annoying brute force attack attempt using ssh
Patrick O'Callaghan
pocallaghan at gmail.com
Thu May 15 23:14:14 UTC 2008
On Thu, 2008-05-15 at 17:45 -0500, Mikkel L. Ellertson wrote:
> Patrick O'Callaghan wrote:
> > On Thu, 2008-05-15 at 14:41 -0700, Wolfgang S. Rupprecht wrote:
> >> "jeff emminger" <jemminger at gmail.com> writes:
> >>> isn't password authentication insecure? why not set
> >>> "PasswordAuthentication no" and use ssh keys, and maybe port-knocking
> >>> too
> >> My feeling exactly. You have no control over how stupid a password
> >> users will pick. The only control you have is to not allow passwords
> >> in the first place and insist on at least a 1k-bit (hopefully random)
> >> key.
> >
> > Then you just have to hope the users' machines aren't vulnerable ...
> >
> > poc
> >
> Or at least they use a pass-phrase protected key, and a good phrase.
And aren't root-kitted and don't have a keyboard logger ... there's no
end to how paranoid you can be, and not everything is valuable enough to
be worth the hassle. That's what makes security interesting :-)
poc
More information about the fedora-list
mailing list