On Fri, 20 Apr 2007 16:03:41 +0300 "Nick Demou" <[EMAIL PROTECTED]> wrote:
> On 4/20/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> > On Fri, Apr 20, 2007 at 12:47:20PM +0300, Nick Demou wrote:
> > > [...]
> > > Any other idea of simple measures that will keep as many attackers
> > > away from the one and only service that is listening to the Internet?
> > >
> > Well, if which outbound ports are available is a real concern, then
> > consider the following:
> >
> > - rate-limit new ssh connections (I use this)
> > [this] will keep your logs from getting cluttered (and will also slow
> > attackers down greatly so that they take longer to get to other people's
> > machines).
>
> do you mean to configure iptables in order to limit cons/min?
> what rules do you use? any pointer to the web?

All together, now :)

Use shorewall. Set an SSH rule in your rules file, and use the RATE-LIMIT
column (see /usr/share/doc/shorewall/default-config/rules).

> > - force key-only authentication
> > [this] makes it impossible for a dictionary attack to
> > ever succeed.
>
> That one I can't do in some cases because I'll lose the ability to
> connect from some random PC. I rarely need this but when I do I need
> it badly :)
>

Carry the key (password protected, of course) on a USB flash drive?

Celejar
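Nick asked what raw iptables rules do the "limit new ssh connections per minute" trick; the reply above answers with shorewall's RATE-LIMIT column. The script below is an added example, not from anyone in this thread, showing the plain iptables equivalent using the `recent` match so the limit is per source address rather than global. It assumes eth0 is the Internet-facing interface and sshd is on port 22, and the threshold of 4 new connections per 60 seconds is an arbitrary choice; override any of them through the environment variables.

```shell
#!/bin/sh
# Per-source rate limiting of NEW inbound SSH connections with the
# iptables "recent" match (added example, not the thread's own config).
# Assumed defaults: eth0 faces the Internet, sshd listens on 22, and a
# source that opens 4 new connections within 60 s is dropped until it
# stays quiet for 60 s (--update refreshes the timer on every attempt).

ssh_ratelimit_rules() {
    ipt="${IPT:-iptables}"        # IPT='echo iptables' previews without root
    iface="${IFACE:-eth0}"
    port="${SSH_PORT:-22}"
    hits="${HITCOUNT:-4}"
    window="${WINDOW:-60}"

    # Keep the logic in its own chain so it can be reloaded independently.
    $ipt -N SSH_RATE 2>/dev/null || $ipt -F SSH_RATE

    # Offender already over the threshold inside the window: log (limited so
    # the log itself cannot be flooded) and drop.  --update also bumps the
    # last-seen time, so a persistent attacker stays blocked.
    $ipt -A SSH_RATE -m recent --name SSH_RATE --update \
        --seconds "$window" --hitcount "$hits" \
        -m limit --limit 5/min -j LOG --log-prefix "SSH-RATE: "
    $ipt -A SSH_RATE -m recent --name SSH_RATE --update \
        --seconds "$window" --hitcount "$hits" -j DROP

    # Otherwise record this attempt for the source and let it through.
    $ipt -A SSH_RATE -m recent --name SSH_RATE --set -j ACCEPT

    # Only brand-new connections are counted; established sessions are
    # untouched, so an open shell is never rate-limited.
    $ipt -A INPUT -i "$iface" -p tcp --dport "$port" \
        -m state --state NEW -j SSH_RATE
}

# Show the addresses currently tracked (kernel path differs by version).
ssh_ratelimit_status() {
    for f in /proc/net/xt_recent/SSH_RATE /proc/net/ipt_recent/SSH_RATE; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "no SSH_RATE table found (rules not loaded?)" >&2
    return 1
}

# Applies the rules when run directly; as root on the real box, or
# IPT='echo iptables' ./ssh-ratelimit.sh to just print them.
[ "${0##*/}" = "ssh-ratelimit.sh" ] && ssh_ratelimit_rules
```

Two caveats a practitioner should keep in mind: an attacker behind NAT shares its counter with every legitimate user behind the same address, so keep the threshold generous enough for your own retries; and this only throttles guesses, it does not stop them, so it complements rather than replaces key-only authentication.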