On December 3, 2008, Steve wrote:
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions?  Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I went the path of passwordless entries (i.e. DSA/RSA keys) and I think it 
helped a lot, no botnet/worm/cracker is known to do selective key assembly so 
far and it's a labour-intensive process. I think applying keys is a very good 
step forward (well, and make sure every externally exposed service is 
properly patched and secured ;) ).

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
