[plug] firewalling ssh
Bernard Blackham
bernard at blackham.com.au
Tue Jan 9 07:27:30 WST 2007
Adrian Woodley wrote:
> I'm personally not a huge fan of Port Knocking - it smacks of "security
> through obscurity".
If you're going for the security by obscurity angle, just putting the
ssh server on a non-standard port is probably more than adequate. I
actually prefer this, as it protects the ssh server from automated scans
and exploit attempts (thus saving on traffic), and makes hackers idly
browsing a network disinterested (unless they *know* something's there).
> Using ssh keys is a much more convenient and secure method of protecting
> both your password and your ssh server
Hear hear. Especially for root. The "PermitRootLogin without-password"
option in sshd_config is definitely recommended (it allows public keys
to authenticate, but not passwords).
> If you're frequently on strange/different machines then
> keeping your private key and a known_hosts file on a thumb-drive is a
> convenient way of authenticating both yourself and your server (avoid
> Man-in-the-Middle attacks).
Alternately, I've found setting up OTP (one-time passwords) to be
reasonably easy and secure for this situation (just don't lose your wallet!)
http://bernard.blackham.com.au/babble/2006/08/27/#2006-08-27
> (I'll wake up tomorrow to find Bernard has 'sploited my box through this
> little gateway - he's a dodgy character that one; heard he was spoofing
> MAC addresses yesterday!).
It could've been somebody spoofing identities too :P
Bernard.
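An added example (not from the thread) that audits an sshd_config for the three settings discussed above: a non-default Port, PermitRootLogin restricted to keys, and password authentication disabled. It assumes POSIX sh plus awk, the two sample configs are constructed, and Match blocks are not evaluated (only global settings are checked); `prohibit-password` is the newer OpenSSH spelling of `without-password`.

```shell
# Added example: audit sshd_config for the settings discussed in the thread.
# Assumes POSIX sh + awk; Match blocks are ignored (global settings only).

sshd_setting() {
    # $1 = config file, $2 = keyword, $3 = OpenSSH default when unset.
    # sshd honours the FIRST occurrence of a keyword, so stop at the first hit.
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s' "${val:-$3}"
}

audit_sshd_config() {
    # Prints one line per finding; returns 0 if clean, 1 if anything is weak.
    rc=0
    case "$(sshd_setting "$1" Port 22)" in
        22) echo "weak: Port 22 (default; trivially found by automated scans)"; rc=1 ;;
    esac
    # prohibit-password is the newer OpenSSH spelling of without-password
    case "$(sshd_setting "$1" PermitRootLogin yes)" in
        no|without-password|prohibit-password) ;;
        *) echo "weak: PermitRootLogin permits root password login"; rc=1 ;;
    esac
    case "$(sshd_setting "$1" PasswordAuthentication yes)" in
        no) ;;
        *) echo "weak: PasswordAuthentication on (keys or OTP preferred)"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: a stock-looking config and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
# Settings recommended in the thread
Port 2222
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
for f in "$WEAK" "$HARD"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "ok: no weak settings found"
done
```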