Re: Is there an openssh security problem?




I think if you use double authentication (both keys and a password) and put your SSH server on a different port then you are doing the best you can. You hope to prevent a 0-day but you cannot fully protect yourself...


James

On Fri, Jul 10, 2009 at 7:06 PM, Rob Townley <rob.townley@xxxxxxxxx> wrote:
On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom<cap@xxxxxxxxxx> wrote:
> On Friday 10 July 2009, Rob Kampen wrote:
>> Coert Waagmeester wrote:
> ...
>> > it only allows one NEW connection to ssh per minute.
>> >
>> > That is also a good protection right?
> ...
>> Not really protection - rather a deterrent - it just makes it slower for
>> the script kiddies that try brute force attacks
>
> Basically it's not so much about protection in the end as it is about keeping
> your secure-log readable. Or maybe also a sense of being secure...
>
> It's always good to limit your exposure but you really have to weigh cost
> against the win. Two examples:
>
> Limit from which hosts you can login to a server:
>  Configuration cost: trivial setup (one iptables line)
>  Additional cost: between no impact and some impact depending on your habits
>  Positive effect: 99.9+% of all scans and login attempts are now gone
>  Verdict: Clear win as long as the set of servers are easily identifiable
>
> Elaborate knocking/blocking setup:
>  Configuration cost: significant (include keeping it up-to-date)
>  Additional cost: setup of clients for knocking, use of -p XXX for new port
>  Positive effect: "standard scans" will probably miss but not air tight
>  Verdict: Harder to judge, I think it's often not worth it
>
> Other things worth looking into are, for example, access.conf (pam_access.so)
> and ensuring that non-trivial passwords are used.
>
> my €0.02,
>  Peter
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
>

Virtual networks such as tinc-vpn.org or hamachi create an
encrypted network only accessible to members of the virtual network.
So if your server's virtual nic has an address of 5.4.3.2, then the
only other host that may see your server would be your laptop with
address 5.4.3.3.  No other internet hosts would even see 5.4.3.2...
It is like IPSec, but much easier.



--
http://www.goldwatches.com



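The two options Peter weighs above (the one-line source-host allowlist versus the "one NEW connection per minute" limit Coert mentions) written out as iptables rules, as an added shell example that is not from the thread; the function names, the SSH_PORT variable and the 203.0.113.10 / 198.51.100.0/24 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Emits an iptables-restore fragment
# so the rules can be reviewed before they are loaded. Addresses are
# constructed (RFC 5737 documentation ranges).
SSH_PORT="${SSH_PORT:-22}"

# Option 1 (Peter's "one iptables line"): only the listed sources may open
# an SSH connection; every other NEW connection is dropped before sshd, and
# therefore the secure-log, ever sees it.
allow_from_hosts() {
    # $@ = allowed source addresses or CIDR ranges
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j DROP"
}

# Option 2 (Coert's per-minute limit): record each NEW connection per source
# in the 'recent' table, then drop once a source exceeds $1 in 60 seconds.
# As Peter notes, this only slows a brute-force run and keeps the log
# readable; it does not stop a determined attacker.
rate_limit_new() {
    # $1 = NEW connections allowed per source per 60 s
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --set"
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount $(( $1 + 1 )) -j DROP"
}

# Wrap a rule generator in a filter-table fragment. Apply (as root) with
#   iptables-restore -n < ssh-rules.v4     (-n keeps existing rules)
restore_fragment() {
    printf '*filter\n'
    "$@"
    printf 'COMMIT\n'
}

# Example run: allowlist a laptop and one office range.
restore_fragment allow_from_hosts 203.0.113.10 198.51.100.0/24
```

Because the allowlist drops at the packet filter, the scanning noise never reaches sshd; the rate limit, by contrast, still lets the first attempt from every scanner through, which is why Peter rates it as mostly a log-readability measure.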
