abuse@ and postmaster@ in the modern world?
london.pm at bang.meep.org
Fri Nov 17 18:06:34 GMT 2006
On Fri, 17 Nov 2006, Dean Wilson wrote:
> I'm curious as to how many people audit the successful ssh logins
If they've already logged in, then the odds aren't too good that you can
trust the logs on that machine any more. If you're using a loghost, it
might be more useful, but how many people do that at home ?
> Something else worth noting is that the next ssh exploit based worm/zero
> day scanner won't be slowed down by these blocking scripts. They only
> protect against brute force attacks. Which is fine, as long as the
> limitation is known.
Either port-knocking or as suggested elsewhere, run ssh on non-standard
port and autoblock anyone connecting on 22 from the real thing would seem
possible ways around that.
Overall though, I suspect we have a lot of conflicting needs. Personally
I could whitelist my gprs provider and a large number of friends home/work
IPs that I use very occasionally. That still doesn't help when I'm
roaming on random wifi networks, nor gprs roaming abroad. Similarly, I
could use keys from the machines I tend to carry, but that doesn't help
when you're quickly borrowing a session on a friend's machine. And my own
suggestion isn't great either, plenty of firewalls and random networks
won't allow connections on random ports.
More information about the london.pm