If I need good security I edit access.conf and restrict ssh to certain IP-s.
I don't like denyhosts or fail2ban and I would probably purge and remove
them from my vps.
It's easier to force strong passwords to users.
Known IP-s (home, work) get access instanly, for unknown (airport wifis,
whatnot)
you have to knock:
But with knocking there are few other problems such as you can't connect to
random
ports while using wifi with hardcore firewall configuration (which allow
only 80 and 443, for example).
~a
On Sun, Mar 14, 2010 at 1:13 PM, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Alex,
On Sun, Mar 14, 2010 at 11:01:00AM +0000, Alex Harrington wrote:
Would it be too much administrative overhead for
you to have two levels
of vps images.
One would be fairly locked down, maybe with ssh on a different port,
fail2ban and
a basic firewall pre installed.
The second would be the image you currently provide with ssh locked to
key
authentication only.
If people want a vps provisioned with a password they get the first
image. Users
who provision with a key can choose either image.
Provisioning *should* of course just be an automated web affair (and
despite appearances, I *have* been making progress towards that and
it *will* happen).
Once that happens then it should be easy to offer variations upon
the standard image, with tweaks like this built in.
It's just that I'm not convinced that the average customer will
know/care what the point of all that is. I can try to educate, I can
alter defaults and provide opt-outs, but I have seen limited success
with that sort of thing before.
At the very least the default image would still have to have an
effective defence against ssh scanning in it, such as
DenyHosts/Fail2Ban.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEAREDAAYFAkucxM8ACgkQIJm2TL8VSQvv6gCfd2WyE6fn87XlncyJq0uFu5rI
o4gAnjgdw7DvJLn5ZgCxj9K1x3Ch5HPR
=Qyn7
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users