Quote:
Originally Posted by BSDfan666
As you're exposing ssh to the Internet, you may wish to allow only public key authentication and disable root logins.
+1... this is some really excellent advice that doesn't get stated enough. If you allow root, 1/2 of the job is done for any hacker/cracker that stumbles across your IP.
Disallowing password authentication will harden it even more, as it's much more difficult to crack a key than it is to crack a typical password. For a 1024 bit RSA key, there are ~1.8e+308 possible combinations, whereas a 14 character password of upper/lower/numeric/special has ~1.0e+26 possible combinations (and most don't have perfectly random passwords, so the possible combinations are far fewer). For comparison, if you could check 1e+20 combinations per second, it'd take ~12 days to crack a perfectly random 14 character password, but ~2.8e+279 **years** to crack a 1024 bit RSA key (the universe has been around for 1e+10 years, for the record).
Really, as long as your private key is safe and secure (i.e. backed up to a secure location), public key auth is the only way to go.
Quote:
Originally Posted by Dr-D
I actually do employ security by obscurity by using odd port numbers for SSH and VNC. Some people frown upon this method but for networks that I work with I definitely do this and it works well in my opinion.
The biggest benefit of moving the port number is that it might fool the mass of "dumb" scanners out there... but it wouldn't do much for a determined attacker. But I see your point, reducing that crazy volume of logs (vs not logging anything? yikes!) is in and of itself a valid reason.
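Added example, not from this thread or any of its posters: a POSIX shell check that reads an sshd_config and reports whether the settings discussed above (root login off, password auth off, public key auth on) are actually in effect. The function names and the two sample config files are constructed for the demonstration; the "first value wins" and default-value behaviour follow OpenSSH's documented sshd_config semantics.

```shell
# sshd takes the FIRST value given for a keyword; comments are ignored and
# keywords after a Match block only apply conditionally, so we stop there.
sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive); prints first value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # skip comment lines
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Returns 0 if the config is hardened as the thread recommends, 1 otherwise,
# and prints every setting that still needs attention.
sshd_hardening_check() {
    cfg="$1"; ok=0
    root="$(sshd_effective "$cfg" PermitRootLogin)"
    pass="$(sshd_effective "$cfg" PasswordAuthentication)"
    pub="$(sshd_effective "$cfg" PubkeyAuthentication)"
    # OpenSSH defaults when a keyword is absent: PermitRootLogin
    # prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes
    [ "${root:-prohibit-password}" = "no" ] || { echo "PermitRootLogin should be no (got ${root:-default})"; ok=1; }
    [ "${pass:-yes}" = "no" ]               || { echo "PasswordAuthentication should be no (got ${pass:-default})"; ok=1; }
    [ "${pub:-yes}" = "yes" ]               || { echo "PubkeyAuthentication should be yes (got $pub)"; ok=1; }
    return $ok
}

# Constructed sample configs: a stock-looking one and a hardened one.
WEAK_CFG="$(mktemp)"; HARD_CFG="$(mktemp)"
cat > "$WEAK_CFG" <<'EOF'
# root and passwords allowed, pubkey left at its default (yes)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f (Port $(sshd_effective "$f" Port))"
    sshd_hardening_check "$f" && echo "hardened: OK" || echo "hardened: NO"
done
```

Run it against /etc/ssh/sshd_config to audit a real host; the port line is informational only, since, as noted above, moving the port is not a substitute for the three authentication settings.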