At 4:24 pm +1000 26/6/06, David Guest wrote:
> Peter Machell wrote:
>> We have changed our standard to RDP or VNC over SSH access now, using
>> PKI authentication (password authentication is turned off), only
>> trouble is having to slightly drop the MTU on some cheap modems.
>
> For the Linux allergic, Cygwin installs ssh as a daemon on start up. I
> have a mate who VNCs in with that. He uses passwords but I agree that PK
> (without the I) is best.
> David

I wasn't happy with allowing password authentication to sshd, as
every robot can find open port 22. Our firewall reports lots of
attacks, which the firewall does not stop, since port 22 is open. ssh
without add-ons provides *no* protection against brute force attacks.

Single factor authentication is weak. Public key authentication is
still single factor authentication, but at least the key length is
longer and makes brute force attacks harder.

Like all security, one prefers to be a harder to an easier target so
attackers will move on. Works fine if what you protect has relatively
little value. A friend recently related a story of hearing a bunch of
men walking down their back lane one night: "don't do that one, it has
an alarm - see the box over there. This one is well hidden behind the
fence...."

sshdfilter may be useful. Anyone know anything about it?
http://www.csc.liv.ac.uk/~greg/sshdfilter/

Ian.
--
Dr Ian R Cheong, BMedSc, FRACGP, GradDipCompSc, MBA(Exec)
Health Informatics Consultant, Brisbane, Australia