From: Chris Rees
Date: Tue, 23 Jun 2009 09:12:31 +0100
To: Wojciech Puchar
Cc: Benjamin Lee, Daniel Underwood, freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server

2009/6/23 Wojciech Puchar:
>> If for some reason you would prefer to use password authentication, I
>> would recommend that you look into automatic brute force detection.
>> There are a number of utilities in ports available for this purpose,
>> including security/sshguard and security/denyhosts.
>
> good, but not really important with properly chosen password.
> You can't do more than maybe 10 attempts/second this way, while cracking 10
> character password consisting of just small letters and digits needs
>
> 36^10=3656158440062976 possible passwords, and over 11 million years to check
> all possibilities, so say 100000 years if someone is really lucky and will
> get it after checking 1% possible password.
>
> Of course - you must not look at logs in 100000 years and not see this 10
> attempts per second.
>
>
>
> I give this example against common paranoia that exist on that group - mix
> of real "security paranoid" persons and pseudo-experts that like to repeat
> "intelligent" phrases to show up themselves.
>
> Actually - there is no need for extra protection for ssh, but for humans.
>
> 99% of crack attempts are done by "kevin mitnick" methods, not password
> cracking.

You're right about the probability of password breaking, but personally
I installed denyhosts just because I got sick of this:

Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2

10,000 lines of this in _every_ security digest I get off my server. No
I haven't changed any IP addresses, either.

Now I get:

Added the following hosts to /etc/hosts.evil:
89.232.63.160
87.117.236.15

Much easier to read...

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
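
Added example (not part of the message above, and not DenyHosts' own code): a minimal sketch of the log reduction Chris describes, collapsing repeated sshd failure lines into one entry per source address. The threshold, the function name and the 192.0.2.10 line are assumptions made for illustration; only IPv4 sources are handled.

```python
import re
from collections import defaultdict

# The user name is chosen by the remote client, so it is matched greedily and
# the address is taken from the fixed "from <ip> port <n> ssh2" tail that sshd
# writes at the very end of the line (anchored with $).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# First eight lines are the excerpt from the message; the last line is
# constructed (documentation address) to show a source below the threshold.
SAMPLE_LOG = """\
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
Aug 22 00:50:02 amnesiac sshd[63200]: Failed password for chris from 192.0.2.10 port 50022 ssh2
"""

def summarize(log_text, threshold=3):
    """Return {ip: {"attempts": n, "users": [...]}} for sources with >= threshold failures."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # the PAM "error:" line repeats each failure; count it once
        attempts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {ip: {"attempts": n, "users": sorted(users[ip])}
            for ip, n in attempts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, "
              f"users tried: {', '.join(info['users'])}")
```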