Re: How do I prevent unauthorized ssh login attempts?
- From: Kevin Hunter <hunteke@xxxxxxxxxxx>
- Date: Thu, 26 Apr 2007 12:51:48 -0400
At 11:22a -0400 on 26 Apr 2007, Hal wrote:
> On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote:
>> In general, utilizing public/private keys for remote authentication is /much/ more secure than passwords.
> There is some debate about which is more secure
> public/private keys or username/password.
Yep, thank you for that reminder. :-) I suppose we now know what I'm arguing!
> With public/private keys anyone who has
> access to your machine has access to any machine
> your machine has a key on.
Without a passphrase, I'd agree. The key word that I made sure to put in was 'remote'. With passphrases, it becomes a two-step authentication, one locally to unlock the private key, and one remotely to at least confirm that you have the other half of the key.
The other thing that I personally like about public/private key combinations is that for the more lazy of us, we don't always check the fingerprint matches. If I decide to log on to a remote machine to which I've not logged directly on before (e.g. a company NFS-shared home directory), then I can be assured that I'm not falling victim to a man-in-the-middle attack; I can blindly accept the fingerprint, and if it hangs, I can guess that I'm in the middle of an attack attempt, and try another avenue to get where I'm going.
> With username/password protection is only as
> strong as your password. But your password is
> needed.
Yep. I agree.
> So... Use a firewall which limits access to only machines
> you are willing to let in.
Yep. I agree. See Bill's page about limiting number of connections per time frame as well.
> Use hosts.allow to further restrict access to ssh.
Yep. I agree.
> Change the ssh port to something not generally known.
This I place into the category of security-through-obscurity, which I don't find a particularly comforting method. So it adds a single extra layer, but if a cracker is worth her/his salt, it's easily discovered and, in my opinion, not worth the extra effort it takes me to type -p <PORT> every time. (Yes, I could use an alias or some such, but that's still extra thought-power that I'd rather place elsewhere.)
> In sshd_config use the AllowUsers parameter to allow
> specific users to have access to ssh.
Yep. I agree.
I think that in the end, for those who are security conscious, such as presumably you and me, the specifics of how we do it become largely a moot point or highly dependent on what it is that we're securing. My personal preference is to follow the 80/20 rule. I don't have 100% of my time to devote to doing the exact right thing. But I do have 20% of my time to devote to doing 80% of the exact right thing. If/when that becomes a problem, I'll reevaluate my approach.
On that note, you may know better than I do: is there a web page or blog somewhere that coalesces all the different things that should be done/are currently best-practice to secure a system? Especially to a *BSD noob?
Thanks,
Kevin
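The sshd_config measures discussed in this message (AllowUsers, and keys rather than passwords) can be checked mechanically. The following is an added example, not part of the original post: a small audit of the global section of an sshd_config, where the sample file, user names and the function names `parse_global` and `audit` are all constructed for illustration.

```python
import re

# Constructed sample; the user names and address pattern are placeholders.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
passwordauthentication no
PasswordAuthentication yes
AllowUsers alice
AllowUsers bob@192.0.2.*
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Keyword, then whitespace or an optional '=', then the arguments.
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def parse_global(text):
    """Return (first-value settings, AllowUsers patterns) for the global section."""
    first, allow = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line or '#' comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # conditional blocks are not evaluated here
            break
        if key == "allowusers":
            allow.extend(value.split())    # this keyword accumulates across lines
        else:
            first.setdefault(key, value)   # sshd uses the first value it obtains
    return first, allow

def audit(text):
    """List which of the thread's sshd_config measures are not in place."""
    first, allow = parse_global(text)
    findings = []
    if not allow:
        findings.append("AllowUsers is not set; ssh is not limited to named users")
    if first.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not set to 'no' in the global section")
    return findings

if __name__ == "__main__":
    settings, users = parse_global(SAMPLE_CONFIG)
    print("port:", settings.get("port", "unset"), "| AllowUsers:", users)
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Keywords are matched case-insensitively and the first value wins, so the later `PasswordAuthentication yes` in the sample has no effect; the `Match` block, which re-enables passwords for one address range, is outside what this check evaluates and needs a separate look.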