[plug] firewalling ssh

Adrian Woodley Adrian at ScreamingRoot.org
Tue Jan 9 13:49:20 WST 2007



On Tue, 09 Jan 2007 09:42:16 +0900, Bernd Felsche <bernie at innovative.iinet.net.au> wrote:
 
> It's a shared secret; just like a password. You can explain exactly
> *how* it works so it's not obscurity that's the protection; it's the
> port numbers and the sequence in which they're knocked.
 
Yes, but most security experts would agree that access should be granted based on "something you have and something you know". In this case the something you have is your private ssh key and the something you know is the password to unlock it.
 
...
 
> Having an sshd listen all the time to the world opens the system to
> a DoS attack.... a dictionary attack can generate hundreds of
> megabytes of sshd log entries in a day. The firewall's memory may
> also be exhausted if the sshd tries to handle too many connections
> at once.

That is pretty unlikely on a domestic DSL connection. My personal server is on a 3Mbit link and I still don't see that as being a problem. Maybe on 100Mbit or even 10Mbit (doubtful). 

-- 
~#
http://screamingroot.org
Are you a Screamer?
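The knock-sequence matching the two posters are debating, as an added example that is not code from either of them or from the PLUG list: a per-source state machine that opens access only when the secret ordered list of ports is hit in sequence within a time window, and resets on any wrong port. The knock ports (7000, 8000, 9000), the 10-second window, the `KnockTracker`/`process_events` names and the sample packet events are all constructed assumptions for illustration; a real deployment would feed this from firewall drop logs and add a firewall rule on success.

```python
"""Added example (not from the mailing-list thread): a minimal port-knock
sequence matcher, where the secret is the ordered list of ports.
Knock sequence, window and sample events are assumptions constructed
for illustration only."""
from collections import defaultdict

# Assumed secret knock sequence (the "shared secret" discussed in the thread).
KNOCK_SEQUENCE = (7000, 8000, 9000)
# Assumed time window (seconds) within which the whole sequence must complete.
KNOCK_WINDOW = 10.0


class KnockTracker:
    """Track each source address's progress through KNOCK_SEQUENCE.

    A correct knock advances the state; a wrong port, or a sequence that
    has taken too long, resets it.  Resetting silently on a wrong port is
    what stops a scanner from learning the sequence one port at a time.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # src -> (index of the next expected knock, time of the first knock)
        self.state = defaultdict(lambda: (0, None))

    def observe(self, src, port, ts):
        """Feed one dropped-packet event (src, dst port, timestamp).

        Returns True only when src has just completed the full sequence.
        """
        idx, started = self.state[src]
        if started is not None and ts - started > self.window:
            idx, started = 0, None          # sequence expired: start over
        if port != self.sequence[idx]:
            self.state[src] = (0, None)     # wrong knock: reset silently
            return False
        if idx == 0:
            started = ts                    # first correct knock starts the clock
        idx += 1
        if idx == len(self.sequence):
            self.state[src] = (0, None)     # complete: reset so it must be redone
            return True
        self.state[src] = (idx, started)
        return False


def process_events(events, tracker=None):
    """Run a list of (src, port, ts) events and return the sources that opened."""
    tracker = tracker or KnockTracker()
    return [src for src, port, ts in events if tracker.observe(src, port, ts)]


# Constructed sample events: (source address, destination port, seconds).
SAMPLE_EVENTS = [
    ("203.0.113.5", 7000, 0.0),    # legitimate client knocks in order
    ("198.51.100.9", 7000, 0.5),   # scanner hits the first port by chance...
    ("203.0.113.5", 8000, 1.0),
    ("198.51.100.9", 7001, 1.2),   # ...then a wrong port: its state resets
    ("203.0.113.5", 9000, 2.0),    # sequence complete: this source opens
    ("192.0.2.77", 7000, 3.0),     # slow knocker starts...
    ("192.0.2.77", 8000, 20.0),    # ...but 17 s later the window has expired
    ("192.0.2.77", 9000, 21.0),    # so this never completes
]

if __name__ == "__main__":
    print("opened:", process_events(SAMPLE_EVENTS))
```

Note that the matcher confirms Bernd's framing rather than refuting it: the sequence travels in the clear as destination ports, so anyone who can observe one successful knock can replay it, exactly as a sniffed password could. That is why Adrian's reply wants a second factor (the key file plus its passphrase) rather than relying on the knock alone.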
