Re: secure log
On Fri, 15 Feb 2008, in the Usenet newsgroup comp.os.linux.security, in article
<b4378804-21b5-4057-a587-395b5537c637@64g2000hsw.googlegroups.com>, PooDBrown
wrote:
NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.
>Instead of trying to figure out what passwords they are using, you
>could change your authentication on ssh to pubkey/privatekey, plus
>password. This would give you two factors of authentication, one the
>"attacker" would have to have your public key and private key in order
>to get into your box.
Yes, I agree with this, but here in the US, the Federal Banking
authorities frown upon users dinking with the authentication mechanisms
used for on-line banking services. You're stuck with whatever the
idiots running the server have decided upon.
>Another option to add is to use iptables to restrict IPs that can log
>into your box. By restricting by IPs, "attackers" can not get to your
>box without knowing your allowed IPs and spoofing them.
Spoofing TCP is absolutely not easy, especially if you are trying to
carry on a conversation such as a "Login:" sequence. See the docs
from nmap, and look at "Sequence Numbers" - great fun. But yes, I
have never understood why everyone feels the need to allow connections
to their systems from every d4mn IP address in the world. As of late
Friday, there were 2,586,651,004 IPv4 addresses authorized or
allocated (69.79 percent of non-RFC3330 IP space). My home systems
accept connections from a /22 and two /24s "outside" (which is a
total of 1536 addresses world wide) because I can't see any reason to
allow connections from you or anyone else that I haven't approved in
advance, and I really don't expect authorized users to be connecting
from Korea, Kenya, Kuwait or Kazakhstan or a lot of other places either.
Another "trick" often used is to simply move your server to some
entirely different port number.
[compton ~]$ head -1 /dev/random | mimencode | tr -d ' -/:-z'
615503201
30737390107
6
[compton ~]$
Yes People, an SSH server will work just fine if you move it to a port
such as 6155, 61550, 15503, or similar. You'll have to tell your client
to connect to the different port number - wow, isn't that hard.
Old guy
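As an added example (not from the post or its author), a POSIX sh script that prints, without applying, an iptables allowlist for an SSH daemon moved off port 22 and restricted to a handful of netblocks, checks the address count such an allowlist covers, and draws a random unprivileged port with od(1) instead of mimencode. The netblocks and port are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example: allowlist SSH by source netblock on a non-standard port.
# Nothing below touches the firewall; the rules are only printed.

SSH_PORT=6155                                   # placeholder, see pick_port
ALLOWED="10.20.0.0/22 203.0.113.0/24 198.51.100.0/24"   # constructed /22 + two /24s

# Number of addresses in a CIDR block: 2^(32 - prefix length).
cidr_size() {
  prefix=${1#*/}
  echo $((1 << (32 - prefix)))
}

# Total addresses the allowlist admits (a /22 plus two /24s gives 1536).
allowlist_size() {
  total=0
  for net in $ALLOWED; do
    total=$((total + $(cidr_size "$net")))
  done
  echo "$total"
}

# Emit iptables rules: accept new SSH connections only from $ALLOWED,
# then drop every other attempt at the SSH port. Pair this with a
# matching "Port $SSH_PORT" line in sshd_config.
ssh_rules() {
  for net in $ALLOWED; do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$net" "$SSH_PORT"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$SSH_PORT"
}

# Random port in 1024..65535 from two bytes of /dev/urandom.
pick_port() {
  raw=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  echo $((1024 + raw % 64512))
}

if [ "${1:-}" = "show" ]; then
  echo "allowlist covers $(allowlist_size) addresses"
  ssh_rules
fi
```

Run with the argument `show` to print the rule set; the unfiltered default is a no-op so the functions can be sourced elsewhere.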