From: merlyn@stonehenge.com (Randal L. Schwartz)
To: Anton
Cc: John, freebsd-questions@freebsd.org, Programmer In Training
Date: Fri, 05 Mar 2010 07:45:02 -0800
Subject: Re: Thousands of ssh probes
In-Reply-To: <1108389354.20100305154152@sng.by> (anton@sng.by's message of "Fri, 5 Mar 2010 15:41:52 +0200")
Message-ID: <861vfy6add.fsf@blue.stonehenge.com>

>>>>> "Anton" == Anton writes:

Anton> But, to allow access for yourself - you could install wonderful
Anton> utility = 'knock-knock'.

Port knocking is false security. It's equivalent to adding precisely two bytes (per knock, which can't be too close or far apart or numerous) to the key length. Are you really thinking that increasing your key length from 2048 to 2050 helps?
The right solution is proper ssh key management, and intrusion detection, and if you insist on having password access, use one-time passwords and/or strength checks.

If you don't like your logfiles filling up, don't run ssh on port 22. I like 443, because corporate firewalls tend to pass that... :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
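As an added example (not code from the post or from any tool mentioned in the thread), the kind of per-source failure counting that the "intrusion detection" advice above implies; the log lines are constructed in FreeBSD auth.log style with TEST-NET addresses, and the threshold of 3 failures is an assumption:

```python
# Added example (not code from the thread): count sshd password failures per
# source address from FreeBSD auth.log-style lines. The log lines are constructed
# (TEST-NET addresses) and the threshold of 3 is an assumption.
import re
from collections import defaultdict

# Matches "Failed password for [invalid user ]<user> from <ip> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

SAMPLE_LOG = """\
Mar  5 07:40:01 elwood sshd[14774]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  5 07:40:03 elwood sshd[14776]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Mar  5 07:40:05 elwood sshd[14778]: Failed password for root from 203.0.113.5 port 41041 ssh2
Mar  5 07:41:10 elwood sshd[14790]: Failed password for john from 198.51.100.7 port 50211 ssh2
Mar  5 07:41:15 elwood sshd[14791]: Accepted publickey for john from 198.51.100.7 port 50212 ssh2
Mar  5 07:42:00 elwood sshd[14800]: Failed password for invalid user pi from 2001:db8::1 port 60000 ssh2
"""

def parse_failure(line):
    """Return (ip, user, is_invalid_user) for a failed-password line, else None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("invalid") is not None

def summarize(lines):
    """Per source IP: number of failures and the set of usernames tried."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # accepted logins and unrelated lines are not counted
        ip, user, _ = parsed
        stats[ip]["failures"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)

def probing_hosts(lines, min_failures=3):
    """Sources at or above the failure threshold, busiest first."""
    hits = [(ip, s["failures"], sorted(s["users"]))
            for ip, s in summarize(lines).items() if s["failures"] >= min_failures]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for ip, n, users in probing_hosts(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} failures, usernames tried: {', '.join(users)}")
```

Many distinct usernames from one address is the signature of a scanner rather than a user who mistyped a password, which is why the username set is kept alongside the count.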