Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Openssh + security
  • From: Jaime Santos <jesantos@xxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 13 Dec 2005 16:43:22 +0100
  • Message-id: <439EEC1A.5010301@xxxxxxxxxxxxxxxxxxxx>
Hi,

This discussion has developed in two different directions, namely how
SSH works, and in particular how challenge-response is implemented, and
the use of different rules to block scan attempts, both to port 22 and
also in general. Let me clarify that, although I do use
challenge-response, I do not think it is a universal panacea. If your
users are computer literate, then it is a good idea to implement it (it
also works under Windows ssh-clients such as PuTTY, but I have no idea
how to). If not, which is the most probable thing if you administer a
network with hundreds of users, then you will have to keep password
authentication, and a blocking rule against password attacks is a good
idea. It is in any case worth implementing, I think, especially if it is
designed to block general port scans, rather than just single ports like
port 22. You never know if your Apache server, or mail server, or
whatever is vulnerable. To repeat the mantra of security people,
security is a layered process. Two locks are always better than one :-) ...

Best, Jaime.
