If I need good security I edit access.conf and restrict ssh to certain IP-s.
I don't like denyhosts or fail2ban and I would probably purge and remove them from my vps.
It's easier to force strong passwords to users.
Known IP-s (home, work) get access instanly, for unknown (airport wifis, whatnot)
you have to knock: http://packages.debian.org/lenny/knockd
But with knocking there are few other problems such as you can't connect to random
ports while using wifi with hardcore firewall configuration (which allow only 80 and 443, for example).
~a
Hi Alex,
Provisioning *should* of course just be an automated web affair (and
On Sun, Mar 14, 2010 at 11:01:00AM +0000, Alex Harrington wrote:
> Would it be too much administrative overhead for you to have two levels of vps images.
>
> One would be fairly locked down, maybe with ssh on a different port, fail2ban and a basic firewall pre installed.
>
> The second would be the image you currently provide with ssh locked to key authentication only.
>
> If people want a vps provisioned with a password they get the first image. Users who provision with a key can choose either image.
despite appearances, I *have* been making progress towards that and
it *will* happen).
Once that happens then it should be easy to offer variations upon
the standard image, with tweaks like this built in.
It's just that I'm not convinced that the average customer will
know/care what the point of all that is. I can try to educate, I can
alter defaults and provide opt-outs, but I have seen limited success
with that sort of thing before.
At the very least the default image would still have to have an
effective defence against ssh scanning in it, such as
DenyHosts/Fail2Ban.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREDAAYFAkucxM8ACgkQIJm2TL8VSQvv6gCfd2WyE6fn87XlncyJq0uFu5rI
o4gAnjgdw7DvJLn5ZgCxj9K1x3Ch5HPR
=Qyn7
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users