* Peter Wiersig wrote on Fri, Aug 09, 2002 at 09:44 +0200:
Bastian Friedrich wrote:
On Thursday, 8 August 2002 22:01, Jeff Stewart wrote:
That's a good idea, but I want to be able to shell in from public computers. Maybe instead of blocking the IP address, I should block the username from logging in after a certain number of tries.
This idea is even worse, as it leads to an easy DoS: If I know your box's IP, I simply connect a couple of times with your login - and afterwards, you're no longer able to connect.
No, you don't. If you spoof the IP, you wouldn't be able to get past the TCP handshake.
He said, "*instead* of blocking the IP address, I should block the username".

And for IP: I wouldn't rely on the sequence number to be safe, finally it's only a 32 bit value and not as strong as an RSA key. IP is not for security, SSH keys are made for this! I suggest putting the key on a floppy disk with a good passphrase and disallowing password auth.

oki,

Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
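The lockout trade-off argued over in this thread, as an added example that is not part of any poster's message: a toy Python model that replays the same login attempts against a per-username and a per-source-IP failure counter. The class and function names, the threshold of 3 and the documentation-range addresses are all constructed for illustration.

```python
# Added illustration: toy model of two lockout policies (all names hypothetical).
from collections import Counter

MAX_FAILURES = 3  # assumed threshold; the thread only says "a certain number of tries"


class LockoutPolicy:
    """Counts failed logins per key and refuses every further attempt
    for a key once it has reached MAX_FAILURES."""

    def __init__(self, key_fn):
        self.key_fn = key_fn          # decides what gets blocked
        self.failures = Counter()

    def attempt(self, src_ip, username, credentials_ok):
        key = self.key_fn(src_ip, username)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"           # refused before credentials are checked
        if credentials_ok:
            return "accepted"
        self.failures[key] += 1
        return "rejected"


def by_username(src_ip, username):
    return username


def by_source_ip(src_ip, username):
    return src_ip


# Constructed sample: three wrong guesses from one address, then the account
# owner logging in with valid credentials from a different (public) machine.
EVENTS = [
    ("203.0.113.9", "jeff", False),
    ("203.0.113.9", "jeff", False),
    ("203.0.113.9", "jeff", False),
    ("198.51.100.20", "jeff", True),
    ("203.0.113.9", "jeff", False),
]


def compare():
    """Replay EVENTS against a fresh instance of each policy."""
    return {
        name: [LockoutPolicy(fn).attempt(*e) for e in EVENTS][-2:]
        if False else _replay(LockoutPolicy(fn))
        for name, fn in (("username", by_username), ("source_ip", by_source_ip))
    }


def _replay(policy):
    return [policy.attempt(*e) for e in EVENTS]
```

With the per-username counter the owner's valid login is the fourth event and comes back `locked`; with the per-source counter it is `accepted` and only the guessing address is refused.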