[plug] john the ripper
Craig Ringer
craig at postnewspapers.com.au
Wed Jul 6 14:06:39 WST 2005
On Wed, 2005-07-06 at 13:34 +0800, Ben Jensz wrote:
> Ordinarily you wouldn't allow global access to ssh anyway, so any script
> kiddies shouldn't be able to even connect to the service to begin with.
Yep. Making it secure is good. Making it secure and hard to find is
better.
The main Internet-exposed host I run has ssh running on an unusual port
(making it somewhat less likely to be hit by "dumb" attackers like
worms) and requires public key authentication - it won't prompt for, or
accept, a password. This has issues (particularly strict firewalls when
a guest on someone's network, and needing to ssh into the box from a
host where I don't have my keys) but is preferable in my view to making
it easier to attack.
I used to limit access by IP, but that's no longer practical due to
changed use patterns by users.
If I'm on a strict network, I simply ssh into it via one of the other
hosts that *does* run on port 22. Keys are harder, unfortunately, but as
I carry my laptop that's usually not a problem.
--
Craig Ringer
More information about the plug
mailing list