On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
> James Knott wrote:
>> David C. Rankin wrote:
>>> Listmates,
>>> Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly. The number of log entries per 24 hour period before and after.
>> One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted.
> That seems like it is next up on my learning agenda. I already use ssh-key authentication, I guess I just need to turn password checking off.
I've been following this thread with interest, and can report similar results to David's as a result of moving ssh to a higher port number. Thank you, David, for your lucid How-To earlier on.

To turn off password checking, which of the following do I need to modify in sshd.config?

---
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
...
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
---

My guess is the last one, i.e. change UsePAM to 'no', but I'm not sure of the effects of the earlier options.

Bob

--
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.0, Kernel 2.6.25.18-0.2-default, KDE 3.5.10
Intel Celeron 2.53GHz, 2GB DDR RAM, nVidia GeForce 7600GS
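The configuration comments quoted in the message above describe how PasswordAuthentication, ChallengeResponseAuthentication and UsePAM interact. As an added example (not part of the original thread and not OpenSSH code), this Python script reads the global section of an sshd_config and lists the settings through which a typed password could still be accepted. The function names, the two sample texts and the use of upstream OpenSSH defaults for unset keywords are assumptions.

```python
# Added example: audit the global section of an sshd_config for password logins.
# Assumption: unset keywords fall back to upstream OpenSSH defaults of that era.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def effective_settings(config_text):
    """Effective values of the DEFAULTS keywords (first occurrence wins)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out options have no effect
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key == "match":
            break  # only the global section is audited here
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}

def password_paths(config_text):
    """List the settings through which a typed password could be accepted."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes")
    # Reported only with UsePAM yes: the combination the config comments describe.
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        findings.append("ChallengeResponseAuthentication yes with UsePAM yes")
    return findings

# Constructed sample: the active and commented lines of the quoted fragment.
QUOTED = """\
PasswordAuthentication no
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed sample: same file with the change the config comment suggests.
HARDENED = QUOTED.replace("#ChallengeResponseAuthentication yes",
                          "ChallengeResponseAuthentication no")

if __name__ == "__main__":
    for name, text in (("quoted", QUOTED), ("hardened", HARDENED)):
        print(name, password_paths(text) or "no password paths")
```

On a live host, `sshd -T` prints the effective configuration, including Match-block results that this script does not evaluate.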