On 02.11.17 20:19, Stuart Henderson wrote:
> On 2017-10-30, Gregory Edigarov <ediga...@qarea.com> wrote:
>> On 29.10.17 03:20, x9p wrote:
>>> Coming from the Linux world, I wonder if there is a better alternative
>>> to fail2ban, already being used in OpenBSD servers by the majority.
>> I suggest you NEVER use such "solutions". It's a security-by-obscurity
>> model, and therefore a bad, very very bad thing.
>> You'd be much safer completely turning off password authentication,
>> using keys instead.
> If someone is pushing a lot of auth attempts, they can be consuming meaningful
> amounts of CPU. (They're usually too quick to show up in top). So restricting it
> can be useful from that point of view.
> Myself, I normally restrict ssh to connecting from a predefined list of IPs
> though ...
And it is the right behavior when you can define such a list.
Myself, I just turn off password auth, and have my keys on a pen drive.