Hell, start by changing your ssh port, that cuts down everything heavily. <br><br><div class="gmail_quote">On Fri, Dec 24, 2010 at 12:00 PM, <span dir="ltr"><<a href="mailto:ale-request@ale.org">ale-request@ale.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Today's Topics:<br>
<br>
1. Re: any suggestions on an automated method for blocking<br>
repeated failed ssh login attempts? (Michael H. Warfield)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 24 Dec 2010 11:29:46 -0500<br>
From: "Michael H. Warfield" <mhw@WittsEnd.com><br>
Subject: Re: [ale] any suggestions on an automated method for blocking<br>
repeated failed ssh login attempts?<br>
To: Atlanta Linux Enthusiasts <<a href="mailto:ale@ale.org">ale@ale.org</a>><br>
Cc: mhw@WittsEnd.com, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>><br>
Message-ID: <<a href="mailto:1293208186.4614.137.camel@canyon.wittsend.com">1293208186.4614.137.camel@canyon.wittsend.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
On Fri, 2010-12-24 at 10:52 -0500, Michael H. Warfield wrote:<br>
> On Fri, 2010-12-24 at 08:41 -0500, Jim Kinney wrote:<br>
<br>
: snip<br>
<br>
> > Ah ha! CAC. I've seen this acronym around. crypto-access-card maybe. I will<br>
> > start the push for more info on those and some details on usage.<br>
<br>
> That's it.<br>
<br>
> Also, after reflecting on it overnight, since you seem mostly concerned<br>
> with Windows users. If you/they are really paranoid you might consider<br>
> IronKey.<br>
<br>
> <a href="https://www.ironkey.com/" target="_blank">https://www.ironkey.com/</a><br>
<br>
> The keys are encrypted and hardware cryptographically locked. The user<br>
> has to enter a PIN and then the USB side of the key can be accessed just<br>
> like a regular USB key, albeit a rather pricey USB key. That much<br>
> actually works in Linux. The entire crypto engine may be accessed over<br>
> a pkcs11 API interface in Windows, so anything that can talk to a<br>
> smart-card can use this key as a crypto engine, but they don't have<br>
> those drivers for Linux last I looked. With that interface, you can<br>
> generate or store a limited number of private keys for PGP, SSH, or<br>
> X.509 certificates. The private key, once stored on the IronKey, can<br>
> never be extracted from the IronKey. It can only be used by the crypto<br>
> engine on the IronKey itself. So it's a CSD (Crypto Storage Device) and<br>
> hardware crypto engine. They claim it's tamper proof and will destroy<br>
> the contents if tampered with. The enterprise version even allows<br>
> remote locking and destruction of the key in case of loss or theft.<br>
<br>
> They were eliminated from consideration purely due to the lack of the<br>
> pkcs11 API interface and drivers on Linux and we have an explicit<br>
> requirement for solution parity. Other than that, they looked pretty<br>
> impressive. Cost wise, the personal edition is (or was) about on parity<br>
> with a pair of good usb memory key and a good smart card style usb<br>
> crypto key. In the latter case, though, you don't have the hardware<br>
> encryption on the USB key or the crypto locking.<br>
<br>
I may have to go back and reexamine these. For the basic key, at least,<br>
it now looks to be feature complete across Windows, Linux, and Mac OS X.<br>
That would be a really good thing. The "Personal" key has a few more<br>
Windows only features such as web browsing security that I don't think<br>
are that significant (Basic and Personal seem to be the same price). The<br>
Enterprise version is a horse of a different color and I can't really<br>
tell. Looks like they also have a newer D200 series that gives you<br>
twice the memory at slightly reduced speeds at the same price. The<br>
price is right in the ball park for a good crypto key. $79 USD for a 2G<br>
D200 key and goes up from there to $269 for a 32G key all supporting<br>
2048 bit RSA. That would be a little pricier but still a viable<br>
alternative to the OpenPGP keys that are being discussed in another<br>
thread on this list and I don't believe those keys have any storage on<br>
them other than the crypto key store itself. I don't know how big the<br>
crypto store on these is, though. Most of the time it's only like 32KB<br>
or 64KB for the key storage itself. I couldn't find that in the spec.<br>
I may have to buy one just to play with the crypto under Linux.<br>
<br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
End of Ale Digest, Vol 35, Issue 83<br>
***********************************<br>
</blockquote></div><br><br clear="all"><br>-- <br>SimonTek<br>404-585-1308<br><br>