On 11/21/05, Wolfgang S. Rupprecht >
Yup. Setting up real public-key authentication is several hundred orders of magnitude stronger against guessing attacks than changing the ssh portnumbers or adding bad hosts into some IP level filter table and hoping the attackers won't guess a good password before they run out of IP addresses to test from.
(And yes, I did really mean hundreds of orders of magnitude. An attacker has 1 chance in 10**308 of guessing the 1024-bit public key on each try if they follow the same brute-force attack. Given a billion tests per second and the whole age of universe up to this time, we are still only talking a 1 in 10**281 chance.)
Even harder, if there's a password on that key. The other part of this discussion, I thought, was the DoS-ability of these ssh attacks. That is, do these ssh attacks prevent legitmate users from accessing regardless of the authentication mechanism configured for sshd?
-- Jiann-Ming Su "I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman "The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble