On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> On the 12240th day after Epoch,
> Mario Ohnewald wrote:
> > I think this problem should not be solved with configuring sshd.
>
> Wrong... You can configure sshd to accept only login from recognized keys,
> and let the firewall open.

If there is an exploitable bug in that code, you're screwed, and the whole
world can crack your machine. It's not really a problem to allow ssh access
from the whole world, except when there's a problem with ssh. What you should
try to do is limit the chance people have to crack your machine before you can
do something about it. By allowing connections from only a few IP address
blocks, you cut out most of the crackers in the world, but don't have to mess
with dynamic DNS and lack of reverse lookup; a good tradeoff between security
and convenience.

I suppose filtering with iptables is really the way to do it, but using ssh's
built-in AllowUsers is still at least somewhat useful. I don't know how much
code in sshd runs before AllowUsers is checked, but I hope not too much, so as
to minimize the risk of bugs.

> > I solved it with an iptables script which resolves my dynamic host every
> > 5 mins, and then reloads the firewall if needed.
>
> So, in some cases, you must wait 5 mins to connect?

Yeah, I agree that this is going too far, unless you are trying to protect
secrets that require armed guards in the real world, to back up the extreme
paranoia in the virtual world.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my day
so wretchedly into small pieces!" -- Plautus, 200 BC
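The "resolve the dynamic host every 5 minutes and reload the firewall" approach discussed in the thread, as an added example rather than a script posted by anyone above; HOST, SSH_PORT and STATE_FILE are assumed names, the host is a placeholder, and the address returned by DNS is validated before it is placed in an iptables rule.

```shell
# Added example (not from the thread): refresh the iptables "allow ssh" rule
# for a dynamic-DNS host from cron. HOST, SSH_PORT, STATE_FILE are assumed names.
HOST="${HOST:-admin.dyndns.example.invalid}"     # placeholder dynamic-DNS name
SSH_PORT="${SSH_PORT:-22}"
STATE_FILE="${STATE_FILE:-/var/run/ssh-allow.ip}"

# Accept only a plain dotted-quad IPv4 address (four octets, each 0-255),
# so a bad or empty DNS answer can never end up inside an iptables rule.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# First IPv4 address getent returns for the host, or nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 { print $1 }'
}

# True (0) only when the new address is valid and differs from the cached one.
needs_reload() {
    valid_ipv4 "$1" || return 1
    [ "$1" != "$2" ]
}

# Print the commands that drop the old allow rule and insert the new one.
rule_commands() {
    [ -n "$2" ] && echo "iptables -D INPUT -p tcp -s $2 --dport $SSH_PORT -j ACCEPT"
    echo "iptables -I INPUT -p tcp -s $1 --dport $SSH_PORT -j ACCEPT"
}

main() {
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    new=$(resolve_ipv4 "$HOST")
    if needs_reload "$new" "$old"; then
        rule_commands "$new" "$old" | sh      # applying the rules needs root
        printf '%s\n' "$new" > "$STATE_FILE"
    fi
}

# Run from cron every 5 minutes: */5 * * * * /usr/local/sbin/ssh-allow-refresh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The script only touches the firewall when the resolved address actually changed, so the common case every 5 minutes is a DNS lookup and a file read.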