Date:      Fri, 5 Mar 2010 09:46:54 -0600
From:      John <john@starfire.mn.org>
To:        "Randal L. Schwartz" <merlyn@stonehenge.com>
Cc:        John <john@starfire.mn.org>, freebsd-questions@freebsd.org, Programmer In Training <pit@joseph-a-nagy-jr.us>, Anton <anton@sng.by>
Subject:   Re: Thousands of ssh probes
Message-ID:  <20100305154654.GB17456@elwood.starfire.mn.org>
In-Reply-To: <861vfy6add.fsf@blue.stonehenge.com>
References:  <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <1108389354.20100305154152@sng.by> <861vfy6add.fsf@blue.stonehenge.com>

On Fri, Mar 05, 2010 at 07:45:02AM -0800, Randal L. Schwartz wrote:
> >>>>> "Anton" == Anton  <anton@sng.by> writes:
> 
> Anton>    But, to allow access for yourself - you could install wonderful
> Anton>    utility = 'knock-knock'.
> 
> Port knocking is false security.
> 
> It's equivalent to adding precisely two bytes (per knock, which can't
> be too close or far apart or numerous) to the key length.
> 
> Are you really thinking that increasing your key length from 2048 to 2050
> helps?
> 
> The right solution is proper ssh key management, and intrusion detection, and
> if you insist on having password access, use one-time passwords and/or
> strength checks.
> 
> If you don't like your logfiles filling up, don't run ssh on port 22.  I like
> 443, because corporate firewalls tend to pass that... :)

Yes - that's exactly what I used to do, and exactly why I used to do
it, but now I'm thinking of actually implementing https.
-- 

John Lind
john@starfire.MN.ORG

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of miseries.
  - Winston Churchill
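Randal's advice above is intrusion detection rather than port knocking, and the original complaint was log files filling with probes. The following is an added example, not code from anyone in this thread: it tallies failed sshd password attempts per source address over a few constructed auth.log lines (the hostname, PIDs and addresses are made up) and reports sources that cross a threshold, the kind of list one would feed to a firewall table.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH auth.log format (not real log data).
SAMPLE_LOG = """\
Mar  5 09:40:01 elwood sshd[17001]: Invalid user admin from 203.0.113.7
Mar  5 09:40:02 elwood sshd[17001]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  5 09:40:05 elwood sshd[17003]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  5 09:40:06 elwood sshd[17005]: Failed password for root from 203.0.113.7 port 51531 ssh2
Mar  5 09:40:09 elwood sshd[17007]: Failed password for invalid user oracle from 203.0.113.7 port 51540 ssh2
Mar  5 09:41:12 elwood sshd[17010]: Accepted publickey for john from 198.51.100.4 port 40122 ssh2
Mar  5 09:42:00 elwood sshd[17012]: Failed password for john from 198.51.100.4 port 40130 ssh2
"""

# "invalid user" appears when the account does not exist; both forms are failures.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)

def summarize(log_text):
    """Return (failures per IP, usernames tried per IP, accepted logins)."""
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failures, users, accepted

def probing_sources(log_text, threshold=3):
    """Sources with at least `threshold` failed passwords, with the names they tried."""
    failures, users, _ = summarize(log_text)
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, names) in probing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, users tried: {', '.join(names)}")
```

A real deployment would read the log incrementally and age entries out; the threshold here is arbitrary and should be tuned against the rate of legitimate typos from known sources.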
