
sshguard: Protection for OpenSSH (Linux.com)

Posted Mar 6, 2007 22:15 UTC (Tue) by drag (subscriber, #31333)
In reply to: sshguard: Protection for OpenSSH (Linux.com) by HappyCamp
Parent article: sshguard: Protection for OpenSSH (Linux.com)

I like public private keypairs in addition to a passphrase.

If I wanted a secure ssh installation I'd just remove all ability to login with a password.

sshguard: Protection for OpenSSH (Linux.com)

Posted Mar 6, 2007 22:25 UTC (Tue) by nix (subscriber, #2304) [Link]

There are people who still *allow* PasswordAuthentication over the open
internet?

Dictionary attacks aside, passwords are so... *short*, and anyway, they're
only something you know. At least using a passphrased key adds something
you have to that list. (I'm not sure how to add something you are, really.
Biometric ssh, no thank you, I have a good few cronjobs which want to ssh
around the place :) )
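As an added illustration of the key-only setup drag and nix are describing (example code written for this page, not from any of the commenters): a small POSIX shell audit that reports whether an sshd_config still lets a password prompt reach the network, plus the hardened fragment that turns every such path off. It assumes a standard awk, reads the first uncommented occurrence of each keyword the way sshd does, and skips Match blocks; the keywords used (PasswordAuthentication, KbdInteractiveAuthentication, its older spelling ChallengeResponseAuthentication, PermitEmptyPasswords, PubkeyAuthentication, PermitRootLogin) are real sshd_config options, while the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the comments above: audit an sshd_config for the
# password-login settings this thread is about, and print the hardened
# fragment that turns them off. File paths passed in are the caller's choice.

# sshd_option FILE KEY: print the effective value of KEY in lower case.
# sshd takes the FIRST uncommented occurrence of a keyword, so we stop at the
# first hit; anything inside a "Match" block is ignored here for simplicity.
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: return 0 when no password-style login is reachable from
# the network, 1 otherwise, naming each weak or defaulted setting.
audit_sshd() {
    f=$1; rc=0
    pw=$(sshd_option "$f" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "PasswordAuthentication=${pw:-yes} (sshd default is yes; want no)"; rc=1
    fi
    # Keyboard-interactive (PAM) is a second road to a password prompt; the
    # keyword was renamed from ChallengeResponseAuthentication in OpenSSH 8.7.
    cr=$(sshd_option "$f" ChallengeResponseAuthentication)
    kbd=$(sshd_option "$f" KbdInteractiveAuthentication)
    if [ "${kbd:-${cr:-yes}}" != "no" ]; then
        echo "KbdInteractiveAuthentication=${kbd:-${cr:-yes}} (want no)"; rc=1
    fi
    if [ "$(sshd_option "$f" PermitEmptyPasswords)" = "yes" ]; then
        echo "PermitEmptyPasswords=yes (want no)"; rc=1
    fi
    pk=$(sshd_option "$f" PubkeyAuthentication)
    if [ "${pk:-yes}" != "yes" ]; then
        echo "PubkeyAuthentication=$pk (want yes, or nobody can log in at all)"; rc=1
    fi
    return $rc
}

# hardened_fragment: the settings drag and nix describe, ready to append to
# sshd_config (or to drop into sshd_config.d/ on newer OpenSSH).
hardened_fragment() {
    cat <<'EOF'
# Keys only: no password prompt of any kind from the network
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# root may use a key but never a password (older sshd spells this without-password)
PermitRootLogin prohibit-password
EOF
}

# Usage (as root, after putting your public key in place first!):
#   audit_sshd /etc/ssh/sshd_config || hardened_fragment >> /etc/ssh/sshd_config
```

Run the audit before and after editing, and keep an existing session open while you restart sshd: once PasswordAuthentication is off, a missing or mis-permissioned authorized_keys file locks you out rather than falling back to a password.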

sshguard: Protection for OpenSSH (Linux.com)

Posted Mar 7, 2007 1:51 UTC (Wed) by yarikoptic (subscriber, #36795) [Link]

I found simple knocking (even 1-port knocking, which gets closed by "knocking" on nearby ports) very useful and easy to set up natively with iptables (see http://www.shorewall.net/PortKnocking.html) - it pretty much eliminated my need for fail2ban for ssh blocking (I still use it with the following filters: apache-attacks, apache-noscript, apache-attacks-gb, apache-badbots, ssh, sasl, apache, courierauth, exim4-abuse, some of which are custom crafted and some are 'stock')

portknocking

Posted Mar 8, 2007 23:45 UTC (Thu) by ldo (subscriber, #40946) [Link]

I found simple knocking (even 1-port knocking, which gets closed by "knocking" on nearby ports) very useful and easy to set up natively with iptables...

If SSH is like an iron door, then port knocking is like putting an extra layer of cardboard on top of it to try to make it stronger. As a security measure, port knocking is laughable. It's a pushover for something as elementary as a replay attack.

As for those SSH password guessers, they're never going to get in if you have good passwords. You can enforce this on your users through appropriate system configuration. And of course you can run your own password-cracking tools, like John the Ripper, just to make sure.

portknocking

Posted Mar 9, 2007 1:12 UTC (Fri) by yarikoptic (subscriber, #36795) [Link]

Well, taking the cardboard analogy further, it is a cardboard which hides where the lock is.

Thus it might help prevent
* DoS attacks
* log spamming
* etc

So it is good for what it is worth: now my daily logwatch is clean and any entry which would report a malicious attempt to login would trigger my interest in that event (as opposed to going through lengthy lists of failed attempts from dictionary attacks).
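The single-port knock yarikoptic describes (one port opens, the ports on either side of it close again), written out as iptables rules with the recent match. This is an added example for this page, not the Shorewall recipe linked above and not any commenter's actual configuration; the port numbers (1600 to open, 1599 and 1601 to close), the 30-second window, the list name and the function names are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the comments above: a single-port knock expressed
# as iptables "recent" rules. One SYN to the knock port adds the source
# address to a list; a SYN to either neighbouring port removes it again;
# SSH SYNs are accepted only from listed sources inside a short window.
# The rules are APPENDED to INPUT, so they must precede any earlier blanket
# ACCEPT for the SSH port to have any effect.

# knock_rules OPEN_PORT SSH_PORT SECONDS LIST: print the rule set, one
# iptables command per line, without running anything.
knock_rules() {
    open=$1; ssh=$2; secs=$3; list=$4
    below=$((open - 1)); above=$((open + 1))
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn --dport $below -m recent --name $list --remove -j DROP
iptables -A INPUT -p tcp --syn --dport $above -m recent --name $list --remove -j DROP
iptables -A INPUT -p tcp --syn --dport $open -m recent --name $list --set -j DROP
iptables -A INPUT -p tcp --syn --dport $ssh -m recent --name $list --rcheck --seconds $secs -j ACCEPT
iptables -A INPUT -p tcp --syn --dport $ssh -j DROP
EOF
}

# knock_rule_count OPEN SSH SECS LIST: number of rules generated (sanity check
# before applying; every line must be an iptables command).
knock_rule_count() {
    knock_rules "$@" | grep -c '^iptables '
}

# Print by default; apply only when asked explicitly, as root: ./knock.sh --apply
# Environment overrides: KNOCK_PORT, SSH_PORT, KNOCK_SECS, KNOCK_LIST.
if [ "${1:-}" = "--apply" ]; then
    knock_rules "${KNOCK_PORT:-1600}" "${SSH_PORT:-22}" "${KNOCK_SECS:-30}" "${KNOCK_LIST:-SSHKNOCK}" | sh -e
else
    knock_rules "${KNOCK_PORT:-1600}" "${SSH_PORT:-22}" "${KNOCK_SECS:-30}" "${KNOCK_LIST:-SSHKNOCK}"
fi
```

Two things to keep in mind, both already raised in this thread. The knock is a fixed port number sent in clear, so ldo's replay objection stands: anyone who can watch the wire can repeat it, and the rules above add no authentication of their own. Their value is the one yarikoptic claims, namely that sshd never sees the dictionary-attack traffic, so the log stays quiet and key-only authentication behind the knock does the real work. The "close" ports also mean that a sequential scan of that port range opens and immediately re-closes the list entry, which is why a scanner rarely ends up with the SSH port open.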

sshguard: Protection for OpenSSH (Linux.com)

Posted Mar 7, 2007 5:39 UTC (Wed) by k8to (subscriber, #15413) [Link]

If you want to be able to log into your system from anywhere, then passwords are pretty much necessary for ssh. You can try to cart around your key on a pen drive or whatever, but there will be plenty of situations where you can't access it.

The problems this exposes you to are sometimes large enough to simply live without this ability, but sometimes the reverse is true.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds