Hi,

This discussion has developed in two different directions, namely how SSH works, and in particular how challenge-response is implemented, and the use of different rules to block scan attempts, both to port 22 and also in general.

Let me clarify that, although I do use challenge-response, I do not think it is a universal panacea. If your users are computer literate, then it is a good idea to implement it (it also works under Windows SSH clients such as PuTTY, but I have no idea how to). If not, which is the most probable thing if you administer a network with hundreds of users, then you will have to keep password authentication, and a blocking rule against password attacks is a good idea. It is in any case worth implementing, I think, especially if it is designed to block general port scans, rather than just single ports like port 22. You never know if your Apache server, or mail server, or whatever is vulnerable.

To repeat the mantra of security people, security is a layered process. Two locks are always better than one :-) ...

Best,
Jaime.