[opensuse] Results of moving ssh to a high port - Zero script kiddies in a 24 hour period.
Listmates,

Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly: the number of log entries per 24 hour period before and after.

Before the change (November 21) I had over 5000 ssh attempts on port 22. There were periods where there were multiple attempts every second:

16:36 nirvana~/linux/boxes/bonza/log> wc -l < 20081121.log
5353

After the change:

16:37 nirvana~/linux/boxes/bonza/log> wc -l < 20081125.log
294

Less than 300 entries in the logs in _total_ for an entire 24 hour period. If you have similar issues, and your real user needs can be accommodated on a high port, I highly recommend it.

-- 
David C. Rankin, J.D.,P.E. | openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC | Countdown for openSuSE 11.1
www.rankinlawfirm.com | http://counter.opensuse.org/11.1/small
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
* David C. Rankin <drankinatty@suddenlinkmail.com> [Nov 27. 2008 08:30]:
16:36 nirvana~/linux/boxes/bonza/log> wc -l < 20081121.log
5353
After the change:
16:37 nirvana~/linux/boxes/bonza/log> wc -l < 20081125.log
294
Less than 300 entries in the logs in _total_ for an entire 24 hour period. If you have similar issues, and your real user needs can be accommodated on a high port, I highly recommend it.
Another approach is one I use after I found it on the DragonFlyBSD list. Have an entry to send everything from the auth log into a separate program scanning for invalid user logins. If one such is found--blacklist it. After a while it stops and you don't have to inform all users about port number change.

-- 
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic and totally illogical, with just a little bit more effort?" -- A. P. J.
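The log-scanning approach Mads describes, as an added example for this thread (not his program or any openSUSE tool): it parses sshd's "Failed password" lines, groups them by source address, and flags a source once it has `threshold` failures inside a sliding time window. The log lines and the year are constructed; the addresses come from the RFC 5737 documentation ranges, and the two window sizes in the main block show why a fixed short window misses slow probing.

```python
"""Scan sshd log lines for repeated failed logins and collect blacklist
candidates. Constructed example, not the scanner mentioned on the list."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format sshd wrote to at the time.
SAMPLE_LOG = """\
Nov 21 16:36:01 bonza sshd[4111]: Invalid user admin from 203.0.113.7
Nov 21 16:36:01 bonza sshd[4111]: Failed password for invalid user admin from 203.0.113.7 port 4321 ssh2
Nov 21 16:36:02 bonza sshd[4113]: Invalid user test from 203.0.113.7
Nov 21 16:36:02 bonza sshd[4113]: Failed password for invalid user test from 203.0.113.7 port 4322 ssh2
Nov 21 16:36:03 bonza sshd[4115]: Failed password for root from 203.0.113.7 port 4323 ssh2
Nov 21 16:36:03 bonza sshd[4115]: Failed password for root from 203.0.113.7 port 4323 ssh2
Nov 21 16:40:10 bonza sshd[4200]: Accepted publickey for david from 192.0.2.10 port 50012 ssh2
Nov 21 16:41:00 bonza sshd[4210]: Failed password for david from 192.0.2.10 port 50013 ssh2
Nov 21 17:05:00 bonza sshd[4300]: Failed password for invalid user oracle from 198.51.100.9 port 3001 ssh2
Nov 21 17:55:00 bonza sshd[4301]: Failed password for invalid user oracle from 198.51.100.9 port 3002 ssh2
Nov 21 18:45:00 bonza sshd[4302]: Failed password for invalid user oracle from 198.51.100.9 port 3003 ssh2
Nov 21 19:35:00 bonza sshd[4303]: Failed password for invalid user oracle from 198.51.100.9 port 3004 ssh2
"""

# One failed authentication per line; "invalid user" marks a non-existent account.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_timestamp(stamp, year):
    # syslog stamps carry no year, so the caller supplies it (constructed: 2008)
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def failures_by_source(lines, year=2008):
    """Map each source address to the sorted timestamps of its failed logins,
    and record which non-existent user names each source tried."""
    failures = defaultdict(list)
    invalid_users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, "Invalid user" notices, unrelated daemons
        failures[m["ip"]].append(parse_timestamp(m["ts"], year))
        if m["invalid"]:
            invalid_users[m["ip"]].add(m["user"])
    for stamps in failures.values():
        stamps.sort()
    return failures, invalid_users


def blacklist_candidates(lines, threshold=4, window_seconds=300, year=2008):
    """Sources with at least `threshold` failed logins inside any window of
    `window_seconds`. A sliding window over the sorted timestamps keeps this
    linear in the number of failures per source."""
    failures, _ = failures_by_source(lines, year)
    flagged = []
    for ip, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # The burst from 203.0.113.7 is caught by a 5 minute window; the one
    # attempt per 50 minutes from 198.51.100.9 only shows up with a 4 hour window.
    print("5 min window:", blacklist_candidates(lines))
    print("4 h window:  ", blacklist_candidates(lines, window_seconds=4 * 3600))
```

The flagged addresses are what such a program would hand to the firewall; the legitimate user at 192.0.2.10 with a single typo is never flagged.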
David C. Rankin wrote:
Listmates,
Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly. The number of log entries per 24 hour period before and after.
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted.

-- 
Use OpenOffice.org <http://www.openoffice.org>
James Knott wrote:
David C. Rankin wrote:
Listmates,
Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly. The number of log entries per 24 hour period before and after.
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted.
That seems like it is next up on my learning agenda. I already use ssh-key authentication, I guess I just need to turn password checking off.
David C. Rankin wrote:
James Knott wrote:
David C. Rankin wrote:
Listmates,
Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly. The number of log entries per 24 hour period before and after.
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted.
That seems like it is next up on my learning agenda. I already use ssh-key authentication, I guess I just need to turn password checking off.
Quite so. If you already use a key, then passwords are superfluous and give crackers an access point. Incidentally, with Linux, you don't even have to leave the key on the computer. Just save it on a USB pen drive and symlink to it. That way, no pen drive, no way to access your system via ssh.

-- 
Use OpenOffice.org <http://www.openoffice.org>
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
David C. Rankin wrote:
Listmates,
Moving ssh to a high port has been a resounding success at completely eliminating the dictionary attacks against my server. And so far, I have not had one single instance since making the change. I don't have any great statistics, but I do have one that shows the impact very clearly. The number of log entries per 24 hour period before and after.
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted.
That seems like it is next up on my learning agenda. I already use ssh-key authentication, I guess I just need to turn password checking off.
I've been following this thread with interest, and can report similar results to David's as a result of moving ssh to a higher port number. Thank you, David, for your lucid How-To earlier on.

To turn off password checking, which of the following do I need to modify in sshd.config?

---
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
...
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
---

My guess is the last one, i.e. change UsePAM to 'no', but I'm not sure of the effects of the earlier options.

Bob
-- 
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.0, Kernel 2.6.25.18-0.2-default, KDE 3.5.10
Intel Celeron 2.53GHz, 2GB DDR RAM, nVidia GeForce 7600GS
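Bob's question is really about which settings sshd ends up with. The checker below is an added example (not OpenSSH code or anything posted in the thread): it reads an sshd_config with sshd's own first-occurrence-wins rule and lists the password paths still open, and run over the quoted snippet it shows that PasswordAuthentication no alone leaves the keyboard-interactive (PAM) prompt available until ChallengeResponseAuthentication is also no, while UsePAM yes can stay, exactly as the file's own comment says. The sample configs are constructed, and Match blocks are deliberately not interpreted.

```python
"""Work out which login paths an sshd_config actually leaves open.

Mirrors how sshd reads the file: '#' starts a comment, keywords are
case-insensitive and may be followed by a space or '=', and for every keyword
the FIRST occurrence wins (later duplicates are silently ignored). Newer
OpenSSH spells ChallengeResponseAuthentication as KbdInteractiveAuthentication
and keeps the old name as an alias, so both are folded together here.
Constructed example, not OpenSSH code."""
import re

ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values sshd assumes when a keyword is absent from the file (distribution
# files often set UsePAM yes explicitly, as in the snippet quoted above).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} using first-occurrence-wins semantics.
    Parsing stops at the first 'Match' line, which this example does not model."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)  # a later duplicate never overrides
    return effective


def effective_value(cfg, keyword):
    key = ALIASES.get(keyword.lower(), keyword.lower())
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def key_only_findings(text):
    """Reasons why this config is not yet 'keys only'; an empty list means it is."""
    cfg = parse_sshd_config(text)
    findings = []
    if effective_value(cfg, "PasswordAuthentication") != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if effective_value(cfg, "ChallengeResponseAuthentication") != "no":
        findings.append("ChallengeResponseAuthentication is effectively yes: "
                        "keyboard-interactive (PAM) password prompts remain")
    if effective_value(cfg, "PubkeyAuthentication") != "yes":
        findings.append("PubkeyAuthentication is off: turning passwords off would lock everyone out")
    return findings


# Constructed configs. BOB_SNIPPET reproduces the active lines quoted above.
BOB_SNIPPET = """\
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
UsePAM yes
"""

KEY_ONLY = BOB_SNIPPET + "ChallengeResponseAuthentication no\n"

# The classic trap: a 'no' appended at the end of the file changes nothing,
# because the earlier 'yes' has already won.
FIRST_MATCH_TRAP = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in [("Bob's snippet", BOB_SNIPPET), ("keys only", KEY_ONLY),
                      ("first-match trap", FIRST_MATCH_TRAP)]:
        print(f"{name}: {key_only_findings(cfg) or 'keys only'}")
```

On a live host the same check is `sshd -T`, which prints the effective values after sshd has applied these rules; compare its output rather than trusting the file by eye.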
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
On 11/28/2008 at 1:47 PM, G T Smith <grahamsmith@gandalfsemporium.homelinux.com> wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.

I have this setup on my server and would not be afraid of its security.. or not more as with pw auth. Having keypair auth and no pass sounds pretty good practice to me.

Dominique
Dominique Leuenberger wrote:
On 11/28/2008 at 1:47 PM, G T Smith <grahamsmith@gandalfsemporium.homelinux.com> wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote: To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security.. or not more as with pw auth. Having keypair auth and no pass sounds pretty good practice to me.
Dominique
In earlier mail in the thread David stated something about just needing to turn password authentication off. However, this could be interpreted by some as all that was needed to be done (with the port change).

The issue of setting up of the keypair is not mentioned, both host and client need this in place before you can start making these kind of changes to the sshd.config file. Disabling password authentication without these being in place could be kind of risky, and it is not something to attempt unless one is absolutely clear about what one was doing (and why). I was putting up the "Here be Monsters and Dragons" warning notice.

I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
On Friday 28 November 2008 07:33:01 am G T Smith wrote:
I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
In any network it is more convenient to have keypair authentication, than to type passwords all the time. One time more work and then enjoy.

-- 
Regards, Rajko
Rajko M. wrote:
On Friday 28 November 2008 07:33:01 am G T Smith wrote:
I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
In any network it is more convenient to have keypair authentication, than to type passwords all the time. One time more work and then enjoy.
I would generally prefer the password protected key option (to use the key you have to authenticate with a password), which is same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is they can get lost, usually when you most need them :-) . If the wrong person gets the lost key then you could be toast if the key is not protected.

For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).

What I would like to do is fix up some sort of single sign on, so one authentication allows access networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc could be a major pain). So one has one strong point of entry rather than several points of varying strength.

If this requirement changes I will almost certainly implement something better, but until this happens I have other things to do.

YMMV

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
On Sat, 2008-11-29 at 10:30 +0000, G T Smith wrote: <snip>
I would generally prefer the password protected key option (to use the key you have to authenticate with a password), which is same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is they can get lost, usually when you most need them :-) . If the wrong person gets the lost key then you could be toast if the key is not protected.
For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).
What I would like to do is fix up some sort of single sign on, so one authentication allows access networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc could be a major pain). So one has one strong point of entry rather than several points of varying strength.
It's the usual trade-off between security level and ease of use/maintainability.... For gaining access to a specific (or any) node in your network, you might consider the use of tokens (Aladdin, Kobil). Almost all systems have a USB port nowadays. Private keys protected by a pin-code, that snaps after three failed attempts. It raises the security level drastically, but at what cost, is it worthwhile?

OTOH, using single-sign-on techniques (distributing trusted keys, kerberos etc etc) removes security barriers. Instead of access to a specific node, one gets access to all nodes.

In case you want to avoid the maintenance of tokens, there is still another option I saw last week. If one wants to login, send the user a one-time password via an SMS message on his GSM... (It seems that ordinary lusers are more careful about their private GSM and pin-code than with company tokens....)

hw
Hans Witvliet wrote:
On Sat, 2008-11-29 at 10:30 +0000, G T Smith wrote: <snip>
What I would like to do is fix up some sort of single sign on, so one authentication allows access networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc could be a major pain). So one has one strong point of entry rather than several points of varying strength.
OTOH, using single-sign-on techniques (distributing trusted keys, kerberos etc etc) removes security barriers. Instead of access to a specific node, one gets access to all nodes.
The neat concept behind Novell's Directory Service (NDS) was the integration between rights to access services, resources, or even parts of the NDS database data or schema to an authenticated object on top of X500. Authenticated objects can only get access to resources and services that the administrators of those resources and services have defined at the level they have defined it. AD does do this but it is still a very poor cripple in comparison to NDS. (Authenticated objects are users, groups or services BTW). Unfortunately, *NIX authentication is more loosely federated, with many different ways of defining access to different functions and resources, making such integration rather more complex than is ideal. OpenLDAP and Kerberos are part there but still seem to be a penny short of a full shilling last time I looked at them, and the later versions of NISS are not very impressive either.
-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
G T Smith wrote:
Rajko M. wrote:
On Friday 28 November 2008 07:33:01 am G T Smith wrote:
I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
In any network it is more convenient to have keypair authentication, than to type passwords all the time. One time more work and then enjoy.
I would generally prefer the password protected key option (to use the key you have to authenticate with a password), which is same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is they can get lost, usually when you most need them :-) . If the wrong person gets the lost key then you could be toast if the key is not protected.
For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).

I allow passwords on my local computers, as well as public/private keys. However, my firewall is key only.
-- 
Use OpenOffice.org <http://www.openoffice.org>
On Saturday 29 November 2008 04:30:44 am G T Smith wrote:
Rajko M. wrote:
On Friday 28 November 2008 07:33:01 am G T Smith wrote:
I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
In any network it is more convenient to have keypair authentication, than to type passwords all the time. One time more work and then enjoy.
I would generally prefer the password protected key option (to use the key you have to authenticate with a password), which is same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is they can get lost, usually when you most need them :-) . If the wrong person gets the lost key then you could be toast if the key is not protected.
I was talking about private/public keypair and ssh access. Once you set up computers that can talk to each other and exclude all others, you just connect. It is some work to move public keys around, but once it is done you need the procedure only when you buy a new computer, or a hard disk fails. Nothing can get lost, as you have nothing to remember.
For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).
Sure, under some circumstances :-D Under normal conditions, it is not so hard to trick yourself and forget an easy to remember password. I did that a few times creating passwords for others. Luckily I know more than one way to recover from that kind of problem, otherwise it would be a real embarrassment.
What I would like to do is fix up some sort of single sign on, so one authentication allows access networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc could be a major pain). So one has one strong point of entry rather than several points of varying strength.
It is a good idea, but as you said it involves some work and extra resources and it has no justification in a home or small office setting.
If this requirement changes I will almost certainly implement something better, but until this happens I have other things to do. YMMV
-- 
Regards, Rajko
On Saturday 29 November 2008, Rajko M. wrote:
For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).
Sure, under some circumstances :-D Under normal conditions, it is not so hard to trick yourself and forget an easy to remember password. I did that a few times creating passwords for others. Luckily I know more than one way to recover from that kind of problem, otherwise it would be a real embarrassment.
For less often used passwords, or for those that are of high quality and thus difficult to remember unless used often, such as "LnhU34p3Olxm7yXKtns92", and the like, I recommend a password "safe" -- a plain ASCII text file where they are written. Encrypt it symmetrically (or asymmetrically if you need not access it anywhere where you might not have your private key at hand) with GPG with a very good password that you have learnt well, and put the file somewhere where you can find it when needed, such as your FTP site, your online backup service, CD, USB stick... wherever necessary so you will not lose it.

And when someone comes to you asking "what that password was again", you can look it up in that file -- or use it when you forget one of your own passwords.

This approach also allows you to regenerate those passwords regularly, which you are less likely to do if you absolutely have to remember them all.

A similar file is handy for all those login username / password pairs you need for every possible site these days. When I need to login to site X, I just write "gpg -d ~/pwsafe.gpg" and copy-paste.

Regards, Tero Pesonen
Tero Pesonen wrote:
On Saturday 29 November 2008, Rajko M. wrote:
For private use I tend to prefer password, entry plus blocks on external firewall as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).
Sure, under some circumstances :-D Under normal conditions, it is not so hard to trick yourself and forget an easy to remember password. I did that a few times creating passwords for others. Luckily I know more than one way to recover from that kind of problem, otherwise it would be a real embarrassment.
For less often used passwords, or for those that are of high quality and thus difficult to remember unless used often, such as "LnhU34p3Olxm7yXKtns92", and the like, I recommend a password "safe" -- a plain ASCII text file where they are written. Encrypt it symmetrically (or asymmetrically if you need not access it anywhere where you might not have your private key at hand) with GPG with a very good password that you have learnt well, and put the file somewhere where you can find it when needed, such as your FTP site, your online backup service, CD, USB stick... wherever necessary so you will not lose it.
And when someone comes to you asking "what that password was again", you can look it up in that file -- or use it when you forget one of your own passwords.
This approach also allows you to regenerate those passwords regularly, which you are less likely to do if you absolutely have to remember them all.
A similar file is handy for all those login username / password pairs you need for every possible site these days. When I need to login to site X, I just write "gpg -d ~/pwsafe.gpg" and copy-paste.
Regards, Tero Pesonen
This I need to look into, what with local MySQL accounts, subversion authentication, rsync authentication, funambol authentication, Tomcat authentication, apache authentication and CMS authentication locally (and I am sure I will have forgotten something in that list:-) ), the only thing integrated to any extent is Samba/PAM/email. It would be nice to just login and use the stuff *sigh*

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
G T Smith wrote:
Dominique Leuenberger wrote:
On 11/28/2008 at 1:47 PM, G T Smith <grahamsmith@gandalfsemporium.homelinux.com> wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote: To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security.. or not more as with pw auth. Having keypair auth and no pass sounds pretty good practice to me.
Dominique
In earlier mail in the thread David stated something about needing just needing to turn password authentication off. However, this could be interpreted by some as all that was needed to be done (with the port change).
The issue of setting up of the keypair is not mentioned, both host and client need this in place before you can start making these kind of changes to the sshd.config file. Disabling password authentication without these being in place could be kind of risky, and it is not something to attempt unless one is absolutely clear about what one was doing (and why). I was putting up the "Here be Monsters and Dragons" warning notice.
I would agree, that if you have a regular need for ssh access from an external location that this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
Here's my original comment about not using password:
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted. If he didn't know about the keys, all he had to do was ask.
-- 
Use OpenOffice.org <http://www.openoffice.org>
James Knott wrote:
Here's my original comment about not using password:
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted. If he didn't know about the keys, all he had to do was ask.
Hmm... that particular message did not get to me until well afterwards. Maybe should have held fire a little bit... I am noticing recently that I am getting some responses turning up before the original..., which makes for some interesting reading on occasions, especially when bits have been edited out...

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. -- Bjarne Stroustrup
G T Smith wrote:
James Knott wrote:
Here's my original comment about not using password:
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted. If he didn't know about the keys, all he had to do was ask.
Hmm... that particular message did not get to me until well afterwards. Maybe should have held fire a little bit... I am noticing recently that I am getting some responses turning up before the original..., which makes for some interesting reading on occasions, especially when bits have been edited out...
Yep, as I mentioned before, people should wait until a message is posted, before they respond to it. ;-) Actually, while sometimes it's mail delay that causes it, on many occasions, it appears that way because someone's clock is wrong, so that if you're reading some time later, the reply appears to have been posted before the original message. -- Use OpenOffice.org <http://www.openoffice.org>
On Sat, 2008-11-29 at 07:37 -0500, James Knott wrote:
G T Smith wrote:
James Knott wrote:
Here's my original comment about not using password:
One thing you can do, to stop dictionary attacks, is use a key, rather than password for access. No amount of password guessing will get through if no passwords are accepted. If he didn't know about the keys, all he had to do was ask.
Hmm... that particular message did not get to me until well afterwards. Maybe should have held fire a little bit... I am noticing recently that I am getting some responses turning up before the original..., which makes for some interesting reading on occasions, especially when bits have been edited out...
Yep, as I mentioned before, people should wait until a message is posted, before they respond to it. ;-)
Actually, while sometimes it's mail delay that causes it, on many occasions, it appears that way because someone's clock is wrong, so that if you're reading some time later, the reply appears to have been posted before the original message.
Once or twice, I've gotten the reply the day before the original showed up. Mike -- nice to know it's not just me
Mike McMullin wrote:
Once or twice, I've gotten the reply the day before the original showed up.
Mike -- nice to know it's not just me
Same here. John Perry
Mike McMullin wrote:
Actually, while sometimes it's mail delay that causes it, on many occasions, it appears that way because someone's clock is wrong, so that if you're reading some time later, the reply appears to have been posted before the original message.
Once or twice, I've gotten the reply the day before the original showed up.
Perhaps the guy replying is just being proactive. ;-) -- Use OpenOffice.org <http://www.openoffice.org>
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much of a trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work. Regards, Tero Pesonen
Tero Pesonen wrote:
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much of a trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work.
Regards, Tero Pesonen
There are two keys, the public one and the private one. You have to protect the private one and it's only on the computer you are connecting from. You can email the public key, if you wish, as it doesn't have to be protected. At the destination computer, it is added to the known_hosts file. The public key can be copied to any computer you wish to connect to. -- Use OpenOffice.org <http://www.openoffice.org>
On Friday 28 November 2008, James Knott wrote:
Tero Pesonen wrote:
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much of a trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work.
Regards, Tero Pesonen
There are two keys, the public one and the private one. You have to protect the private one and it's only on the computer you are connecting from. You can email the public key, if you wish, as it doesn't have to be protected. At the destination computer, it is added to the known_hosts file. The public key can be copied to any computer you wish to connect to.
Yes, I understand, but the problem lies exactly in that you need your private key wherever you're connecting from. That is, if I had to SSH into my box while at the university, I'd have to have my private key on that machine I would have to be using there (not an option, unless I'd bring my own laptop etc. -- not always possible) or on some memory stick or similar, and have that memory stick or select files always encrypted so that if, or when, I would lose it, I wouldn't get compromised. But perhaps this wouldn't be too much of trouble if I had the FS on that key remain unencrypted, with only the private key encrypted, and had both *NIX and Windows versions of GPG there (is that even possible?) or something like that, and the key would be decrypted only onto that stick, not onto the host machine's local disks, and later overwritten with zeros. Although you never know where some swapping might throw a copy of it on that machine. But I think this might work. Still, unless a key would be necessary, a plain password would be much easier to use securely. Regards, Tero Pesonen
On Friday 28 November 2008, Tero Pesonen wrote:
On Friday 28 November 2008, James Knott wrote:
Tero Pesonen wrote:
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much of a trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work.
Regards, Tero Pesonen
There are two keys, the public one and the private one. You have to protect the private one and it's only on the computer you are connecting from. You can email the public key, if you wish, as it doesn't have to be protected. At the destination computer, it is added to the known_hosts file. The public key can be copied to any computer you wish to connect to.
Yes, I understand, but the problem lies exactly in that you need your private key wherever you're connecting from. That is, if I had to SSH into my box while at the university, I'd have to have my private key on that machine I would have to be using there (not an option, unless I'd bring my own laptop etc. -- not always possible) or on some memory stick or similar, and have that memory stick or select files always encrypted so that if, or when, I would lose it, I wouldn't get compromised.
But perhaps this wouldn't be too much of trouble if I had the FS on that key* remain unencrypted, with only the private key encrypted, and
* on that memory stick, of course.
had both *NIX and Windows versions of GPG there (is that even possible?) or something like that, and the key would be decrypted only onto that stick, not onto the host machine's local disks, and later overwritten with zeros. Although you never know where some swapping might throw a copy of it on that machine.
But I think this might work.
Still, unless a key would be necessary, a plain password would be much easier to use securely.
Regards, Tero Pesonen
Tero Pesonen wrote:
On Friday 28 November 2008, James Knott wrote:
Tero Pesonen wrote:
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much of a trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work.
Regards, Tero Pesonen
There are two keys, the public one and the private one. You have to protect the private one and it's only on the computer you are connecting from. You can email the public key, if you wish, as it doesn't have to be protected. At the destination computer, it is added to the known_hosts file. The public key can be copied to any computer you wish to connect to.
Yes, I understand, but the problem lies exactly in that you need your private key wherever you're connecting from. That is, if I had to SSH into my box while at the university, I'd have to have my private key on that machine I would have to be using there (not an option, unless I'd bring my own laptop etc. -- not always possible) or on some memory stick or similar, and have that memory stick or select files always encrypted so that if, or when, I would lose it, I wouldn't get compromised.
But perhaps this wouldn't be too much of trouble if I had the FS on that key remain unencrypted, with only the private key encrypted, and had both *NIX and Windows versions of GPG there (is that even possible?) or something like that, and the key would be decrypted only onto that stick, not onto the host machine's local disks, and later overwritten with zeros. Although you never know where some swapping might throw a copy of it on that machine.
But I think this might work.
Still, unless a key would be necessary, a plain password would be much easier to use securely.
Regards, Tero Pesonen
GPG is compatible with PGP on any other platform. Also, you can password protect the key. If you're using Linux boxes, you don't even have to copy the key to the computer. Just carry it on a USB drive and symlink to it. -- Use OpenOffice.org <http://www.openoffice.org>
Dominique Leuenberger wrote:
On 11/28/2008 at 1:47 PM, G T Smith <grahamsmith@gandalfsemporium.homelinux.com> wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security... or no more so than with pw auth. Having keypair auth and no pass sounds like pretty good practice to me.
Dominique
Further, you can put a password on the key, so that even if someone obtained it, they couldn't use it without knowing the password. -- Use OpenOffice.org <http://www.openoffice.org>
On Friday 28 November 2008 12:47:58 G T Smith wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.
Sorry, lack of clarity on my part. I already have keys set up, and understood that this made password checking superfluous. If that is so, I was asking which settings I should change in sshd.config. I appreciate your caution - always better to be safe than sorry! -- Registered Linux User #463880 FSFE Member #1300 GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E openSUSE 11.0, Kernel 2.6.25.18-0.2-default, KDE 3.5.10 Intel Celeron 2.53GHz, 2GB DDR RAM, nVidia GeForce 7600GS
G T Smith wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.
I didn't say turn off authentication. I suggested turning off password authentication. With SSH you can use a public/private key to log in. Without that key, no amount of password guessing will get you in, because there is no valid password. My private key appears to be over 1600 random ASCII characters, which will be very difficult to guess. -- Use OpenOffice.org <http://www.openoffice.org>
On Friday 28 November 2008 19:12:52 James Knott wrote:
G T Smith wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.
I didn't say turn off authentication. I suggested turning off password authentication. With SSH you can use a public/private key to log in. Without that key, no amount of password guessing will get you in, because there is no valid password. My private key appears to be over 1600 random ASCII characters, which will be very difficult to guess.
And I asked how to turn off password authentication. I'd still be grateful for an answer, guys :) Bob -- Registered Linux User #463880 FSFE Member #1300 GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E openSUSE 11.0, Kernel 2.6.25.18-0.2-default, KDE 3.5.10 Intel Celeron 2.53GHz, 2GB DDR RAM, nVidia GeForce 7600GS
Bob Williams wrote:
On Friday 28 November 2008 19:12:52 James Knott wrote:
G T Smith wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.
I didn't say turn off authentication. I suggested turning off password authentication. With SSH you can use a public/private key to log in. Without that key, no amount of password guessing will get you in, because there is no valid password. My private key appears to be over 1600 random ASCII characters, which will be very difficult to guess.
And I asked how to turn off password authentication. I'd still be grateful for an answer, guys :)
Bob
Here's what I have on my firewall:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
-- Use OpenOffice.org <http://www.openoffice.org>
On Friday 28 November 2008 20:19:15 James Knott wrote:
Bob Williams wrote:
On Friday 28 November 2008 19:12:52 James Knott wrote:
G T Smith wrote:
Bob Williams wrote:
On Thursday 27 November 2008 15:03:29 David C. Rankin wrote:
James Knott wrote:
To turn off password checking, which of the following do I need to modify in sshd.config?
I am not sure this is a good idea. Just because you have moved the default port to a different value does *not* mean you should disable authentication. A more sophisticated scan is quite likely to identify that the port is open for ssh and taking security of it is not very safe (particularly if open to the outside world). All this does is protect against 'dumb' scripts causing server load issues, once the port has been identified as being used for ssh it will become open to attack again.
I didn't say turn off authentication. I suggested turning off password authentication. With SSH you can use a public/private key to log in. Without that key, no amount of password guessing will get you in, because there is no valid password. My private key appears to be over 1600 random ASCII characters, which will be very difficult to guess.
And I asked how to turn off password authentication. I'd still be grateful for an answer, guys :)
Bob
Here's what I have on my firewall:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
Thanks, James. Bob -- Registered Linux User #463880 FSFE Member #1300 GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E openSUSE 11.0, Kernel 2.6.25.18-0.2-default, KDE 3.5.10 Intel Celeron 2.53GHz, 2GB DDR RAM, nVidia GeForce 7600GS
David C. Rankin wrote:
Listmates,
Less than 300 entries in the logs in _total_ for an entire 24 hour period. If you have similar issues, and your real user needs can be accommodated on a high port, I highly recommend it.
Last note on moving ssh to a higher port. For a seamless move, as was suggested earlier, either add the Host and Port entries to the system-wide /etc/ssh/ssh_config or to your personal ~/.ssh/config to match hostnames to ports, and you eliminate the need to specify the new port on the command line for each rsync, ssh, etc. command. Example:
Host alchemy.3111skyline.com alchemy
Port 22
Host arete.3111skyline.com arete
Port 22
Host ecstasy.3111skyline.com ecstacy
Port 5271
Host bonza.rbpllc.com bonza
Port 5250
-- David C. Rankin, J.D.,P.E. | openSoftware und SystemEntwicklung Rankin Law Firm, PLLC | Countdown for openSuSE 11.1 www.rankinlawfirm.com | http://counter.opensuse.org/11.1/small
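Both fragments quoted in this thread, the PasswordAuthentication line for sshd_config and the per-host Port entries for ssh_config, are read under the same OpenSSH rule: the first value obtained for a keyword wins, so a "PasswordAuthentication no" appended below an existing "yes" changes nothing, and a wildcard Host block placed before a specific one hides it. The Python below is an added example, not code from any poster; it applies that rule to constructed sample files (placeholder hostnames under example.net) so the effective setting can be checked before it is relied on.

```python
import fnmatch
import re

# Constructed sample sshd_config (not the poster's file): the commented-out
# default is ignored, and the Match block only applies to one user.
SAMPLE_SSHD_CONFIG = """\
Port 5250
#PasswordAuthentication yes
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample ~/.ssh/config in the shape posted above; the hostnames
# are placeholders, not the poster's.
SAMPLE_SSH_CONFIG = """\
Host alchemy.example.net alchemy
    Port 22
Host bonza.example.net bonza
    Port 5250
Host *.example.net
    Port 2222
Host *
    Port 22
"""

# OpenSSH accepts "Keyword value", "Keyword=value" and "Keyword = value".
_SEP = re.compile(r"\s*=\s*|\s+")


def _directives(text):
    """Yield (lower-cased keyword, [arguments]) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SEP.split(line, maxsplit=1)
        args = parts[1].split() if len(parts) > 1 else []
        yield parts[0].lower(), args


def sshd_option(text, keyword):
    """Global value sshd uses for keyword: the first occurrence wins (later
    duplicates are silently ignored), and parsing stops at the first Match
    block because everything below it is conditional."""
    keyword = keyword.lower()
    for kw, args in _directives(text):
        if kw == "match":
            break
        if kw == keyword:
            return " ".join(args)
    return None


def _host_matches(patterns, hostname):
    """Host line semantics: some pattern matches and no '!' pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def client_port(text, hostname):
    """Port ssh uses for hostname: the first obtained value wins, so specific
    Host blocks must come before wildcard ones. Defaults to 22."""
    active = True  # directives before any Host line apply to every host
    for kw, args in _directives(text):
        if kw == "host":
            active = _host_matches(args, hostname)
        elif kw == "port" and active:
            return int(args[0])
    return 22
```

On a live server, `sshd -T` prints the configuration sshd actually applies and is the authoritative check that password authentication is really off.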