On Sunday, 2009-10-04 at 01:30 +0200, Hans Witvliet wrote:
On Sat, 2009-10-03 at 23:34 +0200, Carlos E. R. wrote:
Well, that's useful if the IPs are static, but not if the bots are on dynamic addresses. Plus, six months is a lot of time; those machines could have been "repaired" since.
You want to block them altogether? Think again, if they came from a dynamic address, you'll block the next owner as well.
That's what I was meaning. You can not use a static blocking list, it has to be dynamic. New addresses have to be added and old removed.
Just block passwords altogether; it doesn't claim any resources on your side (in contrast to scrutinising that number of addresses), and you don't have to analyse your logfiles for ssh attacks, as there won't be any anymore.
It is a possibility, where it is possible to use it. For example, my router has ssh, but the login user is fixed by the manufacturer and keys are impossible to add. Thus I have to disable it completely, from the outside.

Then, if I'm to connect from the outside to my PC, I may not have control of the ssh home directory to place my key there - nor might I want to do that, allowing somebody else coming later to steal my key from the file. ssh would have to take the key from a USB stick and never store it locally. For Windows, it has been said to use PuTTY on a USB stick, but then, some setups remove the USB port.

Another hassle is the first connection, because you need to store the other part of the key on the server, and for that you need to connect first, without keys. You can see how SourceForge solves (solved?) that: you have to upload the key on a webpage.

--
Cheers,
Carlos E. R.
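
The point made in this thread, that a blocklist for dynamic addresses has to add new entries and drop old ones, sketched as an added example (not code from any of the posters): it replays constructed sshd log lines, blocks an address after repeated failed passwords, and lets the block lapse after a TTL. The log format, threshold, window, TTL and all names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (ISO timestamps, documentation-range addresses).
SAMPLE_LOG = """\
2009-10-03T23:00:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4100 ssh2
2009-10-03T23:00:05 host sshd[412]: Failed password for invalid user admin from 192.0.2.10 port 4101 ssh2
2009-10-03T23:00:09 host sshd[413]: Failed password for root from 192.0.2.10 port 4102 ssh2
2009-10-03T23:01:00 host sshd[420]: Failed password for alice from 198.51.100.7 port 5000 ssh2
2009-10-03T23:02:00 host sshd[421]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
2009-10-05T08:00:00 host sshd[900]: Failed password for root from 203.0.113.5 port 6000 ssh2
"""

# Greedy ".*" plus the end anchor picks the LAST "from <ip> port", so a
# crafted user name containing " from 10.0.0.1 port 1" cannot choose the IP.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

class ExpiringBlocklist:
    def __init__(self, threshold=3, window=timedelta(minutes=10), ttl=timedelta(hours=24)):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = {}  # ip -> timestamps of recent failed logins
        self.blocked = {}   # ip -> time at which the block lapses

    def expire(self, now):
        """Drop blocks whose TTL has passed, so a later owner of the address is not shut out."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def observe(self, line):
        m = FAILED.match(line)
        if not m:
            return
        now, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        self.expire(now)
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.blocked[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked

def replay(lines):
    bl = ExpiringBlocklist()
    for line in lines:
        bl.observe(line)
    return bl
```
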