From: Steve
Date: Wed, 03 Dec 2008 23:55:45 +0000
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Message-ID: <49371C80.9090300@shic.co.uk>
In-Reply-To: <58965d8a0812031521o18e02b1cq17ba380a4666084e@mail.gmail.com>

Paul Hartman wrote:
> I think using Dmitry's idea of rejecting the first 2 connections, but
> then allowing it as normal on the third attempt would satisfy your
> requirements for being on the normal port, allowing all IPs and
> requiring no special setup on the client end (other than knowing they
> have to retry twice).
>

Erm - surely I either need to set up my client to port-knock... which is a faff I'd rather avoid... in order to use the technique.

Port knocking would be especially infuriating from trusted clients where I'd like to use standard software like WinSCP; Putty; Symbian Putty - etc. While I recognise port knocking as a valuable strategy in some circumstances, it seems a very bad fit for my needs.

GEO-IP blocking would be fairly good... if I could limit this to password authentication only - as would blacklisting known bot-net participants. While these exotic ideas are interesting - a better way to identify malicious hosts is, by far, my preferred solution.
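The kind of host identification Steve prefers over port knocking or GeoIP blocking, as an added example that is not part of the thread: a small Python script that counts failed password attempts per source address in sshd log lines, ignores publickey failures (normal when a client offers several keys), and flags hosts that never logged in successfully. The log lines, host name, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original thread); the
# format follows OpenSSH's syslog messages on a typical Linux host.
SAMPLE_LOG = """\
Dec  3 22:01:10 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Dec  3 22:01:14 host sshd[1203]: Failed password for root from 203.0.113.7 port 40218 ssh2
Dec  3 22:01:19 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 40225 ssh2
Dec  3 22:05:02 host sshd[1290]: Failed password for steve from 198.51.100.4 port 51022 ssh2
Dec  3 22:05:09 host sshd[1290]: Accepted publickey for steve from 198.51.100.4 port 51022 ssh2
Dec  3 22:07:30 host sshd[1310]: Accepted password for steve from 192.0.2.9 port 55010 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def summarise(log_text):
    """Return {ip: {"failed_password": n, "accepted": n}} from sshd log text."""
    stats = defaultdict(lambda: {"failed_password": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ip = m.group("ip")
        if m.group("result") == "Accepted":
            stats[ip]["accepted"] += 1
        elif m.group("method") == "password":
            # Only password failures count: a trusted client trying several
            # keys before the right one produces publickey failures legitimately.
            stats[ip]["failed_password"] += 1
    return dict(stats)

def suspicious_hosts(log_text, threshold=3):
    """IPs with at least `threshold` failed password attempts and no accepted login."""
    return sorted(
        ip for ip, s in summarise(log_text).items()
        if s["failed_password"] >= threshold and s["accepted"] == 0
    )

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))  # ['203.0.113.7']
```

Feeding the real auth log through `summarise` (for example via `sys.stdin.read()`) gives a per-host table from which a GeoIP or blacklist check can be applied to password failures only, as the post asks for.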