Ray Van Dolson (r...@bludgeon.org)

Hehe, I think the somewhat confusing part about SAS is that you expect
it to be a SCSI disk and have the corresponding performance level, but
that won't necessarily be the case if its got SATA innards. :)

Ray

Ah.  So the description says it's a SATA drive, but I guess the
connector is SAS...

Thanks for the link!

I'm guessing you mean SATA instead of SAS.

I suppose you could perhaps do something with iSCSI or ATAoE to another
similarly configured box and then tie the local corresponding block
device and the ATAoE/iSCSI block device together with RAID1 or LVM...

Don't know how well that'd work vs something drbd with a local, "fast"
device and a remote "slow" device (1Gbps over the network).

Ray

>> 1. Change the default port
> I could do that, but if they already know about it, a simple port scan and
> they'll probably find it again. Plus I gotta go tell all my client
> programs the new port and I don't know how to do that on most of them (what
> a hassle).

If you're talking about people who are just scanning your machine and
then doing brute force on the port, changing the port likely will solve
that since these are just automated robots.  A human might actually do
a portscan, but just a port change will probably stop your security
logs from going crazy.

Of course the hassle part may be a show-stopper here. :)

>> 2. use only SSH protocol 2
> got it.
>> 3. Install some brute force protection which can automatically ban an IP
>> on say 5 / 10 failed login attempts
> The only software I know that could do this isn't supported anymore
> (trisentry) or is too confusing and I don't know it yet (snort).
> Suggestions?

denyhosts is pretty widely used.  You could probably also make use of
iptables.

>> 4. ONLY allow SSH access from your IP, if it's static. Or signup for a
>> DynDNS account, and then only allow SSH access from your DynDNS domain
>>
> Yeah my home account is on dynamic IP. I'd love to setup the firewall to
> only allow my home computer. You're talking about these guys?
> http://www.dyndns.com/ never used them before, but it looks like a good
> idea. Especially since it's free (for 5 hosts) if I read correctly.

Ray

It would certainly set a precedent which definitely carries a lot of
weight in subsequent similar cases.

And you assume too much about my or other's motives.  I think it's a
fair question even in an academic sense whether or not we should or
should not be allowed to redistribute RHEL.  However, probably a
prickly topic so perhaps best not discussed here. :)

I am happy to pay for all copies of RHEL and am fortunate to work at a
company that can afford to. RH does great work for the community.