At 11:37 PM -0800 1/17/06, Dave Walcott wrote:
>On Jan 17, 2006, at 10:47 PM, Dan Shoop wrote:
>>You should be dropping this traffic at the network border, using
>Dropping what traffic, exactly?
SSH traffic from non-trusted hosts.
>The server, in this case, *is* the firewall, and SSH needs to be on.
Which is exactly your problem. You're using your server and a packet
filter to do the job of a firewall, which OS X Server isn't well
>>Why should you need this? You should be DENYing any unknown traffic
>>and only ALLOWing any trusted traffic.
>Correct: allowed traffic includes SSH, as above.
No, you want to be more restrictive, that's the point of a real firewall.
> Firewalls (at least ones that my client can afford) can't
>intelligently parse traffic based on incorrect login attempts to a
>machine on the LAN.
Anyone can afford a firewall. I've mentioned just in the last week on
this list that the Linksys WRT54GS is quite capable when flashed with
third-party firmware such as Sveasoft's or OpenWRT. For under $75 you
can have what you need, and that $75 is money well spent in terms of
your time and effort trying to herd this task elsewhere.
>>>Anyone know how I can get IP addresses to show up in my logs? Many
>>>thanks in advance...
>>And what would you do with it if you had it?
>Have a look at the denyhosts FAQ to find out. Specifically, I'd
>"drop this traffic at the network border, using my firewall."
Which again is not a good idea.
>>I smell wool.
>That's nice, Dan, but do you know how to do it? :)
With a firewall at the border, not a server trying to pretend to do
the job. By the time the traffic gets to the server you're too late.
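As an added illustration of the two positions in this exchange (not code from either participant): the denyhosts-style approach reads sshd's log to find the offending sources, while the border-firewall approach Dan argues for is default-deny, forwarding SSH only from trusted networks, so untrusted sources never reach the server at all. The log lines below are constructed for the example (documentation-range addresses; the last line logs a hostname instead of an IP, the situation the original poster was asking about), the trusted network 192.0.2.0/24 is an assumption, and the iptables rendering is a hypothetical target that is only generated, never executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines for this example (not from the thread). Addresses are
# from the documentation ranges; the last line shows a hostname instead of an IP.
SAMPLE_LOG = """\
Jan 17 23:01:02 srv sshd[4021]: Failed password for root from 203.0.113.45 port 51822 ssh2
Jan 17 23:01:04 srv sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Jan 17 23:01:09 srv sshd[4025]: Failed password for invalid user test from 198.51.100.7 port 4401 ssh2
Jan 17 23:02:11 srv sshd[4030]: Accepted publickey for dave from 192.0.2.10 port 50001 ssh2
Jan 17 23:02:30 srv sshd[4031]: Failed password for root from 203.0.113.45 port 51901 ssh2
Jan 17 23:03:02 srv sshd[4033]: Failed password for root from scanner.example.net port 3344 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def failed_logins(log_text):
    """Count failed SSH logins per source, keyed by whatever sshd logged after 'from'
    (an IP address, or a hostname if the daemon resolved it)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_ip(token):
    """True if the logged source is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


class BorderPolicy:
    """Default-deny border policy: SSH (tcp/22) is forwarded only from trusted networks.
    Everything else is dropped before it reaches the server."""

    def __init__(self, trusted_nets):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def allows_ssh(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.trusted)

    def to_iptables(self):
        """Render the policy as iptables rules for a Linux-based border box (hypothetical
        target; the commands are only generated here, never executed)."""
        rules = [
            "iptables -P INPUT DROP",
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        ]
        for net in self.trusted:
            rules.append(f"iptables -A FORWARD -p tcp -s {net} --dport 22 -j ACCEPT")
        # Anything else aimed at port 22 is logged, then falls through to the DROP policy.
        rules.append("iptables -A FORWARD -p tcp --dport 22 -j LOG --log-prefix 'SSH-DROP: '")
        return rules


def evaluate(log_text, policy):
    """Split the sources seen in the log into those the border policy would still let
    through to sshd and those that were logged as hostnames and cannot be checked."""
    reaching, unresolvable = [], []
    for src in failed_logins(log_text):
        if not is_ip(src):
            unresolvable.append(src)
        elif policy.allows_ssh(src):
            reaching.append(src)
    return sorted(reaching), sorted(unresolvable)


if __name__ == "__main__":
    policy = BorderPolicy(["192.0.2.0/24"])  # assumed trusted network for the example
    print(failed_logins(SAMPLE_LOG))
    print(evaluate(SAMPLE_LOG, policy))
    print("\n".join(policy.to_iptables()))
```

With the assumed trusted network, none of the brute-forcing sources in the sample log would be forwarded by the border policy, which is the point of dropping at the border rather than reacting on the server; the hostname-only line shows why a log-driven blocklist needs literal addresses to act on at all.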