| 1 |
On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote: |
| 2 |
> I configure my sshd to only allow public key-based authentication. I use |
| 3 |
> 1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for |
| 4 |
> centuries if they want, and they won't come any closer to getting in. I |
| 5 |
> personally don't see a huge point to blocking attacks, but only if |
| 6 |
> you're set up securely. |
| 7 |
|
| 8 |
Disallowing password authentication isn't something that works for |
| 9 |
everyone (along with port knocking, running SSH on an odd port, etc). I |
| 10 |
run a server which allows public access to many people. I try to make |
| 11 |
sure passwords are secure and SSHv1 is disabled, but I really can't be |
| 12 |
locking down any more severely. |
| 13 |
|
| 14 |
With an automated script, it can cut the attacks short while at the same |
| 15 |
time alerting me to the attack. Why risk it? |
| 16 |
|
| 17 |
> Users that allow SSHv1 or allow password auth and use weak passwords, |
| 18 |
> now that is an issue to worry about, but you've got bigger problems on |
| 19 |
> your hands. |
| 20 |
|
| 21 |
Primarily my reason for using login_sentry is it emails me when an |
| 22 |
attack is occuring. This provides me with an opportunity to |
| 23 |
whois/reverse DNS the name and figure out where the attack is coming |
| 24 |
from. If it is from a US/UK/Likely English Speaking/Likely to Care ISP |
| 25 |
I will report it to their abuse desk. |
| 26 |
|
| 27 |
In almost all of these cases the machine in question has been |
| 28 |
compromised and is being used by a 3rd party cracker to scan for more |
| 29 |
vulnerable boxen (creating botnets). If you, as an admin, are willing |
| 30 |
to spend 5 minutes reporting these attacks you've potentially shut down |
| 31 |
zombie boxes and you are doing the administrator and the ISP a huge |
| 32 |
favor. |
| 33 |
|
| 34 |
-- |
| 35 |
/--------------- - - - - - - |
| 36 |
| Dan Noe, freelance hacker |
| 37 |
| http://isomerica.net/ |
Archives