Date:      Fri, 05 Mar 2010 07:45:02 -0800
From:      merlyn@stonehenge.com (Randal L. Schwartz)
To:        Anton <anton@sng.by>
Cc:        John <john@starfire.mn.org>, freebsd-questions@freebsd.org, Programmer In Training <pit@joseph-a-nagy-jr.us>
Subject:   Re: Thousands of ssh probes
Message-ID:  <861vfy6add.fsf@blue.stonehenge.com>
In-Reply-To: <1108389354.20100305154152@sng.by> (anton@sng.by's message of "Fri, 5 Mar 2010 15:41:52 +0200")
References:  <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <1108389354.20100305154152@sng.by>

>>>>> "Anton" == Anton  <anton@sng.by> writes:

Anton>    But, to allow access for yourself - you could install wonderful
Anton>    utility = 'knock-knock'.

Port knocking is false security.

It's equivalent to adding precisely two bytes (per knock, which can't
be too close or far apart or numerous) to the key length.

Are you really thinking that increasing your key length from 2048 to 2050
helps?

The right solution is proper ssh key management, and intrusion detection, and
if you insist on having password access, use one-time passwords and/or
strength checks.

If you don't like your logfiles filling up, don't run ssh on port 22.  I like
443, because corporate firewalls tend to pass that... :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
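The "intrusion detection" Randal recommends, as an added example that is not part of the original thread or of any tool mentioned in it: a small detector that reads OpenSSH failure lines in the default syslog format, counts failed password attempts per source address inside a sliding time window, and emits the pfctl(8) commands that would drop each offender into a pf table (the same job sshguard or fail2ban do). The log lines are constructed samples, and the table name `sshprobes`, the threshold of 4 failures and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format (not real logs).
# 203.0.113.7 is a scanner walking through usernames; 198.51.100.23 is a
# legitimate user who fat-fingered a password once and then used a key.
SAMPLE_LOG = """\
Mar  5 07:40:01 blue sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  5 07:40:03 blue sshd[4712]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  5 07:40:04 blue sshd[4713]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  5 07:40:06 blue sshd[4714]: Invalid user test from 203.0.113.7 port 51250
Mar  5 07:40:07 blue sshd[4715]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  5 07:41:10 blue sshd[4720]: Accepted publickey for merlyn from 198.51.100.23 port 40022 ssh2
Mar  5 07:42:30 blue sshd[4725]: Failed password for merlyn from 198.51.100.23 port 40030 ssh2
Mar  5 07:55:00 blue sshd[4790]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

# Matches only "Failed password" lines; "Invalid user" notices are ignored so
# that one attempt is not counted twice.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; fine for relative comparisons here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_probers(log_text, threshold=4, window_seconds=60):
    """Return {ip: (max_failures_in_window, sorted usernames tried)} for every
    source that produced at least `threshold` failures inside any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, 0
        # Sliding window over the sorted timestamps: advance `start` until the
        # window fits, then record the largest burst seen for this source.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, sorted({u for _, u in events}))
    return flagged


def pfctl_block_commands(flagged, table="sshprobes"):
    """Build the pfctl(8) commands that add each flagged source to a pf table
    (the table name is an assumption; pair it with a `block in quick from <sshprobes>` rule)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_probers(SAMPLE_LOG)
    for ip, (count, users) in hits.items():
        print(f"{ip}: {count} failures in one window, users tried: {', '.join(users)}")
    for cmd in pfctl_block_commands(hits):
        print(cmd)
```

Run against the sample, only 203.0.113.7 is flagged: its four failures between 07:40:01 and 07:40:07 fall in one window, while the 07:55 attempt and merlyn's single failure do not reach the threshold. The same logic applies unchanged whether sshd listens on 22 or 443, which is the point: moving the port quiets the log, and the detector is what actually tells you who is still knocking.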



Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?861vfy6add.fsf>