

The Hail Mary Cloud And The Lessons Learned - zdw
http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html

======
eksith
There's an additional trick possible to dissuade these types of attacks, but
I'm not sure if everyone is up to that type of dedication.

I once worked with an admin who would set up a script to enable SSH passthrough
on the firewall (also OpenBSD) at a specific time of day, but never the same
time. Once he had connected in the allowed window and finished his business, he
would reset the timer for another time of day (or perhaps several days to a
week later if he was going to be away for a while).

It's a bit like the timed bank vault where even the manager couldn't open it
until the timer on the door allowed it.

------
spindritf
I don't understand this sentence at the end of the keys section

> And I'll let you in on a dirty little secret: you can even match on
> interface in your sshd config for things like these

I don't get the secret. Only allow logins from certain IP ranges for each
user/key?

~~~
dsr_
I haven't tried it, but perhaps you can allow passwords from an interface
that's internal, while requiring keys from the outside?

Not much gain. Keys (plus good passphrases, plus a decent manager) are a big
win.
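
What dsr_ is describing can be written as an sshd_config fragment. The following is an added example, not from the linked article or from anyone in this thread. sshd has no literal "interface" criterion; the closest thing is a Match block on LocalAddress (the server-side address the connection arrived on), or on Address for the client's source range. The internal address 192.168.1.1 is an assumption for the example.

```sshd_config
# Global defaults: keys only, no passwords, no direct root.
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no

# Connections that arrived on the internal interface's address
# (assumed 192.168.1.1 for this example) may still use a password,
# e.g. for a break-glass account. Everything after a Match line
# belongs to that block until the next Match or end of file, so
# Match blocks go at the bottom of sshd_config.
Match LocalAddress 192.168.1.1
    PasswordAuthentication yes
```

Connections on the Internet-facing address never hit the Match block and keep the global keys-only settings. You can confirm what a given connection would get without logging in: `sshd -T -C addr=<client-ip>,laddr=192.168.1.1,lport=22 | grep -i passwordauthentication`.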

------
dsr_
If you find yourself in need of iptables blocking large numbers of
discontinuous networks and/or hosts -- a very large blacklist, for instance --
you need ipset, from ipset.netfilter.org
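
As an added example of the point above (not code from the article or from dsr_), here is a small POSIX shell function that turns a plain-text blacklist of IPv4 networks and hosts into an `ipset restore` script. The set name is chosen by the caller, `hash:net` is assumed so hosts and networks share one set, bare hosts are stored as /32, and the sample blacklist at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or any commenter: build an
# `ipset restore` script from a plain-text blacklist, so a large
# discontiguous list costs one hash lookup per packet instead of one
# iptables rule per entry.
#
# Assumptions (not from the page): hash:net so hosts and networks
# share one set; bare addresses are stored as /32; the set name is
# supplied by the caller.

# emit_ipset_restore SETNAME FILE
# Reads FILE (one entry per line; '#' comments and blank lines are
# skipped; anything after the first field is ignored) and prints a
# restore script. Entries containing characters other than digits,
# '.' and '/' are reported on stderr and skipped, so one bad line does
# not abort the whole load.
emit_ipset_restore() {
    set_name=$1
    src=$2
    # ipset's default maxelem is 65536; size the set from the input
    # with headroom so a big list does not fail part-way through.
    n=$(grep -Ev '^[[:space:]]*(#|$)' "$src" | wc -l | tr -d ' ')
    maxelem=65536
    if [ "$((n * 2))" -gt "$maxelem" ]; then
        maxelem=$((n * 2))
    fi
    printf 'create %s hash:net family inet hashsize 1024 maxelem %s\n' \
        "$set_name" "$maxelem"
    grep -Ev '^[[:space:]]*(#|$)' "$src" | while read -r net _; do
        case $net in
            *[!0-9./]*)
                printf 'skipping malformed entry: %s\n' "$net" >&2
                continue ;;
            */*) ;;                  # already carries a prefix length
            *)   net="$net/32" ;;    # single host
        esac
        printf 'add %s %s\n' "$set_name" "$net"
    done
}

# Constructed sample blacklist (documentation ranges, made up here).
sample_blacklist() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# networks seen brute-forcing sshd (constructed for this example)
198.51.100.0/24
203.0.113.7
192.0.2.0/25   trailing notes after the first field are ignored

bad-entry      this line is reported and skipped
EOF
    printf '%s\n' "$tmp"
}

f=$(sample_blacklist)
emit_ipset_restore blacklist "$f"
rm -f "$f"
```

Load the output with `ipset restore < blacklist.ipset` (add `-exist` when reloading over a set that already exists), then reference the set from a single rule: `iptables -I INPUT -m set --match-set blacklist src -j DROP`. To replace a live list without a window where it is half-loaded, generate the script with a second set name, restore that, and `ipset swap` it with the one the rule points at.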

