On Wed, 2010-04-21 at 11:26 -0700, Wolfgang S. Rupprecht wrote:
> g <geleem@xxxxxxxxxxxxx> writes:
> > Steve Blackwell wrote:
> > <snip>
> >> so it appears that someone was trying to break in to my machine.
> >
> > do you have 'ping reply' enabled on your cable modem?
> >
> > if so, i would suggest that you disable it so you are not visible.
> >
> > hth.
>
> One should really point out that some icmp messages are vital to the
> correct operation of the network? Many newbies seem to end up filtering
> out icmp-must-fragment in their zeal to stop all those evil icmp
> messages. That messes up mtu-discovery and ends up causing some
> destinations to effectively be unreachable for large packets.
>
> The core problem is to prevent someone from guessing users' passwords.
> You aren't going to achieve real security by hiding this or that
> attribute. If you don't want to worry about your users choosing bad
> non-random passwords, don't let them. Force them to use a 1k-2k RSA key
> for ssh and turn off all login types in sshd_config other than RSA2.
> That way any attacker has to correctly guess a 1k-bit computer generated
> number. That will almost certainly be much more secure than any
> password users will choose. Then you can look at the ssh log files and
> laugh. The universe isn't going to last long enough for them to guess
> even a small fraction of the keys.

Although this is true, it doesn't stop denial-of-service attacks, while
not replying to Pings may go some way to do so by hiding the IP address
from the less sophisticated attacker.

I'm just saying ...

poc

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
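The sshd_config advice quoted in the message above (turn off every login type except keys) is easy to get wrong, because sshd uses the first value it reads for each keyword and falls back to built-in defaults for absent ones. The checker below is an added example, not part of the original thread; the sample configs and function names are constructed for illustration, and it inspects only the global section before any Match block.

```python
import re

# Built-in OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Resolve global auth keywords the way sshd does: first value wins."""
    settings, has_match = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (fine for yes/no values)
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":                # conditional overrides start here
            has_match = True
            break
        keyword = ALIASES.get(keyword, keyword)
        if keyword in DEFAULTS:
            settings.setdefault(keyword, value)  # later duplicates are ignored
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, has_match

def audit(config_text):
    """Return findings; an empty list means key-only login is enforced."""
    settings, has_match = effective_settings(config_text)
    findings = []
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if settings[key] != "no":
            findings.append(f"{key} is effectively '{settings[key]}': passwords accepted")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off: key login unavailable")
    if has_match:
        findings.append("Match block present: review its overrides by hand")
    return findings

# Constructed samples. WEAK looks hardened at the bottom, but the earlier line wins
# and keyboard-interactive is left at its default.
WEAK = "PasswordAuthentication yes\n# hardening\nPasswordAuthentication no\n"
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication = no\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "key-only login enforced")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved and is the authoritative check.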