Date: Tue, 19 Sep 2006 15:38:08 -0700
From: Darrin Chandler <dwchandler@stilyagin.com>
To: backyard <backyard1454-bsd@yahoo.com>
Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, questions@freebsd.org
Subject: Re: sshd brute force attempts?
Message-ID: <20060919223808.GF18329@zloy.stilyagin.com>
In-Reply-To: <20060919212242.97964.qmail@web83102.mail.mud.yahoo.com>
References: <20060919165400.A4380@prime.gushi.org> <20060919212242.97964.qmail@web83102.mail.mud.yahoo.com>

On Tue, Sep 19, 2006 at 02:22:41PM -0700, backyard wrote:
>
> well you could pretty much eliminate the problem by
> disabling password logins to sshd and only accepting
> keyed logins. Then only a key will work.

This is probably the best thing you can do to keep the bad guys out.
This is what I'm doing on every box I have control over. It does not
stop anyone from trying, but nobody gets in. I have yet to see even an
attempt by script kiddies to use keys.

> Frequently changing the keys would ensure hackers
> would have to want to get in REALLY bad in order to
> gain unauthorized access by a brute force attempt.
>
> Depending on how hosts login and their systems, you
> could perhaps run a login script that regenerates keys
> automatically and distributes them to the user every
> so many days or whatever so the system appears
> passwordless to them, and secure to the outside. This
> may be more trouble than you are looking for though.

I think this isn't needed, and is somewhat silly. Like all (decent)
implementations of pubkey, the key is only used to authenticate and
exchange a symmetric session key. So the pubkey sees little actual use,
compared with the session key. Anyone who knows better please correct
me.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler@stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060919223808.GF18329>
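
Added example (not part of the original message or thread): a Python check that an sshd_config really enforces the key-only login recommended above, including the keyboard-interactive path that can still ask for a password when only PasswordAuthentication is turned off. The function names and sample configs are constructed for illustration, and values for absent keywords are assumed to be upstream OpenSSH defaults.

```python
import re

# Values sshd assumes when a keyword is absent (upstream OpenSSH defaults;
# assumed here, an OS-patched build may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Global auth settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional overrides are out of scope for this check
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Return findings; an empty list means key-only login is enforced."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is not 'no'; PAM can still ask for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'; key logins would fail")
    return findings


# Constructed sample configs, not taken from any real host.
PARTIAL = "PasswordAuthentication no\n#ChallengeResponseAuthentication no\n"
HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL), ("hardened", HARDENED)):
        print(name, audit(cfg) or "key-only")
```

To audit a live host, pass the text of its sshd_config file to `audit()`; Match blocks are deliberately not evaluated, so review those separately.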