On Tue, 2007-06-05 at 12:02 +1000, Zhasper wrote: > It probably makes these types of automated scans, which are relying on > you having common usernames with obvious passwords, less likely to do > bad things to your machine. > > On the other hand, they're already 100% unlikely to access your > machine, assuming you don't have common usernames with obvious > passwords. You can't get better than that.
10% of users will choose a poor password. Better to get ssh to insist on a public key, and then call login so it can ask for their password too. Just running public keys rather than passwords as the first authentication cuts out the username/password scanning traffic from succeeding; leaving just the exploit traffic with a chance. [ If I may rant about Fedora for just a moment. Insisting upon a root password during installation, not testing the strength of it, and then giving root sshd access is just asking for trouble. ] > If you have a more determined attacker - someone who is specifically > focussed on your machine, as opposed to someone scanning the internet > for quick easy targets - they're going to find it no matter what port > you put it on You can use "door knocking" software. sshd doesn't get attached to the network traffic unless a particular pattern of traffic is seen beforehand. This is commonly used to hide the sshd of rootkits from nmap scans, but there is no reason why they can't be used for good rather than evil. I used to do this, but in practice it is painful to do from any host I hadn't set up beforehand (and in that case, why not use a firewall access list). > You've already got this quite locked down. You could take it a step > further by not allowing passwords at all, and relying on the SSH key > you carry on your USB stick to authenticate you. Of course, that again > makes things inconvenient for you - if you left the USB stick at home, > you can't log in. If it gets stolen, not only can you not log in, but > you can't even revoke your key until you get home and get your backup > key on the spare usb stick - meanwhile, whoever stole the key has > (potentially) free access to your machine.. Also, the remote machine can secretly copy your USB key. There's some Windows malware which does that. On a more practical note, the file format for PuTTY is different for that from OpenSSH. Having the key in both formats on the USB disk saves a lot of stuffing about. -- Glen Turner -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
