Andrew Errington wrote:
I read a rather good article from someone at Mickey$oft about security. He suggested that you give up on the use of passwords altogether. Instead you should use a passphrase. Easy for you to remember, but at 30 or 40 characters, almost impossible to hack.
<snip>
Andrew Errington wrote:
I'm expecting the answer no.
I'd agree with you really. Until you start hosting other services on your servers, there's not too much of a need.
Hmm. That's what I thought.
I would just check and see what ports are open - run an nmap of your server from horse or something - and take any appropriate action. My router has a 'default destination' option, which I don't use! Mind you, you could have some fun with it.
Yes, I've used nmap inside and outside my network to verify what I thought I'd done.
For you, the only real use of a firewall would be to log and stand back in amazement at the number of attempts made on your address!
I get that in auth.log:
Apr 21 13:17:46 virgo sshd[11537]: Connection from 213.202.216.87 port 45651
Apr 21 13:17:46 virgo sshd[11537]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:48 virgo sshd[11539]: Connection from 213.202.216.87 port 45991
Apr 21 13:17:49 virgo sshd[11539]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:51 virgo sshd[11541]: Connection from 213.202.216.87 port 46207
Apr 21 13:17:52 virgo sshd[11541]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:54 virgo sshd[11543]: Connection from 213.202.216.87 port 46545
Apr 21 13:17:54 virgo sshd[11543]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:57 virgo sshd[11545]: Connection from 213.202.216.87 port 46777
213.202.216.87 is in Germany. I have no idea who it is, and it's probably a zombie anyway. I get attempts at logging in as root, news, mail, uucp and so on from all over the world (but mostly China, Korea, India and Romania).
I think of sshd as my front door, with a very narrow bridge leading to it (i.e. it's the only way in), and attempts like this as knocking on the door. I just hope that no-one can jimmy the lock (or rather, I have taken what steps I can to ensure no-one can do that).
Andy
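The auth.log excerpt above is exactly the kind of thing a small script can watch for: bursts of connections from one address within a few seconds, and the list of usernames each address tries. The following is an added example, not code from anyone on this list. The sample log is constructed to match the OpenSSH message formats quoted in the thread (the "Connection from" lines, plus "Invalid user", "Failed password" and "Accepted publickey" lines in their standard form); the second address, 192.0.2.10, the user "andy", and the year (syslog timestamps carry none, so 2005 is a placeholder) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, modelled on the auth.log excerpt in the thread.
# The German address and the user names (root, news, uucp) are from the
# thread; 192.0.2.10 (a TEST-NET address) and the "andy" login are made up.
SAMPLE_AUTH_LOG = """\
Apr 21 13:17:46 virgo sshd[11537]: Connection from 213.202.216.87 port 45651
Apr 21 13:17:46 virgo sshd[11537]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:47 virgo sshd[11537]: Invalid user news from 213.202.216.87
Apr 21 13:17:48 virgo sshd[11539]: Connection from 213.202.216.87 port 45991
Apr 21 13:17:49 virgo sshd[11539]: Enabling compatibility mode for protocol 2.0
Apr 21 13:17:50 virgo sshd[11539]: Failed password for root from 213.202.216.87 port 45991 ssh2
Apr 21 13:17:51 virgo sshd[11541]: Connection from 213.202.216.87 port 46207
Apr 21 13:17:54 virgo sshd[11543]: Connection from 213.202.216.87 port 46545
Apr 21 13:17:57 virgo sshd[11545]: Connection from 213.202.216.87 port 46777
Apr 21 13:17:58 virgo sshd[11545]: Failed password for invalid user uucp from 213.202.216.87 port 46777 ssh2
Apr 21 14:02:10 virgo sshd[12001]: Connection from 192.0.2.10 port 50000
Apr 21 14:02:11 virgo sshd[12001]: Accepted publickey for andy from 192.0.2.10 port 50000 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")

# Message patterns we care about; "connection" yields only an address,
# the others yield (user, address).
PATTERNS = [
    ("connection", re.compile(r"^Connection from (\S+) port \d+")),
    ("invalid_user", re.compile(r"^Invalid user (\S+) from (\S+)")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+)")),
    ("accepted", re.compile(r"^Accepted \S+ for (\S+) from (\S+)")),
]


def parse_auth_log(text, year=2005):
    """Turn sshd lines into event dicts; lines we don't recognise are skipped.

    syslog timestamps have no year, so the caller supplies one (placeholder
    default); it only matters for ordering and window arithmetic.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        month, day, clock, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        for kind, pat in PATTERNS:
            pm = pat.match(msg)
            if not pm:
                continue
            if kind == "connection":
                user, ip = None, pm.group(1)
            else:
                user, ip = pm.group(1), pm.group(2)
            events.append({"ts": ts, "pid": int(pid), "kind": kind, "ip": ip, "user": user})
            break
    return events


def find_bursts(events, threshold=5, window_seconds=15):
    """Return {ip: most connections seen in any window_seconds span}
    for every address that reaches the threshold (sliding window per IP)."""
    times = defaultdict(list)
    for e in events:
        if e["kind"] == "connection":
            times[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def summarise_failures(events):
    """Usernames tried per source address, taken from the 'Invalid user'
    and 'Failed password' lines (the root/news/uucp pattern from the thread)."""
    users = defaultdict(set)
    for e in events:
        if e["kind"] in ("invalid_user", "failed_password"):
            users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items()}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in find_bursts(evs).items():
        print(f"burst: {n} connections from {ip} within 15s")
    for ip, names in summarise_failures(evs).items():
        print(f"{ip} tried: {', '.join(names)}")
```

On the sample, the German address is reported as a burst of five connections inside fifteen seconds and as having tried news, root and uucp, while the single key-based login is left alone. Run against the real file (`parse_auth_log(open('/var/log/auth.log').read())`) the thresholds are the knobs to tune: a legitimate user reconnecting a few times should stay under them, a script walking through a username list should not.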
Need to check what combinations of auth servers will support that idea.
(Needless to say, I haven't actually got round to doing anything about it!)
Steve
