Date:      Tue, 23 Jun 2009 08:44:56 +0200 (CEST)
From:      Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
To:        Benjamin Lee <ben@b1c1l1.com>
Cc:        Daniel Underwood <djuatdelta@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Best practices for securing SSH server
Message-ID:  <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>
In-Reply-To: <4A403324.6090300@b1c1l1.com>
References:  <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A403324.6090300@b1c1l1.com>

> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.

good, but not really important with a properly chosen password.
You can't do more than maybe 10 attempts/second this way, while cracking a
10-character password consisting of just small letters and digits needs

36^10=3656158440062976 possible passwords, and over 11 million years to
check all possibilities, so say 100000 years if someone is really lucky
and will get it after checking 1% of possible passwords.

Of course - you must not look at logs in 100000 years and not see these 10
attempts per second.



I give this example against the common paranoia that exists on that group - a mix
of real "security paranoid" persons and pseudo-experts that like to repeat
"intelligent" phrases to show themselves off.

Actually - there is no need for extra protection for ssh, but for humans.

99% of crack attempts are done by "kevin mitnick" methods, not password 
cracking.
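As an added example (not part of the thread above), the keyspace arithmetic from this message and the log check it implies: how long exhausting a 36-character alphabet at 10 attempts/second takes, and which sources in an sshd auth log produce that kind of failure rate. The log lines are constructed for the example.

```python
import re

# Constructed sample of sshd auth.log lines (not from the original thread).
SAMPLE_LOG = """\
Jun 23 08:40:01 host sshd[54856]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jun 23 08:40:01 host sshd[54857]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jun 23 08:40:02 host sshd[54858]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Jun 23 08:40:02 host sshd[54859]: Accepted publickey for wojtek from 198.51.100.7 port 51000 ssh2
Jun 23 08:40:03 host sshd[54860]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Jun 23 08:41:30 host sshd[54861]: Failed password for ben from 203.0.113.5 port 42000 ssh2
"""

# Matches the syslog timestamp and the source address of a failed password login.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d{2}):(\d{2}):(\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(alphabet_size, length, attempts_per_second):
    """Keyspace size and the years needed to try every password at the given rate."""
    keyspace = alphabet_size ** length
    return keyspace, keyspace / attempts_per_second / SECONDS_PER_YEAR


def failed_attempts_by_source(log_text):
    """Return {source_ip: (failure_count, seconds between first and last failure)}."""
    stats = {}  # ip -> (count, first_seen, last_seen), times as seconds of day
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        h, mi, s, ip = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        count, first, last = stats.get(ip, (0, t, t))
        stats[ip] = (count + 1, min(first, t), max(last, t))
    return {ip: (c, last - first) for ip, (c, first, last) in stats.items()}


def noisy_sources(log_text, min_failures=3, max_span_seconds=60):
    """Sources with >= min_failures failures inside max_span_seconds: the rapid guessing a log reader should not miss."""
    return sorted(ip for ip, (c, span) in failed_attempts_by_source(log_text).items()
                  if c >= min_failures and span <= max_span_seconds)
```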


