Re: [bitfolk] The perils of opening tcp/22 to the Internet

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet

gpg: Signature made Sun Mar 14 11:13:19 2010 UTC using DSA key ID BF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>"
gpg: aka "Andrew James Smith <andy@strugglers.net>"
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>"
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>"
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>"
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>"
Hi Alex,

On Sun, Mar 14, 2010 at 11:01:00AM +0000, Alex Harrington wrote:
> Would it be too much administrative overhead for you to have two levels of vps images?
>
> One would be fairly locked down, maybe with ssh on a different port, fail2ban and a basic firewall pre-installed.
>
> The second would be the image you currently provide with ssh locked to key authentication only.
>
> If people want a vps provisioned with a password they get the first image. Users who provision with a key can choose either image.


Provisioning *should* of course just be an automated web affair (and
despite appearances, I *have* been making progress towards that and
it *will* happen).

Once that happens then it should be easy to offer variations upon
the standard image, with tweaks like this built in.

It's just that I'm not convinced that the average customer will
know/care what the point of all that is. I can try to educate, I can
alter defaults and provide opt-outs, but I have seen limited success
with that sort of thing before.

At the very least the default image would still have to have an
effective defence against ssh scanning in it, such as
DenyHosts/Fail2Ban.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
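
As an added example (not part of the original message and not BitFolk's tooling), the following sketch checks an `sshd_config` against the image variants discussed in this thread: password-capable versus key-only, plus the requirement that every image carry DenyHosts/Fail2Ban. The function names, the `ban_tool_installed` flag and the sample configs are assumptions constructed for illustration.

```python
"""Added example: audit sshd_config text against the image variants discussed above."""

def parse_sshd(config_text):
    """Return (listening_ports, password_login_possible) for sshd_config text."""
    ports, global_pw, match_pw, in_match = [], None, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            in_match = True                        # following lines are conditional
        elif key == "port" and args and not in_match:
            ports.append(int(args[0]))             # Port may repeat; sshd listens on all
        elif key == "passwordauthentication" and args:
            value = args[0].lower()
            if in_match:
                match_pw = match_pw or value == "yes"   # conservative: any Match counts
            elif global_pw is None:
                global_pw = value                  # first global value wins
    if global_pw is None:
        global_pw = "yes"                          # OpenSSH default when unset
    return ports or [22], global_pw == "yes" or match_pw

def audit(config_text, ban_tool_installed):
    """Return (profile, findings); ban_tool_installed is supplied by the caller."""
    ports, password_possible = parse_sshd(config_text)
    profile = "password-capable" if password_possible else "key-only"
    findings = []
    if not ban_tool_installed:
        findings.append("no DenyHosts/Fail2Ban defence against ssh scanning")
    if password_possible and 22 in ports:
        findings.append("password logins accepted on default port 22")
    return profile, findings

# Constructed sample configs (not from the thread).
LOCKED_DOWN = "Port 2222\nPasswordAuthentication yes\n"
KEY_ONLY = "# later duplicate is ignored\nPasswordAuthentication no\nPasswordAuthentication yes\n"
MATCH_OVERRIDE = "PasswordAuthentication no\nMatch User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in [("locked-down", LOCKED_DOWN), ("key-only", KEY_ONLY),
                      ("match-override", MATCH_OVERRIDE)]:
        print(name, audit(cfg, ban_tool_installed=True))
```

The check looks only at `PasswordAuthentication`; keyboard-interactive authentication through PAM can also accept passwords and would need its own check.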