sshd brute force attempts?

Darrin Chandler dwchandler at stilyagin.com
Tue Sep 19 15:38:17 PDT 2006


On Tue, Sep 19, 2006 at 02:22:41PM -0700, backyard wrote:
> 
> well you could pretty much eliminate the problem by
> disabling password logins to sshd and only accepting
> keyed logins. Then only a key will work.

This is probably the best thing you can do to keep the bad guys out.
This is what I'm doing on every box I have control over. It does not
stop anyone from trying, but nobody gets in. I have yet to see even an
attempt by script kiddies to use keys.

> Frequently changing the keys would ensure hackers
> would have to want to get in REALLY bad in order to
> gain unauthorized access by a brute force attempt.
> 
> Depending on how hosts login and their systems, you
> could perhaps run a login script that regenerates keys
> automatically and distributes them to the user every
> so many days or whatever so the system appears
> passwordless to them, and secure to the outside. This
> may be more trouble than you are looking for though.

I think this isn't needed, and is somewhat silly. Like all (decent)
implementations of pubkey, the key is only used to authenticate and
exchange a symmetric session key. So the pubkey sees little actual use,
compared with the session key.

Anyone who knows better please correct me.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
dwchandler at stilyagin.com   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
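
A check for the setup discussed in this thread (password logins disabled, key logins only), as an added example that is not part of the original messages. It audits sshd_config text and flags the case where PasswordAuthentication is off but keyboard-interactive through PAM still prompts for a password. The sample configs are constructed, and the defaults table assumes upstream OpenSSH defaults.

```python
import re

# Assumption: upstream OpenSSH defaults; OS packages (FreeBSD included) may differ.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}
# ChallengeResponseAuthentication is the older name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_LIKE = ("passwordauthentication", "kbdinteractiveauthentication")

def parse_sshd_config(text):
    """Return (global_settings, match_overrides); first value of a keyword wins."""
    global_cfg, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value          # later lines apply only to this block
        elif current_match is None:
            global_cfg.setdefault(key, value.lower())
        else:
            overrides.append((current_match, key, value.lower()))
    return global_cfg, overrides

def audit(text):
    """List reasons why password-style logins may still be accepted."""
    cfg, overrides = parse_sshd_config(text)
    eff = {**DEFAULTS, **{k: v for k, v in cfg.items() if k in DEFAULTS}}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if eff["kbdinteractiveauthentication"] != "no" and eff["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled; key logins will not work")
    for cond, key, value in overrides:
        if key in PASSWORD_LIKE and value != "no":
            findings.append(f"Match {cond} re-enables {key}")
    return findings

# Constructed sample configs, not taken from any real host.
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "UsePAM yes\nPubkeyAuthentication yes\n")
PAM_GAP = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
MATCH_OVERRIDE = HARDENED + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("pam gap", PAM_GAP),
                         ("match override", MATCH_OVERRIDE)):
        print(name, "->", audit(sample) or "no password-style logins found")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this parser does not follow Include files.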

