On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote:
> I configure my sshd to only allow public key-based authentication. I use
> 1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
> centuries if they want, and they won't come any closer to getting in. I
> personally don't see a huge point to blocking attacks, but only if
> you're set up securely.
|
Disallowing password authentication isn't something that works for
everyone (along with port knocking, running SSH on an odd port, etc). I
run a server which allows public access to many people. I try to make
sure passwords are secure and SSHv1 is disabled, but I really can't be
locking down any more severely.
|
With an automated script, it can cut the attacks short while at the same
time alerting me to the attack. Why risk it?
|
> Users that allow SSHv1 or allow password auth and use weak passwords,
> now that is an issue to worry about, but you've got bigger problems on
> your hands.
|
Primarily my reason for using login_sentry is it emails me when an
attack is occurring. This provides me with an opportunity to
whois/reverse DNS the name and figure out where the attack is coming
from. If it is from a US/UK/Likely English Speaking/Likely to Care ISP
I will report it to their abuse desk.
|
In almost all of these cases the machine in question has been
compromised and is being used by a 3rd party cracker to scan for more
vulnerable boxen (creating botnets). If you, as an admin, are willing
to spend 5 minutes reporting these attacks you've potentially shut down
zombie boxes and you are doing the administrator and the ISP a huge
favor.
|
--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
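
Added example, not part of the original message and not login_sentry's code: a sketch of the detection step such a script performs, flagging source addresses that reach a number of failed SSH password logins inside a short window so they can be reported or blocked. The function name, the threshold, the window and the sample log lines are assumptions made for illustration; the log is expected in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd's syslog format (documentation-range addresses).
SAMPLE_LOG = """\
May 10 19:30:01 host sshd[2101]: Failed password for root from 192.0.2.44 port 40001 ssh2
May 10 19:30:03 host sshd[2102]: Failed password for illegal user admin from 192.0.2.44 port 40002 ssh2
May 10 19:30:05 host sshd[2103]: Failed password for illegal user test from 192.0.2.44 port 40003 ssh2
May 10 19:30:06 host sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
May 10 19:30:08 host sshd[2105]: Failed password for illegal user guest from 192.0.2.44 port 40004 ssh2
May 10 19:30:10 host sshd[2106]: Failed password for root from 192.0.2.44 port 40005 ssh2
May 10 19:31:00 host sshd[2107]: Failed password for bob from 198.51.100.9 port 52000 ssh2
May 10 19:45:00 host sshd[2108]: Failed password for bob from 198.51.100.9 port 52001 ssh2
"""

# Failure lines for known accounts and for unknown ("illegal"/"invalid") ones.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2005):
    """Return {ip: sorted usernames tried} for sources that reach `threshold`
    failed logins within `window`. syslog omits the year, so it is passed in."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside window
    users = defaultdict(set)      # ip -> account names attempted
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window: # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, names in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"possible brute force from {ip}, accounts tried: {', '.join(names)}")
```

The two failures for bob, fourteen minutes apart, stay below the default threshold, so a user who mistypes a password is not reported.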