Old 19th June 2011
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

Quote:
Originally Posted by BSDfan666 View Post
As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins.
+1...this is some really excellent advice that doesn't get stated enough. If you allow root, 1/2 of the job is done for any hacker/cracker that stumbles across your ip.

Disallowing password authentication will harden it even more, as it's much more difficult to crack a key than it is to crack a typical password. For a 1024 bit rsa key, there are ~1.8e+308 possible combinations, whereas a 14 character password of upper/lower/numeric/special has ~1.0e+26 possible combinations (and most don't have perfectly random passwords, so the possible combinations are far fewer). For comparison, if you could check 1e+20 combinations per second, it'd take ~12 days to crack a perfectly random 14 character password, but ~2.8e+279 **years** to crack a 1024 bit rsa key (the universe has been around for 1e+10 years, for the record).

Really, as long as your private key is safe and secure (i.e. backed up to a secure location), public key auth is the only way to go.

Quote:
Originally Posted by Dr-D View Post
I actually do employ security by obscurity by using odd port numbers for SSH and VNC. Some people frown upon this method but for networks that I work with I definitely do this and it works well in my opinion.
The biggest benefit of moving the port number is that it might fool the mass of "dumb" scanners out there...but it wouldn't do much for a determined attacker. But I see your point, reducing that crazy volume of logs (vs not logging anything? yikes!) is in and of itself a valid reason.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 19th June 2011 at 12:23 AM.
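The sshd_config settings this post and the quoted replies recommend (no root logins, no password authentication, public keys only, optionally a non-default port), checked by an added example script. This is not code from the thread or from OpenSSH; the two sample configs are constructed, and the assumed defaults for keywords missing from a file follow current OpenSSH (releases from the time of this thread defaulted PermitRootLogin to yes). Two sshd behaviours matter for a correct check and are mirrored here: sshd keeps the first value it sees for a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" does nothing, and turning off PasswordAuthentication alone still leaves password guessing open through keyboard-interactive (PAM/BSD Auth) unless that is disabled too.

```python
"""Audit the global section of an sshd_config for the hardening discussed
above. Added example, not code from the forum thread or from OpenSSH."""

# Assumed defaults for keywords absent from the file (modern OpenSSH).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}

# Deprecated spelling that sshd treats as the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(text):
    """Return {keyword: first value} for the section before any Match block."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)                  # "Keyword value"
        if "=" in parts[0]:                          # "Keyword=value"
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key = parts[0].strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break                                    # per-user/host blocks are not audited
        value = parts[1].strip().lstrip("=").strip().lower()   # "Keyword = value"
        cfg.setdefault(key, value)                   # first occurrence wins, as in sshd
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_global(text))
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{cfg['permitrootlogin']}': set it to no")
    if cfg["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication is '{cfg['passwordauthentication']}': set it to no")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append(f"KbdInteractiveAuthentication is '{cfg['kbdinteractiveauthentication']}': "
                        "passwords can still be guessed via keyboard-interactive")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append(f"PubkeyAuthentication is '{cfg['pubkeyauthentication']}': set it to yes")
    if cfg["port"] == "22":
        findings.append("Port 22: moving it only thins out scanner noise, it is not a control")
    return findings


# Constructed sample: looks like a stock config with one late "fix" that
# sshd ignores because PasswordAuthentication already has a value.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# added later by an admin; the earlier "yes" still wins
PasswordAuthentication no
"""

# Constructed sample: what the advice in this thread amounts to. The Match
# block re-enables passwords for one account and is deliberately out of scope.
HARDENED_CONFIG = """\
Port = 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit(cfg) or ["ok"]:
            print("  " + finding)
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in and is the better input than the raw file; the script takes that output unchanged since it is the same keyword/value syntax.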