Date: Tue, 23 Jun 2009 09:12:31 +0100
From: Chris Rees <utisoft@googlemail.com>
To: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
Cc: Benjamin Lee <ben@b1c1l1.com>, Daniel Underwood <djuatdelta@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <b79ecaef0906230112y7e96cd04ke983a0f6d3dac71b@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>
References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A403324.6090300@b1c1l1.com> <alpine.BSF.2.00.0906230839170.54856@wojtek.tensor.gdynia.pl>
2009/6/23 Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with a properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking a 10
> character password consisting of just small letters and digits needs
>
> 36^10=3656158440062976 possible passwords, and over 11 million years to check
> all possibilities, so say 100000 years if someone is really lucky and will
> get it after checking 1% of possible passwords.
>
> Of course - you must not look at logs for 100000 years and not see these 10
> attempts per second.
>
> I give this example against the common paranoia that exists on this group - a mix
> of real "security paranoid" persons and pseudo-experts who like to repeat
> "intelligent" phrases to show themselves off.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.
You're right about the probability of password breaking, but personally I installed denyhosts just because I got sick of this:

Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2

10,000 lines of this in _every_ security digest I get off my server. No, I haven't changed any IP addresses, either.

Now I get:

Added the following hosts to /etc/hosts.evil:

89.232.63.160
87.117.236.15

Much easier to read...

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
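The counting half of what denyhosts and sshguard do, run over the kind of log Chris quotes, as an added example that is not code from the thread or from either tool. It assumes a fixed threshold of failed logins per source address inside a sliding time window, parses only the "Failed ... from <ip> port <n> ssh2" lines (the regex is this example's own), and treats the four lines quoted above plus a few constructed ones as sample input; the threshold, window and extra log lines are assumptions, not values from the page or from either tool.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed <method> for [invalid user] <name> from <ip> port <n> ssh2"
# lines FreeBSD's sshd writes. The "error: PAM: ... illegal user" lines carry only
# a reverse-DNS name, which the remote side controls, so they are skipped on purpose.
# Assumption: IPv4 sources only; IPv6 would need a wider "ip" group.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-login line, or None otherwise."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # ordering entries within one file (year rollover is not handled here).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_brute_forcers(lines, threshold=3, window_seconds=60):
    """Sliding-window counter: flag a source once it has `threshold` failures
    inside any `window_seconds` span.  Returns {ip: sorted usernames tried},
    so the reader sees the dictionary being walked, not only a count."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    flagged = set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}


def hosts_evil_lines(flagged):
    """One address per line, numerically sorted: the shape of the digest quoted above."""
    return sorted(flagged, key=lambda a: tuple(int(o) for o in a.split(".")))


# Constructed sample: the four quoted failures from 76.193.128.193, a slow scanner
# hitting root once an hour, and one mistyped password followed by a key login.
SAMPLE_LOG = """\
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
Aug 22 00:47:02 amnesiac sshd[63120]: Failed password for root from 10.0.0.5 port 40022 ssh2
Aug 22 01:47:02 amnesiac sshd[63301]: Failed password for root from 10.0.0.5 port 40198 ssh2
Aug 22 02:47:02 amnesiac sshd[63480]: Failed password for root from 10.0.0.5 port 40377 ssh2
Aug 22 03:15:40 amnesiac sshd[63555]: Failed password for chris from 192.168.1.20 port 51234 ssh2
Aug 22 03:15:44 amnesiac sshd[63555]: Accepted publickey for chris from 192.168.1.20 port 51234 ssh2
"""

if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    print("Added the following hosts to /etc/hosts.evil:")
    for ip in hosts_evil_lines(hits):
        print(ip, "tried:", ", ".join(hits[ip]))
```

With the defaults only 76.193.128.193 is listed: four failures in eight seconds crosses the threshold, the hourly root attempts from 10.0.0.5 never have three inside one minute, and Chris's single typo is left alone. Widening the window to a few hours catches the slow scanner too, at the cost of a bigger chance of locking out a real user who fumbles a password; the real tools then hand the list to tcp_wrappers or a firewall, which this example does not do. A per-address threshold is also blind to an attacker who spreads attempts over many sources, which is exactly what the two unrelated addresses in Chris's digest hint at.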