On Fri, 2010-03-12 at 10:24 +1300, Jim Cheetham wrote:
> On Thu, Mar 11, 2010 at 9:55 PM, Steve Holdoway <[email protected]> wrote:
> > no - still being prompted for a password...
>
> Steve, I hope you're testing with ssh -v so you can see all the
> methods the ssh server is advertising.
>
> Rob, I hope you've set "PasswordAuthentication no" in
> /etc/ssh/sshd_config (and restarted sshd). I also hope that you have
> whitelisted places you know you might be connecting from in
> /etc/hosts.allow :-)
>
> Hads, you're right that a connection attempt denied by sshd can move
> on to the next authentication method, which often means that you get
> asked for a password. However, denyhosts logs IP addresses in
> /etc/hosts.deny, and sshd is usually compiled to look at tcpwrappers,
> so people who have failed to login too many times will eventually get
> no ACK from sshd at all.
>
> -jim
I'm as risk averse as the next person - probably more than some, having fought hackers since the interweb was invented in my role as a sysadm. However...

For a couple of weeks away, I wouldn't bother with the obscurity bit in that way, rather just disable root login so they have to guess the user account and password before denyhosts closes them out. This is a pretty huge block for any prospective hacker, especially if you chose your login carefully off the bottom of the common account names list. In fact, outside a corporate environment, I'd say it's all you need(*).

Yes, some may say that you need to take distributed hack attempts into account but... well, risk is a subjective viewpoint, and mine is that it's an acceptable one to take - even more so if you use a dynamic DNS service and can persuade your router to acquire a new IP address on a regular basis.

The bit about password authentication is OK if you're going to use your own lappie, but if you're going to borrow a PC to check stuff, then carrying around your private key is going to be a real pain. Use of internet cafes brings up a new list of potential security issues, of course.

BTW, if you are taking a lappie with you, then I'd set OpenVPN up and restrict the ssh server to listen only on that subnet.

Cheers,

Steve

(*) at the moment!

-- 
Steve Holdoway <[email protected]>
http://www.greengecko.co.nz
MSN: [email protected]
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
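As an added example (not from the thread), a small checker for the sshd settings the thread recommends: it reads an sshd_config, honours sshd's rule that the first occurrence of a keyword wins (a duplicated PermitRootLogin set to "no" further down is silently ignored), skips anything after the first Match block, and reports whether root login and password authentication are off and whether sshd is bound to a specific address such as the OpenVPN subnet. The sample config is constructed for illustration; the keyword names and semantics are those of sshd_config(5).

```python
import re
from typing import Dict, List

# Constructed sample sshd_config. Note the duplicated PermitRootLogin:
# sshd uses the FIRST value it sees, so the later "no" has no effect.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

WILDCARDS = {"", "0.0.0.0", "::"}

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased keyword -> values in file order (global section only)."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":                        # conditional blocks start here
            break
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings

def effective(settings: Dict[str, List[str]], key: str, default: str) -> str:
    """First occurrence wins, as sshd does; fall back to the given default."""
    values = settings.get(key.lower())
    return values[0] if values else default

def _host(addr: str) -> str:
    """Strip an optional port from 'host:port' or '[v6addr]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def audit(text: str) -> Dict[str, bool]:
    """Evaluate the hardening points raised in the thread against a config."""
    s = parse_sshd_config(text)
    # Built-in defaults: PermitRootLogin is "yes" on old releases and
    # "prohibit-password" on newer ones (neither is "no"); PasswordAuthentication
    # defaults to "yes"; with no ListenAddress sshd binds every interface.
    listen = s.get("listenaddress", [])
    return {
        "root_login_disabled": effective(s, "PermitRootLogin", "yes").lower() == "no",
        "password_auth_disabled": effective(s, "PasswordAuthentication", "yes").lower() == "no",
        "bound_to_specific_address": bool(listen) and all(_host(a) not in WILDCARDS for a in listen),
        "duplicate_permitrootlogin": len(s.get("permitrootlogin", [])) > 1,
    }

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{check:28s} {'OK' if ok else 'REVIEW'}")
```

Remember that a Match block can still re-enable password authentication for particular users or addresses, as the sample does for "backup", so review those blocks by hand after the global check passes.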