If I need good security I edit access.conf and restrict ssh to certain IP-s.<br><br>I don&#39;t like denyhosts or fail2ban and I would probably purge and remove them from my vps.<br><br>It&#39;s easier to force strong passwords to users.<br>
<br>Known IP-s (home, work) get access instanly, for unknown (airport wifis, whatnot)<br>you have to knock: <a href="http://packages.debian.org/lenny/knockd">http://packages.debian.org/lenny/knockd</a><br><br>But with knocking there are few other problems such as you can&#39;t connect to random<br>
ports while using wifi with hardcore firewall configuration (which allow only 80 and 443, for example).<br><br>~a<br><br><div class="gmail_quote">On Sun, Mar 14, 2010 at 1:13 PM, Andy Smith <span dir="ltr">&lt;<a href="mailto:andy@bitfolk.com">andy@bitfolk.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi Alex,<br>
<div class="im"><br>
On Sun, Mar 14, 2010 at 11:01:00AM +0000, Alex Harrington wrote:<br>
&gt; Would it be too much administrative overhead for you to have two levels of vps images.<br>
&gt;<br>
&gt; One would be fairly locked down, maybe with ssh on a different port, fail2ban and a basic firewall pre installed.<br>
&gt;<br>
&gt; The second would be the image you currently provide with ssh locked to key authentication only.<br>
&gt;<br>
&gt; If people want a vps provisioned with a password they get the first image. Users who provision with a key can choose either image.<br>
<br>
</div>Provisioning *should* of course just be an automated web affair (and<br>
despite appearances, I *have* been making progress towards that and<br>
it *will* happen).<br>
<br>
Once that happens then it should be easy to offer variations upon<br>
the standard image, with tweaks like this built in.<br>
<br>
It&#39;s just that I&#39;m not convinced that the average customer will<br>
know/care what the point of all that is. I can try to educate, I can<br>
alter defaults and provide opt-outs, but I have seen limited success<br>
with that sort of thing before.<br>
<br>
At the very least the default image would still have to have an<br>
effective defence against ssh scanning in it, such as<br>
DenyHosts/Fail2Ban.<br>
<div><div></div><div class="h5"><br>
Cheers,<br>
Andy<br>
<br>
--<br>
<a href="http://bitfolk.com/" target="_blank">http://bitfolk.com/</a> -- No-nonsense VPS hosting<br>
</div></div><br>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.9 (GNU/Linux)<br>
<br>
iEYEAREDAAYFAkucxM8ACgkQIJm2TL8VSQvv6gCfd2WyE6fn87XlncyJq0uFu5rI<br>
o4gAnjgdw7DvJLn5ZgCxj9K1x3Ch5HPR<br>
=Qyn7<br>
-----END PGP SIGNATURE-----<br>
<br>_______________________________________________<br>
users mailing list<br>
<a href="mailto:users@lists.bitfolk.com">users@lists.bitfolk.com</a><br>
<a href="https://lists.bitfolk.com/mailman/listinfo/users" target="_blank">https://lists.bitfolk.com/mailman/listinfo/users</a><br>
<br></blockquote></div><br>