From owner-freebsd-questions@FreeBSD.ORG Tue Sep 19 22:38:17 2006
Date: Tue, 19 Sep 2006 15:38:08 -0700
From: Darrin Chandler
To: backyard
Cc: "Dan Mahoney, System Admin", questions@freebsd.org
Subject: Re: sshd brute force attempts?
Message-ID: <20060919223808.GF18329@zloy.stilyagin.com>
In-Reply-To: <20060919212242.97964.qmail@web83102.mail.mud.yahoo.com>
References: <20060919165400.A4380@prime.gushi.org> <20060919212242.97964.qmail@web83102.mail.mud.yahoo.com>
User-Agent: Mutt/1.5.11
List-Id: User questions

On Tue, Sep 19, 2006 at 02:22:41PM -0700, backyard wrote:
>
> well you could pretty much eliminate the problem by
> disabling password logins to sshd and only accepting
> keyed logins. Then only a key will work.
This is probably the best thing you can do to keep the bad guys out. This is what I'm doing on every box I have control over. It does not stop anyone from trying, but nobody gets in. I have yet to see even an attempt by script kiddies to use keys.

> Frequently changing the keys would ensure hackers
> would have to want to get in REALLY bad in order to
> gain unauthorized access by a brute force attempt.
>
> Depending on how hosts login and their systems, you
> could perhaps run a login script that regenerates keys
> automatically and distributes them to the user every
> so many days or whatever so the system appears
> passwordless to them, and secure to the outside. This
> may be more trouble than you are looking for though.

I think this isn't needed, and is somewhat silly. Like all (decent) implementations of pubkey, the key is only used to authenticate and exchange a symmetric session key. So the pubkey sees little actual use, compared with the session key. Anyone who knows better please correct me.

-- 
Darrin Chandler            | Phoenix BSD Users Group
dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
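An added example (not code from the thread or from FreeBSD) that checks whether an sshd_config actually disables password logins as recommended above. It assumes OpenSSH's rule that the first value seen for a keyword wins and that absent keywords take OpenSSH's defaults; the two sample configs are constructed.

```python
"""Audit an sshd_config for any remaining password login path."""
import re

# OpenSSH defaults applied when the keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Newer OpenSSH renamed ChallengeResponseAuthentication; treat both alike.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first value wins.

    Lines inside a Match block are skipped: they apply only to matching
    clients and need a separate review.
    """
    effective, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match:
            effective.setdefault(key, value)  # later duplicates are ignored
    return effective


def audit(text):
    """List the findings a defender cares about for this config text."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]) == "yes":
        findings.append("PasswordAuthentication is effectively yes")
    if cfg.get("challengeresponseauthentication", DEFAULTS["challengeresponseauthentication"]) == "yes":
        findings.append("ChallengeResponseAuthentication is effectively yes (PAM may still prompt)")
    if cfg.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]) != "yes":
        findings.append("PubkeyAuthentication is off: key-only login is impossible")
    return findings


def password_logins_possible(text):
    """True if sshd would still accept a password or keyboard-interactive login."""
    return any(f.endswith("effectively yes") or "(PAM" in f for f in audit(text))


# Constructed sample: the later "no" does not undo the earlier "yes".
WEAK_CONFIG = "PasswordAuthentication yes\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
# Constructed sample: key-only globally; the Match block must be reviewed on its own.
HARDENED_CONFIG = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
                   "PubkeyAuthentication yes\nMatch Address 192.0.2.0/24\n    PasswordAuthentication yes\n")
```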