Security basics

Konstantin Svist fry.kun at gmail.com
Wed Oct 3 22:21:34 UTC 2007


Karl Larsen wrote:
> Alan M. Evans wrote:
>> On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
>>
>>> Changing ports for ssh isn't actually that hot of an idea. Most port scanners
>>> can detect ssh implementations since they normally self-identify. For example,
>>> if you're running ssh on the normal port (22), try executing:
>>>     /usr/bin/telnet YOUR.HOST.IP.ADDR 22
>>> and see what pops out.
>>>
>> Of course. But most attacks aren't scanning every port on your machine
>> and trying to identify unknown services. Mostly they're just going for
>> the low-hanging fruit on the standard port numbers.  
>    This whole line of reasoning is false. I don't care if Hacker, the 
> bad guy, gets on my computer with ssh. He then needs to come up with a 
> valid login name and password. If he fails at this in some set time it 
> all quits.
>
>    Until you can convince me that my system is at risk from ssh when 
> using a real password I am going to sleep well.
If you're the only one who ever SSHes into your system, set it up to use 
public key authentication only and always walk around with a thumbdrive 
that has your private key on it. This will be sufficient to stop all 
non-targeted attacks (by "targeted" I mean someone wants to break into 
your machine specifically; these are normally quite rare and often not 
worth planning against).

Changing SSH ports does not provide any extra security; it simply 
reduces the size of your ssh log file (because the script kiddies will 
not notice it). Another reason is convenience (if, for example, you have 
a router set up to forward ports to ssh on multiple internal machines).

To answer your original question: yes, if you have "passwords that are 
safe for an hour," your computer is safe -- for 1 hour.
With a safe, it's expected that the perpetrator will be caught within 
that hour and will not be allowed to resume the cracking.
With your computer, you might not notice the problem until you look at 
the log (days/weeks later?) and even if you notice it in time, you can't 
apprehend the intruder -- you must block them somehow and not allow them 
to continue hacking, which is pretty hard because they can use 
proxies/etc and appear to come from some other IP address. This is 
pretty much why the safe security ratings don't make much sense in 
the computer world. You must use other techniques to block access: a 
combination of not allowing too many attempts + using public key 
authentication (disabling password authentication) works well enough.

If you can't be bothered with public key authentication, at least set up 
ssh to block attempts after N tries. That, and a good password, can go a 
pretty long way.


HTH
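As an added illustration (not part of the original message) of the "block after N tries" advice above: a small Python checker that counts sshd authentication failures per source address and per account over constructed sample log lines. The per-account view is there because, as noted in the message, an attacker can arrive from many addresses via proxies, so per-IP blocking alone can miss a guessing campaign against one account. The log format, thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog-style sshd lines (no year, as in a 2007-era /var/log/secure).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one noisy source address, one account probed from
# several addresses (an attacker behind proxies), and one legitimate key login.
SAMPLE_LOG = [
    "Oct  3 22:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "Oct  3 22:10:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 4024 ssh2",
    "Oct  3 22:10:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 4026 ssh2",
    "Oct  3 22:12:00 host sshd[1220]: Failed password for karl from 198.51.100.10 port 3001 ssh2",
    "Oct  3 22:12:30 host sshd[1221]: Failed password for karl from 198.51.100.11 port 3002 ssh2",
    "Oct  3 22:13:00 host sshd[1222]: Failed password for karl from 198.51.100.12 port 3003 ssh2",
    "Oct  3 22:15:00 host sshd[1230]: Accepted publickey for kostya from 192.0.2.8 port 50022 ssh2",
]

def parse_line(line, year=2007):
    """Return (timestamp, result, method, user, ip), or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def failures_in_window(times, threshold, window_s):
    """True if at least `threshold` timestamps fall within any `window_s`-second span."""
    times = sorted(times)
    return any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1))

def find_offenders(lines, threshold=3, window_s=600):
    """Source IPs to block, plus accounts whose failures crossed the threshold
    regardless of source (catches attempts spread across many proxy addresses)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[1] != "Failed":
            continue
        by_ip[ev[4]].append(ev[0])    # failures keyed by source address
        by_user[ev[3]].append(ev[0])  # failures keyed by target account
    block_ips = sorted(ip for ip, t in by_ip.items() if failures_in_window(t, threshold, window_s))
    hot_users = sorted(u for u, t in by_user.items() if failures_in_window(t, threshold, window_s))
    return block_ips, hot_users
```

On the sample data the noisy address is flagged for blocking, while the spread-out guessing against "karl" shows up only in the per-account view.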




More information about the users mailing list