tightening ssh
Danny Howard
dannyman at toldme.com
Tue Nov 22 00:16:23 UTC 2005
On Sat, Nov 19, 2005 at 10:41:52AM -0500, Tony Nelson wrote:

> Port obscurity is not much of a strategy. Maybe the current scripts don't
> try other ports, but it would be simple enough to add a port scan and then
> probe all open ports. Expect it.

The only "advantage" I see to a different port is a slightly reduced
performance impact from brute force attempts, and cleaner incidence
logs.

> I suggest one of the secure ways to set up SSH: public key pair or
> encrypted passwords. And only allow SSH 2. Public key should be simple
> /enough/ to set up; your user would need to make a key with GPG and put the
> private key in the right place (I think man ssh tells where) and give you
> the public key to put in the right place.

Someone mentioned to me in passing the other day, that you can have sshd
require both a key, and password authentication. Which sounds kind of
neat, because then you don't have to trust that the user has a password
on their key. :)

Cheers,
-danny
--
http://dannyman.toldme.com/
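
Added example, not part of the original message: in OpenSSH 6.2 and later, the "key and password" setup mentioned above is the `AuthenticationMethods publickey,password` directive in sshd_config. The script below audits a config for it, using two constructed sample files; the function names, file names and sample contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "key AND password" logins.
# Assumes OpenSSH 6.2+ (AuthenticationMethods); all names here are hypothetical.

# Print the first global value of a keyword. sshd keeps the first value it
# reads, keywords are case-insensitive, and Match blocks are conditional.
sshd_opt() {  # usage: sshd_opt <keyword> <file>
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Return 0 only if every AuthenticationMethods list needs publickey AND password.
requires_key_and_password() {  # usage: requires_key_and_password <file>
    if [ "$(sshd_opt PubkeyAuthentication "$1")" = "no" ]; then return 1; fi
    if [ "$(sshd_opt PasswordAuthentication "$1")" = "no" ]; then return 1; fi
    methods=$(sshd_opt AuthenticationMethods "$1")
    [ -n "$methods" ] || return 1          # unset: any one method is enough
    for list in $methods; do               # lists are space-separated alternatives
        case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$list," in *,password,*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample configs, written to a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak" <<'EOF'
# constructed sample: key OR password is accepted
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/strict" <<'EOF'
# constructed sample: key AND password are both required
PubkeyAuthentication yes
PasswordAuthentication yes
authenticationmethods publickey,password
EOF
for f in weak strict; do
    if requires_key_and_password "$demo_dir/$f"; then
        echo "$f: key and password both required"
    else
        echo "$f: a single factor is enough"
    fi
done
```

On a live host, `sshd -T` prints the effective configuration, which also covers defaults and included files that a plain file scan misses.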