| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BLU148-W8796A387DA5117D4D3A9EB4DF0@phx.gbl>
Date: Thu, 17 Jun 2010 15:58:33 -0500
From: John Jacobs <flamdugen@...mail.com>
To: <pschmehl_lists@...rr.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks
> > Of course it's wise to disable password authentication and just use
> > public key authentication.
>
> Why? Ssh is encrypted, so you're not exposing a password when you login. How
> does public key authentication make you more secure (in a practical sense)?
>
Paul, it's more secure in that brute force attacks are mitigated because the private key is required by the client and the public key must appear in ~/.ssh/authorized_keys. Disabling password authentication means a weak password on an account cannot be compromised by brute force or other discovery efforts. A password on the private key provides even greater defense-in-depth security.
Disable password authentication and enforce key-pair authentication and targeted brute-force attacking becomes moot very quickly. Moving SSHd from TCP 22 also keeps the script-kiddies and automated scanners away.
After doing these two basic things then it's time to focus on fail2ban, denyhosts, and the other firewall integrating solutions.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists