ssh Access from the internet

Ansar Mohammed ansarm-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue May 13 14:39:11 UTC 2008


My real hope was to really integrate GeoIP with my packet filter. Most of these attacks come from Non-North American sources.

It seems a bit 'involved'. Has anyone done this?

> -----Original Message-----
> From: owner-tlug-lxSQFCZeNF4 at public.gmane.org [mailto:owner-tlug-lxSQFCZeNF4 at public.gmane.org] On Behalf Of
> CLIFFORD ILKAY
> Sent: May 13, 2008 10:14 AM
> To: tlug-lxSQFCZeNF4 at public.gmane.org
> Subject: Re: [TLUG]: ssh Access from the internet
> 
> Robert Brockway wrote:
> > Hi Ansar.  As others have noted allowing only PKI authentication (i.e.,
> > disabling password access) is an effective approach.  I never allow
> > password access to ssh from public IP addresses - brute force attacks
> > cannot succeed.
> >
> > This way you are safe unless there is a serious security exploit in
> > OpenSSH itself, and it is quite likely the most highly audited app on
> > your Linux box.
> >
> > I am totally against changing ports to avoid an attack.  Changing the
> > port is a form of security through obscurity and can also make it
> > impossible for you to connect from certain locations as many
> > organisations restrict outbound port connections.  Eg, they may allow
> > outbound 22 as they know it is ssh but not outbound 2222 or whatever.
> >
> > Changing port numbers as a means to avoid attacks is also not a scalable
> > solution and philosophically I disagree with this approach on this
> > basis. Or to put it another way: if everyone did this the Internet would
> > break.
> >
> > Approaches such as the use of a firewall to restrict source addresses
> > are also good but less important if you are using PKI authentication only.
> 
> This sounds very much like a repeat of a discussion we had here some
> months ago. I respectfully disagree that changing ports is a bad thing
> and reject the notion that the Internet would break as a result. Yes,
> it's security through obscurity and no, I don't care. The idea isn't
> just to thwart potential attacks but to make it more difficult for what
> are obviously scripted attacks on port 22. Changing to some other port
> all but eliminates joe job attacks. It is very easy to work around port
> blocking restrictions by using ssh port forwarding.
> 
> By the way, key-based authentication isn't always possible. FreeNX, for
> example, or at least the older version I have running, doesn't work
> unless password auth is also enabled.
> --
> Regards,
> 
> Clifford Ilkay
> Dinamis Corporation
> 1419-3266 Yonge St.
> Toronto, ON
> Canada  M4N 3P6
> 
> <http://dinamis.com>
> +1 416-410-3326
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

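An added example of the "GeoIP integrated with the packet filter" approach Ansar asks about above. It is not code from the thread or from either poster; it assumes an nftables host (which postdates this 2008 discussion, where iptables would have been the tool) and a hypothetical "start,end,country" CSV layout for the GeoIP data. The ranges embedded below are constructed test data drawn from the RFC 5737 documentation blocks, not a real country database, and the country assignments are made up for the sake of the example. As Robert notes in the quoted reply, source filtering of this kind is a noise reducer layered on top of key-only authentication, not a substitute for it.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables ruleset that admits
# new SSH connections only from IPv4 ranges whose GeoIP country is on an
# allow list and drops the rest.
#
# Assumptions: nftables is available; the GeoIP source is a CSV with the
# hypothetical columns "start,end,country". A real database (MaxMind, DB-IP,
# ...) would need its own column mapping in the awk program below.

# Constructed sample data using RFC 5737 documentation ranges. The country
# codes are invented for the example and carry no real-world meaning.
GEOIP_CSV=$(cat <<'EOF'
# start,end,country
192.0.2.0,192.0.2.255,CA
198.51.100.0,198.51.100.127,US
198.51.100.128,198.51.100.255,BR
203.0.113.0,203.0.113.255,CN
EOF
)

# geoip_allowed_ranges CSV "CC CC ..." -> one "start-end" line per range whose
# country code is in the space-separated allow list. Comment lines and
# malformed rows (fewer than three fields) are skipped.
geoip_allowed_ranges() {
    _csv=$1; _allowed=$2
    printf '%s\n' "$_csv" | awk -F, -v allowed="$_allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 3 { next }
        ($3 in ok) { print $1 "-" $2 }'
}

# count_allowed_ranges CSV "CC CC ..." -> number of ranges that passed the filter
count_allowed_ranges() {
    geoip_allowed_ranges "$1" "$2" | wc -l | tr -d ' '
}

# emit_nft_ruleset CSV "CC CC ..." [PORT] -> nftables ruleset on stdout.
# An interval set holds the allowed ranges; the first rule accepts new SSH
# connections from the set, the second drops every other new SSH connection.
# PORT defaults to 22; the port-changing debate in the thread is orthogonal.
emit_nft_ruleset() {
    _csv=$1; _allowed=$2; _port=${3:-22}
    _elems=$(geoip_allowed_ranges "$_csv" "$_allowed" | paste -sd, -)
    # An empty "elements = { }" is a syntax error in nft, so omit the line
    # when the allow list matched nothing (the set is then empty and the drop
    # rule blocks all new SSH connections, which is the fail-closed choice).
    if [ -n "$_elems" ]; then
        _elem_line="        elements = { $_elems }"
    else
        _elem_line=""
    fi
    cat <<EOF
table inet ssh_geo {
    set allowed_ssh_src {
        type ipv4_addr
        flags interval
$_elem_line
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $_port ip saddr @allowed_ssh_src ct state new accept
        tcp dport $_port ct state new drop
    }
}
EOF
}

# Usage:
#   emit_nft_ruleset "$GEOIP_CSV" "US CA" > /tmp/ssh_geo.nft
#   nft -c -f /tmp/ssh_geo.nft    # syntax-check, then load with: nft -f /tmp/ssh_geo.nft
```

Two caveats a practitioner would want: the ruleset lives in the inet family, so the final drop rule also catches IPv6 SSH connections, and an IPv6 client needs its own ipv6_addr set and accept rule before it can get in; and GeoIP data goes stale, so the set should be regenerated and reloaded whenever the database is updated, and an out-of-band way in (console, a fixed management address) should exist in case the regeneration ever produces an empty set.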