Dan Noe wrote:
> On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote:
> 
>>I configure my sshd to only allow public key-based authentication. I use
>>1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
>>centuries if they want, and they won't come any closer to getting in. I
>>personally don't see a huge point to blocking attacks, but only if
>>you're set up securely.
> 
> Disallowing password authentication isn't something that works for
> everyone (along with port knocking, running SSH on an odd port, etc).  I
> run a server which allows public access to many people. I try to make
> sure passwords are secure and SSHv1 is disabled, but I really can't be
> locking down any more severely.

Circumstances understood. I think too many people however err towards
laziness in this scenario. Password authentication is terrible - plain
and simple. Passwords are difficult to keep strong. Cracklib helps in
making sure most kinds of weak passwords are caught, but you can
certainly get by it. Besides, with ssh agents available for all popular
platforms, there is no reason that *most* people couldn't use RSA auth
for their SSH servers.

> In almost all of these cases the machine in question has been
> compromised and is being used by a 3rd party cracker to scan for more
> vulnerable boxen (creating botnets).  If you, as an admin, are willing
> to spend 5 minutes reporting these attacks you've potentially shut down
> zombie boxes and you are doing the administrator and the ISP a huge
> favor.

You've obviously had much better luck with abuse@ contacts than I have.
I have found the few that I've tried to be complete wastes of time.

DS
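A way to verify the lockdown the quoted message describes (public-key only, SSHv2 only) against an sshd_config file, added here as an example and not code from this thread or from OpenSSH; it assumes the standard OpenSSH keyword names and OpenSSH's rule that the first occurrence of a keyword wins, and the sample configs are constructed inline:

```sh
#!/bin/sh
# Added example (not from the thread): check an sshd_config for the
# key-only, SSHv2-only policy. sshd uses the FIRST occurrence of a keyword.
sshd_directive() {
    # $1 = config file, $2 = keyword; keywords are case-insensitive
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }              # skip comment lines
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if the file enforces public-key-only logins over SSHv2, else 1.
# Missing directives fall back to OpenSSH defaults (passwords allowed).
sshd_keyonly_check() {
    cfg="$1"; rc=0
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    cr=$(sshd_directive "$cfg" ChallengeResponseAuthentication)
    pk=$(sshd_directive "$cfg" PubkeyAuthentication)
    proto=$(sshd_directive "$cfg" Protocol)
    [ "${pw:-yes}" = no ] || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "${cr:-yes}" = no ] || { echo "ChallengeResponseAuthentication is not 'no'"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "PubkeyAuthentication is not 'yes'"; rc=1; }
    # Protocol absent = 2 (modern OpenSSH has no SSHv1); "2,1" still offers v1
    [ "${proto:-2}" = 2 ] || { echo "Protocol is '$proto', SSHv1 still offered"; rc=1; }
    return $rc
}

# Constructed sample configs for the demonstration.
weak=$(mktemp); hard=$(mktemp)
printf 'Protocol 2,1\nPubkeyAuthentication yes\n' > "$weak"
printf 'Protocol 2\nPubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$hard"
sshd_keyonly_check "$weak" || echo "weak config rejected as expected"
sshd_keyonly_check "$hard" && echo "hardened config accepted"
rm -f "$weak" "$hard"
```

Run it against the live file with `sshd_keyonly_check /etc/ssh/sshd_config`; on a modern OpenSSH, `sshd -T` prints the effective values and is the authoritative check.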