tightening ssh

Jiann-Ming Su sujiannming at gmail.com
Mon Nov 21 16:58:00 UTC 2005


On 11/21/05, Wolfgang S. Rupprecht wrote:
> Yup.  Setting up real public-key authentication is several hundred
> orders of magnitude stronger against guessing attacks than changing
> the ssh port numbers or adding bad hosts into some IP level filter
> table and hoping the attackers won't guess a good password before they
> run out of IP addresses to test from.
>
> (And yes, I did really mean hundreds of orders of magnitude.  An
> attacker has 1 chance in 10**308 of guessing the 1024-bit public key
> on each try if they follow the same brute-force attack.  Given a
> billion tests per second and the whole age of the universe up to this
> time, we are still only talking a 1 in 10**281 chance.)
>

Even harder, if there's a password on that key.  The other part of
this discussion, I thought, was the DoS-ability of these ssh attacks. 
That is, do these ssh attacks prevent legitimate users from accessing
regardless of the authentication mechanism configured for sshd?

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
 If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank.  The election baby has peed in
the bath water.  You got to throw 'em both out."  --Dale Gribble



