tightening ssh

Wolfgang S. Rupprecht wolfgang+gnus200511 at dailyplanet.dontspam.wsrcc.com
Mon Nov 21 06:41:37 UTC 2005


Tony Nelson <tonynelson at georgeanelson.com> writes:
> I suggest one of the secure ways to set up SSH:  public key pair or
> encrypted passwords.  And only allow SSH 2.  Public key should be simple
> /enough/ to set up; your user would need to make a key with GPG and put the
> private key in the right place (I think man ssh tells where) and give you
> the public key to put in the right place.

Just to save folks a bit of time, I wrote up a cheat sheet a while ago
for technical folks that weren't really hard-core computer nerds and
were struggling with sshd.

  http://www.wsrcc.com/wolfgang/sshd-config.html

> With strong authentication, you don't need to care about probes anymore.
> Just ignore them.

Yup.  Setting up real public-key authentication is several hundred
orders of magnitude stronger against guessing attacks than changing
the ssh port numbers or adding bad hosts into some IP-level filter
table and hoping the attackers won't guess a good password before they
run out of IP addresses to test from.

(And yes, I did really mean hundreds of orders of magnitude.  An
attacker has 1 chance in 10**308 of guessing the 1024-bit public key
on each try if they follow the same brute-force attack.  Given a
billion tests per second and the whole age of the universe up to this
time, we are still only talking a 1 in 10**281 chance.)


-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
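
A check for the setup discussed in this thread, added here as an example and not part of either poster's message: it reads sshd_config text and reports whether password guessing is still possible. The sample configs are constructed; the code assumes OpenSSH's rule that the first value given for a keyword wins, and its defaults (password and keyboard-interactive login enabled when unset).

```python
import re

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Keyword value" or "Keyword=value"

def parse(text):
    """Return (global settings, Match-block settings); keywords are case-insensitive."""
    glob, overrides, match_cond = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line or "#" comment
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            match_cond = val           # later lines apply only to this condition
        elif match_cond is None:
            glob.setdefault(key, val)  # first value for a keyword wins
        else:
            overrides.append((match_cond, key, val))
    return glob, overrides

def audit(text):
    """List the reasons this config still allows password guessing."""
    glob, overrides = parse(text)
    eff = {k: glob.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public-key authentication is disabled")
    for k in PASSWORD_LIKE:
        if eff[k] != "no":
            findings.append(f"{k} is enabled: passwords can still be guessed")
    for cond, k, v in overrides:
        if k in PASSWORD_LIKE and v.lower() != "no":
            findings.append(f"Match {cond} re-enables {k}")
    return findings

# Constructed samples. WEAK moves the port but leaves passwords on: the
# commented line is ignored and the first "yes" beats the later "no".
WEAK = "Port 2222\n#PasswordAuthentication no\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "Protocol 2\nPubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "key-only login")
```

On a live host, `sshd -T` prints the effective settings and is the authoritative answer; this parser only covers a single file with no `Include` directives.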



