On Mar 14, 2010, at 09:52, Mathew Newton wrote:

>> 5) Install DenyHosts or Fail2Ban.
>
> I think this approach would be a good start, although note that neither of
> those support IPv6 so for those that have it enabled they'd turn a blind
> eye to such connections. SSHguard (http://www.sshguard.net) claims to
> support it however I've not used it personally.

I solved the fail2ban issue by limiting IPv6 connections to my home /48. If somebody unauthorized is coming from there, they've already pwned me. That's in addition to keys-only, but I'm just a professional paranoid that way.

FWIW, as a stopgap until passwordless can be made to work better for the half of the users not on this list, I'd go for adding fail2ban to the default image, and if you can set up the pam configuration so that cracklib validates proposed root passwords too that would be good.


-- 
Brad Ackerman N1MNB/M0GQK          PGP: 0x9F49A373
brad@facefault.org   <*>   http://bsa.smugmug.com/
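The thread's point is that fail2ban (at the time) only watched IPv4, so IPv6 SSH brute-forcing went unseen, and the poster's stopgap was to trust only his home /48 over IPv6. The following is an added example, not code from the thread or from fail2ban, showing the minimal detection that fills that gap: parse sshd "Failed password" lines, ignore IPv4 (fail2ban's job), ignore IPv6 sources inside the trusted /48, and report the rest. The home prefix (a documentation-range placeholder) and the auth.log lines are constructed for the example.

```python
import ipaddress
import re

# Placeholder home prefix (RFC 3849 documentation range); substitute your own /48.
HOME_PREFIX = ipaddress.ip_network("2001:db8:abcd::/48")

# Constructed sample auth.log excerpt: one failure from inside the home /48,
# two from an outside IPv6 address, one IPv4 failure, one successful key login.
SAMPLE_LOG = """\
Mar 14 10:01:02 host sshd[1234]: Failed password for root from 2001:db8:abcd:1::10 port 51234 ssh2
Mar 14 10:01:05 host sshd[1235]: Failed password for invalid user admin from 2001:db8:ffff::5 port 40000 ssh2
Mar 14 10:01:07 host sshd[1236]: Failed password for root from 192.0.2.7 port 2222 ssh2
Mar 14 10:01:09 host sshd[1237]: Accepted publickey for brad from 2001:db8:abcd:2::1 port 5555 ssh2
Mar 14 10:01:11 host sshd[1238]: Failed password for root from 2001:db8:ffff::5 port 40001 ssh2
"""

# Matches both "Failed password for USER from ADDR" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(text):
    """Yield (username, ip_address) for each failed-password line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))


def unauthorized_ipv6_failures(text, home=HOME_PREFIX):
    """Return (user, source) pairs for failures from IPv6 sources outside `home`.

    IPv4 sources are left to fail2ban; IPv6 sources inside the home prefix are
    treated as already trusted, matching the /48 policy described in the thread.
    """
    hits = []
    for user, addr in parse_failures(text):
        if addr.version == 6 and addr not in home:
            hits.append((user, str(addr)))
    return hits


def count_by_source(hits):
    """Aggregate hits per source address so repeat offenders stand out."""
    counts = {}
    for _, source in hits:
        counts[source] = counts.get(source, 0) + 1
    return counts


def block_rule(source, port=22):
    """Build the ip6tables command that would drop SSH from one offending source.

    Returned as a string for review rather than executed, since applying it needs root.
    """
    return f"ip6tables -I INPUT -p tcp --dport {port} -s {source} -j DROP"


if __name__ == "__main__":
    hits = unauthorized_ipv6_failures(SAMPLE_LOG)
    for source, n in count_by_source(hits).items():
        print(f"{source}: {n} failed logins outside {HOME_PREFIX}")
        print("  " + block_rule(source))
```

Run against a real auth.log the script only reports; whether to feed the resulting addresses to ip6tables is a policy decision, and with keys-only authentication in place the report is mostly a measure of how much noise the IPv4-only watcher is missing.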