Owen,

  Openssh with PKI will frustrate all but a high-level attacker targeting you, 
specifically (try not to annoy Hu Jin Tao or Vladimir Putin :-).  Leaving the 
ssh well-known port open to the Internet means your system will constantly 
receive attempts to connect.  It's annoying and uses up cycles and bandwidth.  
Port-knocking and using an alternate port reduce that annoyance considerably.

  If you've got ssh working then scp is a better alternative than ftp.

  If you're feeling mean, you can set up a scheme that answers all ports but, 
with the exception of the ones you're using, returns a TCP window length of 0.  
This is a perfectly valid response when a server can't handle further requests. 
 It basically puts scanning and portmapping programs into an infinite loop, 
however.

  What's scary is that most web-sites hash your password without salt using 
md5.  The dual-GPU systems I purchased earlier can brute force 2.4 billion md5 
hashes per minute per GPU.  More specialized systems with more GPUs or using 
the cloud GPUs can do proportionately better.  Using rainbow tables makes mass 
password guessing (as in the leaked Gawker info) possible.

  I use a formula that includes an element of the web-site with one of several 
standard salts.  I can usually find the right password within the try count.

Ray Parks


----- Original Message -----
From: Owen Densmore [mailto:[email protected]]
Sent: Friday, December 24, 2010 09:05 AM
To: The Friday Morning Applied Complexity Coffee Group <[email protected]>
Subject: Re: [FRIAM] Passwords

> From: "Parks, Raymond" <[email protected]>
> Subject: Re: [FRIAM] Passwords
> 
> Folks,
> 
>  I decided to put my advice about securing home networks in this message, 
> along with password advice. ....

Ray: Would you not trust a PKI system (openssh) with passwords disabled?  What sort 
of vulnerability would it face .. other than someone stealing the private key?  
I had naively assumed it would be secure, and planned a set of tunnels for 
screen sharing, file sharing, and ssh.  That's basically my goal: having lots 
of devices share resources like screen (VNC) and data (ftp/ssh).

The port-knocking scheme seems very interesting and there is a command-line 
client/daemon for several OSs: http://www.zeroflux.org/projects/knock

I completely agree the limited password symbols/length of many sites make 
things a lot harder.  Given some reasonable pass-phrase with unique 
modification for each site makes a lot of sense, but unfortunately the 
differing passwords allowed makes this impossible.

    -- Owen


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
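
Added example, not part of the original thread: the unsalted-MD5 storage Ray describes next to a salted, iterated alternative, with a keyspace estimate at the 2.4 billion MD5/minute/GPU rate quoted in his message. The user names, passwords, function names and the PBKDF2 iteration count are constructed for illustration, and the work estimate assumes one PBKDF2 iteration costs about as much as one MD5.

```python
import hashlib
import hmac
import os

MD5_PER_MIN_PER_GPU = 2.4e9  # rate quoted in the message above

def md5_unsalted(password: str) -> str:
    """The weak scheme: bare MD5, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()

def store(password: str, iterations: int = 200_000) -> dict:
    """Salted, deliberately slow record (PBKDF2-HMAC-SHA256, random salt)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])

def duplicate_digests(stored: dict) -> int:
    """Count accounts whose stored value matches another account's."""
    values = list(stored.values())
    return sum(1 for v in values if values.count(v) > 1)

def minutes_to_exhaust(alphabet: int, length: int, gpus: int = 1,
                       iterations: int = 1) -> float:
    """Minutes to try every password of exactly `length` symbols.
    Assumption: one KDF iteration costs about one MD5 (a simplification)."""
    return alphabet ** length * iterations / (MD5_PER_MIN_PER_GPU * gpus)

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: store(p)["hash"] for u, p in USERS.items()}
    print("accounts sharing a digest, unsalted MD5:", duplicate_digests(weak))
    print("accounts sharing a digest, salted PBKDF2:", duplicate_digests(strong))
    print("8 lowercase letters, bare MD5, 1 GPU: %.0f minutes"
          % minutes_to_exhaust(26, 8))
    print("same keyspace, 200,000 iterations: %.0f years"
          % (minutes_to_exhaust(26, 8, iterations=200_000) / 525_600))
```

Because every record carries its own salt, a table precomputed for one account is useless against any other, and the iteration count multiplies the cost of each guess.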


