On 2017-06-30 16:08, Cameron Simpson wrote:
On 30Jun2017 10:11, Greg Woods <woods@xxxxxxxx> wrote:
On Fri, Jun 30, 2017 at 9:36 AM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
It's not necessarily a target on *you*, but very probably it's just
targeting any computer that responds to them. Poke, get a response,
keep prodding...
Yeah, pretty much all of this is totally automated these days. [...]
If you have an exposed ssh server, you will see this kind of
doorknob-rattling. I get around it in one of four ways:
You omitted way 0: DO NOT ALLOW PASSWORD BASED SSH. This is the single best
thing you can do. Allowing only key-based access simply prevents all password
based access and is cryptographicly strong, instead human-prose-imagination
strong, which is typically awful.
Way 0(a) is to "PermitRootLogin No" and 0(b) is to have a fixed and small
"AllowUsers" setting.
All your other suggestions come after that in terms of usefulness.
Password remote login: just don't do it.
1) Turn off sshd if
I don't really need it on a given system; 2) Use firewall rules to allow
access only from certain known remote locations (so I can get into my home
system from my desktop at work, for instance); 3) run sshd on a
non-standard port (won't stop the serious bad guys, but is usually good
enough to stop the automated doorknob-rattlers); and 4) If you really have
to have an ssh server that allows access from unknown remote locations, run
something like fail2ban that at least automatically blocks them if they try
too often from the same place. And the most important thing is, any of
these defenses can fail if you make a mistake configuring them (won't
happen because we're all perfect, right? :-) , so the most important thing
you can do is use strong passwords so that the brute force guessing cannot
succeed.
No, the most important thing is to make password guessing pointless.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
And what do I do if I have to login from a different machine than one of mine?
Should I hang a tag or key with the key to my computers on my key chain when
traveling? A long password like farcicalGrebling is not likely to be found by
anybody in any reasonable amount of time, eg. before I am dead and decomposed.
I developed a bad habit back in the 50s of actually running numbers on problems.
I think that is why I was a heartless young adult, eg a conservative/libertarian
sort of creature. Numbers talk to me. Ideals don't.
I've noticed in security there are a LOT of "assumptions" or "ideals" that
really ain't so. Change your password every x days is one such. Change it
whenever you think there is any chance it was compromised regardless of the
number of days. I'm working on decades on that one. I am VERY careful where I
type in any passwords to my accounts. I pick reasonably safe for a high value of
reasonably rather than try to fool myself that I can make it absolutely safe.
It's several thousands of times harder to get in through a password on my
systems than it is to use other malware means. So why harden ssh logins any
further? Make a Fermi number analysis of the likelihood of problems and work on
the worst ones not the best ones.
{^_^}
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
