On Tue, Jul 22, 2008, D Steward wrote:
>On Mon, 2008-07-21 at 17:09 -0500, Tim Nelson wrote:
>> When using denyhosts, you'll want to keep your IP's in hosts.allow so even if you're "banned" you can still get access. :-)
>Unfortunately, my ISP's plan uses dynamic IPs, so I have to enter
>various subnets to stay safe.
If you do not allow password authentication and use good pass
phrases on your identity, the only thing really gained by
restricting on IP ranges is restricting the number of reject
messages in your log files. The fail2ban program does a nice job
of limiting the number of rejection messages in the logs.
Another possibility is to set up OpenVPN on your system, which
authenticates on ssl certificates and works nicely even from
dynamic IPs behind NAT. Then you can ssh into the private LAN
behind your firewall via OpenVPN.
INTERNET: email@example.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
Foreign aid might be defined as a transfer from poor people in rich
countries to rich people in poor countries -- Douglas Casey
CentOS mailing list