Re: Security basics

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Karl Larsen wrote:

Alan M. Evans wrote:

On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
Changing ports for ssh isn't actually that hot of an idea. Most port scanners can detect ssh implementations since they normally self-identify. For example, 
if you're running ssh on the normal port (22), try executing:
    /usr/bin/telnet YOUR.HOST.IP.ADDR 22
and see what pops out.

Of course. But most attacks aren't scanning every port on your machine
and trying to identify unknown services. Mostly they're just going for
the low-hanging fruit on the standard port numbers.
This whole line of reasoning is false. I don't care if Hacker, the bad guy, gets on my computer with ssh. He then needs to come up with a valid login name and password. If he fails at this in some set time it all quits.
Until you can convince me that my system is at risk from ssh when using a real password I am going to sleep well.
If you're the only one who ever SSHes into your system, set it up to use public key authentication only and always walk around with a thumbdrive that has your private key on it. This will be sufficient to stop all non-targeted attacks (by "targeted" I mean someone wants to break into your machine, specifically. These are normally quite rare and often not worth planning against). Changing SSH ports does not provide any extra security, it simply reduces the size of your ssh log file (because the script kiddies will not notice it). Another reason is convenience (if, for example, you have a router set up to forward ports to ssh on multiple internal machines).
To answer your original question: yes, if you have "passwords that are safe for an hour," your computer is safe -- for 1 hour. With a safe, it's expected that the perpetrator will be caught within that hour and will not be allowed to resume the cracking. With your computer, you might not notice the problem until you look at the log (days/weeks later?) and even if you notice it in time, you can't apprehend the intruder -- you must block them somehow and not allow them to continue hacking, which is pretty hard because they can use proxies/etc and appear to come from some other IP address. This is pretty much why the safe security ratings don't make much sense in computer world. You must use other techniques to block access: a combination of not allowing trying too many times + using public key authentication (disabling password authentication) works well enough.
If you can't be bothered with public key authentication, at least set up ssh to block attempts after N tries. That, and a good password, can go a pretty long way. 


HTH

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux