On 15 December 2011 16:34, Jake Shipton <jakems@xxxxxxxxxxxxxxxxx> wrote:
> On 15/12/11 15:23, Robert Moskowitz wrote:
>> I will provide a disclaimer up front that I work in the security field,
>> but I design security protocols (e.g. co-chaired IPsec, author of HIP,
>> contributor to 802.11i) and OS security I learn from osmosis from my
>> colleagues.
>
> I myself am not working within the security field. I am simply passing
> on advice from what I have learned over the years :-) (Well, part of it)
>
>> On 12/15/2011 08:08 AM, Jake Shipton wrote:
>>>> "Joe Zeff" <joe@xxxxxxx>
>>
>> For a good analysis of the problem with passwords see:
>>
>> http://www.cryptosmith.com/password-sanity
>>
>> Richard has a very good book on Authentication that I once taught a
>> class from...
>>
> I only have open what I need, and I usually forward local ports to the ones
> needed. For example, my SSH (not actual ports):
>
> I would have, say, port 1000 locally forwarded via the firewall to port 22,
> but still block 22. So an attempt to go straight to 22 will not work;
> however, port 1000 would take them to port 22 (and good luck to them when
> they get there.....)
>
> PS: I don't actually use port 1000, I use another. I would change port
> 22 directly via sshd_config, but every time I did SSH broke in some way
> or another, so I just forwarded it instead haha :-).
>
>>> For example, you said you have no idea what SSH is; if I remember
>>> correctly this is enabled by default.
>>
>> Yes it is. Sitting on port 22, and EVERY script kiddie out there knows
>> that and 'knocks' with common userids and passwords. If you really need
>> the SSH server, at least move it to another port and/or implement
>> shorewall with port knocking defense on ssh (well documented in the
>> shorewall docs). Just the number of entries in logwatch, if you have it
>> up and on port 22, is annoying and part of the reason I have moved it to
>> a different port.
> Oh most definitely, and if you're serious about using SSH and you need it,
> make sure you disable root login. That will be the account script
> kiddies will be after, and if it's disabled, it won't work, and they
> will need to guess your user-name as well.
>
> I would never recommend leaving port 22 open in the wild either.
>

Require key authentication for ssh; that way the only brute force that's
halfway sensible will be on your key file, and will be different from
your system password.

--
imalone

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
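As an added example (not code from the thread or from any of the posters), a small POSIX shell audit of an sshd_config against the three points the thread raises: root login disabled, password authentication disabled so keys are required, and the listener moved off port 22. The fallback values it assumes for absent directives and the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the three
# hardening points the discussion raises (root login off, password logins off
# so keys are required, listener moved off port 22). Returns 0 only when all
# three hold. It reads the main file only and ignores Match blocks.

# Effective value of a directive. sshd honours the FIRST uncommented
# occurrence, so stop at the first match; keyword compare is case-insensitive.
sshd_directive() {
    # $1 = config file, $2 = keyword, $3 = value to assume when absent
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

audit_sshd_config() {
    cfg=$1
    rc=0
    # Fallback values when a directive is absent (assumed stock defaults here)
    root=$(sshd_directive "$cfg" PermitRootLogin yes)
    pass=$(sshd_directive "$cfg" PasswordAuthentication yes)
    port=$(sshd_directive "$cfg" Port 22)
    [ "$root" = "no" ]  || { echo "WEAK: PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = "no" ]  || { echo "WEAK: PasswordAuthentication=$pass (want no, keys only)"; rc=1; }
    [ "$port" != "22" ] || { echo "WEAK: Port=22, the port every scanner tries first"; rc=1; }
    return $rc
}

# Constructed sample configs (not from any real host): a stock-looking file
# where every directive is commented out, and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG" || echo "audit failed (expected)"
echo "== hardened =="; audit_sshd_config "$HARD_CFG" && echo "audit passed"
```

Run it against `/etc/ssh/sshd_config` instead of the sample files to check a real host; a non-zero exit means at least one of the three settings is still at the weak value.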