[nycbug-talk] Distributed ssh dictionary attacks
Miles Nordin
carton at Ivy.NET
Wed Nov 26 14:56:02 EST 2008
>>>>> "ak" == Andy Kosela <akosela at andykosela.com> writes:
ak> If this is not a server with hundreds of users coming from all
ak> over the world that setup works very nicely
how about one user coming from all over the world: me?
I was trying to say, at least for me I expect access to my machines
from anywhere, so if it's not going to be through ssh then there will
be some kind of VPN or a chain of ssh's bouncing all over the place or
some stupid ad-hoc shit like ``first I VPN in, then I remote-desktop
into the Active Directory DNS server machine and then vnc over to the
Mac webserver, and from there I can ssh back out to anywhere because
the NAT address at that site is whitelisted. except, haha, this one
time when the UPS blew and <blah blah blah>.'' ssh is one of the
simplest and strongest front doors there is, so why not put it out
rather than something else? I would guess it's probably more bug-free
and DoS-hardenable than an IKE daemon, except that bot-herders
probably aren't targeting IKE yet. Unless you are saying that you can
only maintain your machines from certain physical locations, which
does not seem reasonable to me.