On December 3, 2008, Steve wrote:
> Sure, I could use IPtables to block all these bad ports... or... I could
> disable password authentication entirely... but I keep thinking that
> there has to be something better I can do... any suggestions? Is there
> a simple way to integrate a block-list of known-compromised hosts into
> IPtables - rather like my postfix is configured to drop connections from
> known spam sources from the sbl-xbl.spamhaus.org DNS block list, for
> example.

I went the path of passwordless entries (i.e. DSA/RSA keys) and I think it helped a lot; no botnet/worm/cracker is known to do selective key assembly so far and it's a labour-intensive process. I think applying keys is a very good step forward (well, and make sure every externally exposed service is properly patched and secured ;) ).

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
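An added example, not part of the original message: a Python check that an `sshd_config` really leaves key-based login as the only path after the switch to keys described above. The default values are assumed to be upstream OpenSSH's, the sample configs are constructed, and `Include` files are not followed.

```python
# Added example: audit sshd_config text for leftover password logins.
# sshd keeps the FIRST value it reads for each keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

DEFAULTS = {  # assumed upstream OpenSSH defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated spelling of the same option
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit(config_text):
    """Return (global effective settings, list of findings)."""
    seen, findings, in_match = {}, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True              # everything below is conditional
        elif key in DEFAULTS and in_match:
            if key != "pubkeyauthentication" and value != "no":
                findings.append(f"Match block re-enables {key}")
        elif key in DEFAULTS:
            seen.setdefault(key, value)  # first value wins
    eff = {**DEFAULTS, **seen}
    if eff["passwordauthentication"] != "no":
        findings.append("passwordauthentication is not 'no'")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("kbdinteractiveauthentication is not 'no'")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off; key logins would fail")
    return eff, findings

# Constructed samples: the second "PasswordAuthentication" line is ignored.
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"
KEYS_ONLY = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
             "ChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("KEYS_ONLY", KEYS_ONLY)):
        print(name, audit(text)[1] or "keys only")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.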