This could all be configured.

> Probably the most secure is to use certificates, but this can be a
> headache if you have lots of users.

True

- --
Regards
Robert
Smile... it increases your face value!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCWIpS0xJrO8dQYHgRAtDkAJ0RYEhCVKdzjTSKvJyM7jOasY0O7wCgp432
Sx5O8ikwDRcALRIMI8pdxLo=
=s2ZA
-----END PGP SIGNATURE-----
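The disagreement in this thread is about how much a "deny after N failed logons in M minutes" rule actually buys a defender. The following added example (written for this page, not code from either poster or from any sshd lockout tool) models that rule as a sliding-window counter of failed logons per source address, replays it over constructed OpenSSH-style auth-log lines, and computes the ceiling the rule places on a single source's guessing rate. The 5-attempts-in-5-minutes values come from the thread; the log lines, hostname, addresses and the year 2005 (syslog timestamps carry no year) are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Policy values from the thread: deny after 5 failed attempts within 5 minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)

# "Failed password" line as OpenSSH writes it to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


class FailedLoginLimiter:
    """Sliding-window count of failed logons per source address."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = {}  # source address -> deque of failure timestamps

    def _expire(self, q, now):
        # Forget failures older than the window, so the count always covers
        # exactly the last `window` of time ending at `now`.
        while q and now - q[0] >= self.window:
            q.popleft()

    def record_failure(self, source, when):
        q = self.failures.setdefault(source, deque())
        self._expire(q, when)
        q.append(when)

    def is_blocked(self, source, now):
        q = self.failures.get(source)
        if not q:
            return False
        self._expire(q, now)
        return len(q) >= self.max_failures


def replay_auth_log(lines, year, limiter=None):
    """Feed auth-log lines through the limiter.

    Returns {source: time_of_first_denial} for every source that tripped it.
    Attempts arriving while a source is denied are not counted, mirroring a
    firewall rule that drops the connection before sshd ever sees it.
    """
    limiter = limiter or FailedLoginLimiter()
    blocked_at = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logons and unrelated lines are ignored
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if limiter.is_blocked(src, when):
            continue
        limiter.record_failure(src, when)
        if limiter.is_blocked(src, when) and src not in blocked_at:
            blocked_at[src] = when
    return blocked_at


def max_sustained_attempts_per_hour(max_failures=MAX_FAILURES, window=WINDOW):
    """Ceiling on guesses per hour from one source that never trips the rule.

    Staying one failure under the threshold in every window is the most a
    single source can do without being denied; this is the "bandwidth"
    reduction Brian refers to, expressed as a number.
    """
    return (max_failures - 1) * 3600 / window.total_seconds()


def hours_to_exhaust(candidates, max_failures=MAX_FAILURES, window=WINDOW):
    """Risk estimate: hours needed to try `candidates` guesses under the cap."""
    return candidates / max_sustained_attempts_per_hour(max_failures, window)


# Constructed sample lines in OpenSSH auth-log format (not from the thread).
SAMPLE_LOG = [
    "Apr  9 20:13:01 gw sshd[4120]: Failed password for root from 192.0.2.10 port 50101 ssh2",
    "Apr  9 20:13:03 gw sshd[4121]: Failed password for root from 192.0.2.10 port 50102 ssh2",
    "Apr  9 20:13:05 gw sshd[4122]: Failed password for invalid user admin from 192.0.2.10 port 50103 ssh2",
    "Apr  9 20:13:07 gw sshd[4123]: Failed password for root from 192.0.2.10 port 50104 ssh2",
    "Apr  9 20:13:09 gw sshd[4124]: Failed password for root from 192.0.2.10 port 50105 ssh2",
    "Apr  9 20:13:11 gw sshd[4125]: Failed password for root from 192.0.2.10 port 50106 ssh2",
    "Apr  9 20:14:00 gw sshd[4130]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Apr  9 20:15:00 gw sshd[4131]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    print(replay_auth_log(SAMPLE_LOG, 2005))
    print(max_sustained_attempts_per_hour(), "attempts/hour from one source")
    print(hours_to_exhaust(10_000), "hours for a 10,000-entry list")
```

With the thread's values the rule caps a single source at 48 guesses per hour, which is the figure to weigh against the size of the password space you are defending; note that the window here is sliding, so the cap holds no matter how the attempts are spaced. The limiter keys on source address only, so a guesser spread across many addresses is bounded per address rather than in total, which is the gap that per-user lockout or key-based authentication (the "certificates" option raised at the end of the thread) closes.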