Re: SSH brute force China and Linux: best practices

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: SSH brute force China and Linux: best practices

From: Joe Greco
Date: Sat Jan 30 15:52:12 2010

List-archive: <http://mailman.nanog.org/mailman/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

> > also enforce either strong passwords or require no passwords (e.g. keys
> > only) and everything should be cool.
> 
> what is 'password'?

"password" is that thing that you use when you don't want one compromised
"passphrase for your DSA key" to give access to every resource under the
sun that you have access to.

Keys are fantastic when used to access a resource with relatively
permissive (or no) IP-based access lists, automated applications, etc.

However, where I have a resource that's already heavily restricted for
SSH by ACL, I sometimes prefer an actual password that has to be dredged
out of memory.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

References:
- Re: SSH brute force China and Linux: best practices Randy Bush

Prev by Date: Re: SSH brute force China and Linux: best practices
Next by Date: Re: Countries with the most botnets
Date Index
Thread Index
Author Index
Historical