If I need good security I edit access.conf and restrict ssh to certain IPs.
I don't like denyhosts or fail2ban and I would probably purge and remove
them from my vps.
It's easier to force strong passwords on users.
Known IPs (home, work) get access instantly; for unknown ones (airport wifis,
whatnot) you have to knock:
http://packages.debian.org/lenny/knockd
But with knocking there are a few other problems, such as you can't connect to
random ports while using wifi with a hardcore firewall configuration (which
allows only 80 and 443, for example).
~a
On Sun, Mar 14, 2010 at 1:13 PM, Andy Smith <andy@???> wrote:
> Hi Alex,
>
> On Sun, Mar 14, 2010 at 11:01:00AM +0000, Alex Harrington wrote:
> > Would it be too much administrative overhead for you to have two levels
> > of vps images.
> >
> > One would be fairly locked down, maybe with ssh on a different port,
> > fail2ban and a basic firewall pre installed.
> >
> > The second would be the image you currently provide with ssh locked to
> > key authentication only.
> >
> > If people want a vps provisioned with a password they get the first
> > image. Users who provision with a key can choose either image.
>
> Provisioning *should* of course just be an automated web affair (and
> despite appearances, I *have* been making progress towards that and
> it *will* happen).
>
> Once that happens then it should be easy to offer variations upon
> the standard image, with tweaks like this built in.
>
> It's just that I'm not convinced that the average customer will
> know/care what the point of all that is. I can try to educate, I can
> alter defaults and provide opt-outs, but I have seen limited success
> with that sort of thing before.
>
> At the very least the default image would still have to have an
> effective defence against ssh scanning in it, such as
> DenyHosts/Fail2Ban.
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>