On Thu, Nov 23, 2006 at 10:28:20PM +0100, Igor Sobrado wrote:
> In message <[EMAIL PROTECTED]>, Steve Williams writes:
> >
> > I block brute force attacks using PF. They get a small set of attempts
> > before they are blocked. Very trivial.
> >
> > pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
> >     keep state (max-src-conn-rate 5/40, overload <scanners>)
> > block in log on $ext_if proto tcp from <scanners> to $ext_if port ssh
> >
> > Voilà, I still have root access, with a hard to guess password, and
> > people trying to brute force me are blocked. Of course, there could be
> > a "distributed" brute force attack... but how paranoid do you want to get??
>
> A distributed brute force attack against your set up is, at best,
> very challenging. This attack would be possible only if you are
> the target of a highly talented security expert. No one is so
> paranoid to believe that a distributed attack able to pass your
> protection will happen, though.

While I'm inclined to agree with the last part, setting up a botnet
isn't *that* hard.

> > I also rely on having the ability to install/upgrade remotely and ssh
> > into the system post install. With root access blocked off, well...kind
> > of hard!
>
> I am curious... how can OpenBSD be remotely installed on a computer
> without a [serial console]? How can the installer be run remotely
> without a device that the operating system calls "console"?

Well, at least theoretically, one could just replace the install script
by one that does whatever you want it to, without asking any questions.

Joachim
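
Added example (not part of the original thread): a simplified Python model of the `max-src-conn-rate 5/40, overload <scanners>` behaviour in the quoted rules, run over constructed connection timestamps. It treats the limit as an exact sliding window, whereas pf approximates the rate with a moving average; the function name and the addresses are made up for illustration.

```python
from collections import defaultdict, deque

MAX_CONN = 5   # connections, from "max-src-conn-rate 5/40"
WINDOW = 40    # seconds


def apply_rate_limit(events, max_conn=MAX_CONN, window=WINDOW):
    """Model the pass/overload/block rules for SYNs to port ssh.

    events: time-ordered (seconds, source_ip) pairs.
    Returns (passed, blocked, scanners); scanners maps each overloaded
    source to the time it was added to the <scanners> table.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    scanners = {}
    passed, blocked = [], []
    for ts, src in events:
        if src in scanners:       # "block in log ... from <scanners>"
            blocked.append((ts, src))
            continue
        seen = recent[src]
        while seen and ts - seen[0] >= window:
            seen.popleft()        # forget connections older than the window
        seen.append(ts)
        if len(seen) > max_conn:  # limit exceeded: overload <scanners>
            scanners[src] = ts
            blocked.append((ts, src))
        else:
            passed.append((ts, src))
    return passed, blocked, scanners


# Constructed sample traffic (documentation addresses, not real logs).
GUESSER = "203.0.113.7"     # one new connection every 2 seconds
ADMIN = "198.51.100.20"     # one new connection every 30 seconds
SAMPLE = sorted([(t, GUESSER) for t in range(0, 20, 2)] +
                [(t, ADMIN) for t in range(0, 120, 30)])

if __name__ == "__main__":
    passed, blocked, scanners = apply_rate_limit(SAMPLE)
    print("passed: ", passed)
    print("blocked:", blocked)
    print("table <scanners>:", scanners)
```

In this model the sixth connection inside 40 seconds is the one that puts the source into the table, and every later attempt from that address hits the block rule.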