Re: [bitfolk] The perils of opening tcp/22 to the Internet

Author: Brad Ackerman
Date:  
To: users
Subject: Re: [bitfolk] The perils of opening tcp/22 to the Internet
On Mar 14, 2010, at 09:52, Mathew Newton wrote:

>> 5) Install DenyHosts or Fail2Ban.
>
> I think this approach would be a good start, although note that neither of
> those support IPv6 so for those that have it enabled they'd turn a blind
> eye to such connections. SSHguard (http://www.sshguard.net) claims to
> support it however I've not used it personally.


I solved the fail2ban issue by limiting IPv6 connections to my home /48. If somebody unauthorized is coming from there, they've already pwned me. That's in addition to keys-only, but I'm just a professional paranoid that way.

FWIW, as a stopgap until passwordless can be made to work better for the half of the users not on this list, I'd go for adding fail2ban to the default image, and if you can set up the PAM configuration so that cracklib validates proposed root passwords too, that would be good.


-- 
Brad Ackerman N1MNB/M0GQK          PGP: 0x9F49A373
brad@???   <*>   http://bsa.smugmug.com/
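The scheme Brad describes, as an added example that is not part of the thread: IPv6 tcp/22 is reachable only from one /48 at the packet filter, so an IPv6 brute-forcer never produces an auth-log line for fail2ban to miss, while IPv4 tcp/22 stays open and is left to a fail2ban-style counter. The /48 (2001:db8:1234::/48, a documentation prefix), the ban threshold of five failures (the default maxretry in fail2ban's jail.conf) and the nftables syntax are assumptions for illustration; the thread is from 2010 and would have used ip6tables, and fail2ban itself has handled IPv6 since 0.10, so the allowlist is a belt-and-braces measure today rather than a necessity.

```python
import ipaddress
from collections import Counter

# Constructed example values: a documentation prefix standing in for the
# author's home /48, and a fail2ban-like retry threshold (assumed, default 5).
HOME_V6 = ipaddress.ip_network("2001:db8:1234::/48")
MAXRETRY = 5


def nft_ruleset(allowed_v6=HOME_V6, port=22):
    """Render an nftables input chain (assumed syntax, not from the thread):
    IPv6 tcp/<port> only from the allowed /48, IPv4 tcp/<port> open and
    left to fail2ban, everything else dropped by policy."""
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip6 saddr {allowed_v6} tcp dport {port} accept",
        f"    meta nfproto ipv4 tcp dport {port} accept",
        "  }",
        "}",
    ])


class SshGate:
    """Simulates the decision path for one SSH connection attempt:
    packet filter first (IPv6 allowlist), then sshd authentication, then a
    fail2ban-style counter that only ever sees IPv4 because the filter has
    already dropped every off-prefix IPv6 source."""

    def __init__(self, allowed_v6=HOME_V6, maxretry=MAXRETRY):
        self.allowed_v6 = allowed_v6
        self.maxretry = maxretry
        self.failures = Counter()   # IPv4 source -> failed auth count
        self.banned = set()         # IPv4 sources fail2ban has blocked
        self.log = []               # auth-log lines the counter gets to read

    def decide(self, src, auth_ok):
        ip = ipaddress.ip_address(src)
        if ip.version == 6:
            # Off-prefix IPv6 never reaches sshd, so no log line, no fail2ban gap.
            if ip not in self.allowed_v6:
                return "drop:firewall"
            return "accept" if auth_ok else "auth-fail"
        # IPv4 passes the filter; fail2ban watches the resulting log lines.
        if src in self.banned:
            return "drop:fail2ban"
        if auth_ok:
            return "accept"
        self.log.append(f"Failed password for invalid user from {src} port 22 ssh2")
        self.failures[src] += 1
        if self.failures[src] >= self.maxretry:
            self.banned.add(src)
            return "drop:fail2ban"
        return "auth-fail"


if __name__ == "__main__":
    print(nft_ruleset())
    gate = SshGate()
    # Constructed attempts: an IPv6 scanner, the home prefix, an IPv4 brute-forcer.
    print(gate.decide("2001:db8:9999::1", False))      # drop:firewall
    print(gate.decide("2001:db8:1234:5::1", True))     # accept
    for _ in range(MAXRETRY):
        last = gate.decide("198.51.100.7", False)
    print(last, len(gate.log))                          # drop:fail2ban 5
```

Key-only authentication on sshd_config (`PasswordAuthentication no`) sits on top of this; it is what makes the IPv4 side survive a scanner that is smart enough to stay under maxretry, which the counter above does nothing about.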