[nycbug-talk] Distributed ssh dictionary attacks

Miles Nordin carton at Ivy.NET
Wed Nov 26 14:56:02 EST 2008

>>>>> "ak" == Andy Kosela <akosela at andykosela.com> writes:

    ak> If this is not a server with hundreds of users coming from all
    ak> over the world that setup works very nicely

how about one user coming from all over the world:  me?

I was trying to say, at least for me I expect access to my machines
from anywhere, so if it's not going to be through ssh then there will
be some kind of VPN or a chain of ssh's bouncing all over the place or
some stupid ad-hoc shit like ``first I VPN in, then i remote-desktop
into the Active Drectory DNS server machine and then vnc over to the
Mac webserver, and from there i can ssh back out to anywhere because
the NAT address at that site is whitelisted.  except, haha, this one
time when the UPS blew and <blah blah blah>.''  ssh is one of the
simplest and strongest front doors there is, so why not put it out
rather than something else?  I would guess it's probably more bug-free
and DoS-hardenable than an IKE daemon, except that bot-herders
probably aren't targeting IKE yet.  Unless you are saying that you can
only maintain your machines from certain physical locations, which
does not seem reasonable to me.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20081126/05059162/attachment.bin>

More information about the talk mailing list