Ian Cheong wrote:
> At 4:24 pm +1000 26/6/06, David Guest wrote:
>> Peter Machell wrote:
>>>  We have changed our standard to RDP or VNC over SSH access now, using
>>>  PKI authentication (password authentication is turned off), only
>>>  trouble is having to slightly drop the MTU on some cheap modems.
>>
>> For the linux allergic, cygwin installs ssh as a daemon on start up. I
>> have a mate who VNCs in with that. He uses passwords but I agree that PK
>> (without the I) is best.
>>
>> David
>>
> 
> I wasn't happy with allowing password authentication to sshd, as every
> robot can find open port 22. Our firewall reports lots of attacks, which
> the firewall does not stop, since port 22 is open. ssh without addons
> provides *no* protection against brute force attacks. Single factor
> authentication is weak. Public key authentication is still single factor
> authentication, but at least the key length is longer and makes brute
> force attacks harder.

For a sufficiently long but still memorable password containing mixed
case and numbers, quite a lot of brute force is needed... but in
principle you are correct. However, one can always use knockd as an
additional layer of protection against robots looking for open ports:
see
http://manpages.debian.net/cgi-bin/display_man.cgi?id=4ea992e84847c4e8fd7ab92c116192d3&format=html
in which the example of knocking on ports 7000, 8000 and 9000 in quick
succession causes port 22 to be opened for a short period to accept
connections via sshd. Of course, you still need to authenticate via sshd
in the usual fashion. In practice, one would use a longer and more
random series of port knocks. The knock utility is used to conveniently
issue the knock sequence - see
http://manpages.debian.net/cgi-bin/display_man.cgi?id=e0961894c19d5c21681820222cef1f7f&format=html

Note that none of the ports used for the knock sequence are actually
opened - knockd detects that someone has tried to access those ports
(knocked on them), but failed because they are closed.

It works a treat for any non-public service. No good for public-access
Web servers, of course. I am told that it is especially good for getting
around the restriction of certain ISPs on hosted services and incoming
connections, because no open ports are visible to the ISP's port scans -
nor to hacker robots for that matter.

> Like all security, one prefers to be a harder rather than an easier target so
> attackers will move on. Works fine if what you protect has relatively
> little value. A friend recently related a story of hearing a bunch of
> men walking down their back lane one night "don't do that one, it has an
> alarm - see the box over there. This one is well hidden behind the
> fence...."
> 
> sshdfilter may be useful. Anyone know anything about it???
> http://www.csc.liv.ac.uk/~greg/sshdfilter/

Hmmm, looks useful. But try knockd (perhaps in addition, if you are
really paranoid) - with a 5 or 6 random port sequence (for which the
chance of guessing the sequence is vanishingly small). Here is some more
discussion of knockd and ssh:
http://frobnosticate.com/?p=81

Tim C
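The knock sequence described above, modelled as a small detector. This is an added example, not code from the thread or from the knockd project: it watches refused connection attempts per source address, requires ports 7000, 8000 and 9000 in that order within a sequence timeout, and then treats port 22 as open for that source for a short window. The timeout and window values, the sample addresses, and the choice to reset (rather than ignore) an out-of-order knock are assumptions for illustration; real knockd runs a configured command, typically an iptables rule, instead of keeping an in-memory table.

```python
"""Added example: knockd-style port-knock sequence detection (not knockd's own code)."""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # the sequence used in the knockd man page example
SEQ_TIMEOUT = 5.0     # assumed: seconds allowed from first to last knock
OPEN_WINDOW = 10.0    # assumed: seconds the protected port stays open after a good knock


@dataclass
class KnockState:
    index: int = 0        # how many knocks of the sequence this source has completed
    started: float = 0.0  # timestamp of the first knock in the current attempt


class KnockDetector:
    def __init__(self, sequence=KNOCK_SEQUENCE, seq_timeout=SEQ_TIMEOUT,
                 open_window=OPEN_WINDOW):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout
        self.open_window = open_window
        self._progress = {}    # src address -> KnockState
        self._open_until = {}  # src address -> timestamp until which port 22 is open

    def observe(self, src, dst_port, ts):
        """Feed one refused connection attempt; return True if the sequence just completed."""
        state = self._progress.get(src, KnockState())
        # Too slow: the whole sequence must arrive inside seq_timeout, so start over.
        if state.index > 0 and ts - state.started > self.seq_timeout:
            state = KnockState()
        if dst_port != self.sequence[state.index]:
            # Wrong port resets the attempt; an assumed choice is that the stray knock
            # may itself count as a fresh first knock if it hits sequence[0].
            if dst_port == self.sequence[0]:
                state = KnockState(index=1, started=ts)
            else:
                state = KnockState()
            self._progress[src] = state
            return False
        if state.index == 0:
            state.started = ts
        state.index += 1
        if state.index == len(self.sequence):
            # Sequence complete: forget the attempt and open the port for a short window.
            self._progress.pop(src, None)
            self._open_until[src] = ts + self.open_window
            return True
        self._progress[src] = state
        return False

    def is_open(self, src, ts):
        """Would a connection to the protected port from src be accepted at time ts?"""
        until = self._open_until.get(src)
        return until is not None and ts <= until


def replay(events, detector=None):
    """Run (src, dst_port, timestamp) events through a detector; return it and the opens."""
    det = detector or KnockDetector()
    opened = []
    for src, port, ts in events:
        if det.observe(src, port, ts):
            opened.append((src, ts))
    return det, opened


# Constructed sample of refused SYNs, in the form knockd would see them on the wire.
SAMPLE_EVENTS = [
    ("203.0.113.5", 7000, 0.0),   # legitimate admin: correct order, well inside the timeout
    ("203.0.113.5", 8000, 0.4),
    ("203.0.113.5", 9000, 0.9),
    ("198.51.100.9", 7000, 1.0),  # scanner hits the same three ports but out of order
    ("198.51.100.9", 9000, 1.2),
    ("198.51.100.9", 8000, 1.4),
    ("192.0.2.7", 7000, 2.0),     # right order but too slow: 6 s from first to last knock
    ("192.0.2.7", 8000, 4.0),
    ("192.0.2.7", 9000, 8.0),
]

if __name__ == "__main__":
    det, opened = replay(SAMPLE_EVENTS)
    print("port opened for:", opened)
    print("admin accepted at t=5:", det.is_open("203.0.113.5", 5.0))
    print("admin accepted at t=20:", det.is_open("203.0.113.5", 20.0))
```

The two failure cases in the sample are the ones a practitioner should check when tuning a knock configuration: a scanner that sweeps the knock ports in numeric or random order never completes the sequence, and a client on a slow link that exceeds the sequence timeout gets reset rather than accepted. The open window closes by itself, so a knock grants only a brief chance to authenticate to sshd as usual.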
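The brute-force problem Ian raises, and the kind of thing a log-watching tool such as sshdfilter looks for, as an added example that is not sshdfilter's own code: it parses constructed OpenSSH "Failed password" syslog lines and flags any source address that produces five or more failures inside a sixty-second sliding window. The threshold, the window, the hostname and the addresses are assumptions chosen for illustration; a real tool would go on to add a firewall rule for the flagged address, which this example deliberately stops short of.

```python
"""Added example: flag password brute force from sshd log lines (not sshdfilter's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic OpenSSH syslog line for a rejected password, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-password line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
    return ts, m.group("user"), m.group("ip")


def find_brute_forcers(lines, threshold=5, window_seconds=60):
    """Return {ip: time_flagged} for sources with >= threshold failures in any window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # accepted logins and unrelated lines do not count
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one scanner hammering root and guessed names, one admin who
# mistypes a password twice, and one successful public-key login that must not count.
SAMPLE_LOG = [
    "Jun 26 16:24:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2",
    "Jun 26 16:24:04 gw sshd[2103]: Failed password for invalid user test from 198.51.100.9 port 51235 ssh2",
    "Jun 26 16:24:09 gw sshd[2105]: Failed password for root from 198.51.100.9 port 51236 ssh2",
    "Jun 26 16:24:12 gw sshd[2110]: Accepted publickey for tim from 203.0.113.5 port 4000 ssh2",
    "Jun 26 16:24:15 gw sshd[2107]: Failed password for root from 198.51.100.9 port 51237 ssh2",
    "Jun 26 16:24:20 gw sshd[2112]: Failed password for tim from 192.0.2.7 port 40001 ssh2",
    "Jun 26 16:24:25 gw sshd[2109]: Failed password for root from 198.51.100.9 port 51238 ssh2",
    "Jun 26 16:24:31 gw sshd[2111]: Failed password for invalid user oracle from 198.51.100.9 port 51239 ssh2",
    "Jun 26 16:26:40 gw sshd[2120]: Failed password for tim from 192.0.2.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

The sliding window matters more than the raw count: an admin who fumbles a password a couple of times over several minutes never reaches the threshold, while the scanner is flagged on its fifth failure, before the later attempts even arrive. Once password authentication is turned off, as the thread recommends, these lines stop appearing at all and the remaining noise is just connection attempts, which is what the knockd approach hides.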

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
