From: David Brown on 18 Jun 2010 08:56

On 18/06/2010 12:29, unruh wrote:
> On 2010-06-17, David Brown <david(a)westcontrol.removethisbit.com> wrote:
>> On 17/06/2010 11:12, Todd wrote:
>>> Hi All,
>>>
>>> With this command:
>>>
>>> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>>>
>>> I can run VirtualBox console on another computer with X11.
>>> All I get is asked for my password.
>>>
>>> I don't get it. How is this any more secure than plain
>>> old telnet? Both are just a user name and password.
>>> You could hack it the same old way other services
>>> are hacked by running the dictionary at them. I
>>> do believe OPH Crack over on the Windows side calls
>>> this "Rainbow tables".
>
> A dictionary attack on passwords is difficult if you choose reasonable
> passwords, i.e. greater than 8 letters, and proper password choice. If you
> use "a" as your password, then yes, password guessing is easy.
> Also ssh encrypts all data, including password exchange.
>

I like to put iptables connection limits on the ssh port - say, 3 per minute with a burst of 3. That will stop any dictionary attacks (unless your password is in the top few favourite passwords list). Theoretically this could give you a DOS, but in practice the attacker will give up quickly.

>>>
>>> I ask this because I will be needing to open SSH (port 22)
>>> for a vendor to get in on. And, well, I just don't get
>>> the advantage of ssh over anything else.
>
> Think about it.
>
>>>
>>
>> Arrange with the vendor to use a non-standard port. If you open port 22
>> to the world, you'll get lots of unwanted attempts at breaking in. If
>> you put your ssh server on port 12345, it will be free from attacks.
>
> No. But it might make it more difficult. If you have a specific enemy (
> rather than someone in Ulan Battor trying stuff on your random machine)
> then weird ports will be of no help.

A non-standard port won't stop a knowledgeable and determined attacker - but if you are expecting that sort of thing, you are in a different class for security requirements. The non-standard port will stop all drive-bys and script kiddies - no one is going to scan for open ports in this range. For extra protection, add port knocking on port 22 and various other unused ports that trigger a block on the source ip.

>>
>>> What am I missing? Is there a way to tighten ssh up?
>
> Use decent passwords.
From: unruh on 18 Jun 2010 10:51

On 2010-06-18, Maxwell Lol <nospam(a)com.invalid> wrote:
> unruh <unruh(a)wormhole.physics.ubc.ca> writes:
>
>> A dictionary attack on passwords is difficult if you choose reasonable
>> passwords, i.e. greater than 8 letters, and proper password choice. If you
>> use "a" as your password, then yes, password guessing is easy.
>> Also ssh encrypts all data, including password exchange.
>
> Well, if the application was dumb, and allowed unlimited guessing,
> then brute force password cracking can succeed even if a hard-to-guess
> password is chosen.
>

Depends on how long you try. Most people are not interested in taking 10000 centuries to crack an ssh session. So, let us put a time limit of 1 year. And a hard to guess password WILL give you one year. (And remember that most people are not interested even in 1 year.)
From: jellybean stonerfish on 18 Jun 2010 12:35

On Thu, 17 Jun 2010 14:20:41 +0000, J G Miller wrote:
> On Thu, 17 Jun 2010 13:44:39 +0000, General Schvantzkoph wrote:
>> I require RSA authentication and I use denyhosts, but I also keep my
>> pants up with both a belt and suspenders (that's for real, it's not
>> just an expression).
>
> I really do not understand people's reaction to too much security being
> overkill ie a bad thing.
>
> Too much security never hurt, as compared to too little.

Encrypting everything to the point of insanity is expensive.
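The two defences named so far in the thread, David Brown's iptables limit of 3 connections per minute and the denyhosts mentioned above, both rest on the same observation: a dictionary attack shows up as a burst of failed logins from one source. The following is an added example (not code from any poster, and not denyhosts itself) that applies that logic on the log side, parsing the "Failed password" lines sshd writes to the syslog auth facility and flagging any source address that exceeds a failure limit inside a sliding window. The log lines are constructed for the example (addresses are from documentation ranges), the year is an assumption because syslog timestamps carry none, and the default limit of 3 per 60 seconds mirrors the thread's iptables setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd uses for
# /var/log/auth.log or /var/log/secure. Not a real capture.
SAMPLE_AUTH_LOG = """\
Jun 18 08:56:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 18 08:56:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 18 08:56:09 host sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 18 08:56:14 host sshd[2105]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 18 08:57:30 host sshd[2110]: Accepted publickey for todd from 192.0.2.10 port 40011 ssh2
Jun 18 08:58:02 host sshd[2120]: Failed password for todd from 192.0.2.10 port 40012 ssh2
Jun 18 09:10:00 host sshd[2130]: Failed password for invalid user test from 203.0.113.7 port 51100 ssh2
"""

# One failed password attempt; "invalid user" is present when the account
# does not exist, which is the usual shape of a dictionary run.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text, year=2010):
    """Yield (timestamp, user, source_ip) for each failed password attempt.
    Syslog timestamps have no year, so the caller supplies one (assumption)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_force_sources(log_text, limit=3, window_seconds=60):
    """Return {source_ip: time the limit was first exceeded} for every source
    with more than `limit` failures inside any `window_seconds` window.
    Defaults follow the thread's "3 per minute" iptables threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, _user, ip in parse_failed_logins(log_text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the window
        if len(window) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: limit exceeded at {when:%H:%M:%S}")
```

On the sample, 203.0.113.7 makes four failures in thirteen seconds and is flagged at the fourth one; the single failure from 192.0.2.10 (a legitimate user's typo right after a key-based login) stays below the limit, and the lone attempt fourteen minutes later does not re-trigger anything because the earlier failures have left the window. A real deployment would feed the flagged addresses to a firewall rule or a denyhosts-style block list; the detection rule itself is this small.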
From: Todd on 18 Jun 2010 22:50

> Also you should never use passwords on ssh, you should require RSA
> authentication. In /etc/sshd_config
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> PasswordAuthentication no
>
> To allow access to an account you put the user's public key in
> ~/.ssh/authorized_keys

Now it makes sense. Thank you.

-T
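The quoted sshd_config lines are the core of the "no passwords, keys only" setup, and the point a practitioner most often gets wrong is that `PasswordAuthentication no` alone is not enough: sshd's keyboard-interactive method (`KbdInteractiveAuthentication`, formerly `ChallengeResponseAuthentication`, default yes) lets PAM prompt for a password anyway, and a later `Match` block can reopen password logins for one user. The following added example (not code from any poster) parses sshd_config the way sshd reads it, with case-insensitive keywords, `#` comments, `key value` or `key=value` syntax, the first obtained value winning for each keyword, and conditional `Match` sections, and audits the result against those expectations. Both config excerpts are constructed for the example; the `Match User vendor` block stands in for the vendor-access scenario earlier in the thread. `RSAAuthentication` from the quoted config is the SSH protocol 1 option and is left out of the audit.

```python
import re

# Constructed excerpt: the three quoted lines plus typical neighbours, with
# two weaknesses a quick glance would miss. Not a file from any poster's host.
SAMPLE_SSHD_CONFIG = """\
# Authentication settings
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Match User vendor
    PasswordAuthentication yes
"""

# Constructed hardened variant: keys only, and keyboard-interactive closed too.
HARDENED_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).
    global_settings: lowercased keyword -> first value seen, because sshd uses
    the first obtained value for each keyword. match_blocks: list of
    (criteria, settings) for each Match section, in file order."""
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            current = {}  # everything until the next Match is conditional
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the global section
    enforces key-only logins and no Match block reopens passwords."""
    settings, blocks = parse_sshd_config(text)
    findings = []

    def effective(keys, default):
        # first keyword in file order among the given aliases, else sshd's default
        for k, v in settings.items():
            if k in keys:
                return v.lower()
        return default

    if effective({"pubkeyauthentication"}, "yes") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if effective({"passwordauthentication"}, "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes)")
    if effective({"kbdinteractiveauthentication",
                  "challengeresponseauthentication"}, "yes") != "no":
        findings.append("keyboard-interactive authentication is enabled; "
                        "with UsePAM this still accepts passwords")
    for criteria, block in blocks:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: PasswordAuthentication yes "
                            "reopens password logins")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run against the sample, the audit reports two findings: keyboard-interactive is still open, and the vendor Match block re-enables passwords for that account. The hardened excerpt produces none. Apply it to a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after the edit and before restarting sshd, and keep an existing session open while you test the new login path so a mistake in the key setup does not lock you out.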
From: General Schvantzkoph on 19 Jun 2010 07:59

On Fri, 18 Jun 2010 19:50:26 -0700, Todd wrote:
>> Also you should never use passwords on ssh, you should require RSA
>> authentication. In /etc/sshd_config
>>
>> RSAAuthentication yes
>> PubkeyAuthentication yes
>> PasswordAuthentication no
>>
>> To allow access to an account you put the user's public key in
>> ~/.ssh/authorized_keys
>
>
> Now it makes sense. Thank you.
>
> -T

The easiest way to manage ssh is to use webmin, http://www.webmin.com
Webmin is a browser based admin tool that works on most Linux distros, you just have to point your browser at https://machinename:10000. The ssh module is under Servers/SSH Server, it will allow you to configure all of SSH's options.