On 2017-06-30 16:08, Cameron Simpson wrote:
> On 30Jun2017 10:11, Greg Woods <woods(a)ucar.edu> wrote:
> > On Fri, Jun 30, 2017 at 9:36 AM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
> >> It's not necessarily a target on *you*, but very probably it's just
> >> targeting any computer that responds to them. Poke, get a response,
> >> keep prodding...
> >
> > Yeah, pretty much all of this is totally automated these days. [...]
> > If you have an exposed ssh server, you will see this kind of
> > doorknob-rattling. I get around it in one of four ways:
> You omitted way 0: DO NOT ALLOW PASSWORD BASED SSH. This is the single best
> thing you can do. Allowing only key-based access simply prevents all password
> based access and is cryptographically strong, instead of human-prose-imagination
> strong, which is typically awful.
> Way 0(a) is to "PermitRootLogin No" and 0(b) is to have a fixed and small
> "AllowUsers" setting.
> All your other suggestions come after that in terms of usefulness.
> Password remote login: just don't do it.
> > 1) Turn off sshd if
> > I don't really need it on a given system; 2) Use firewall rules to allow
> > access only from certain known remote locations (so I can get into my home
> > system from my desktop at work, for instance); 3) run sshd on a
> > non-standard port (won't stop the serious bad guys, but is usually good
> > enough to stop the automated doorknob-rattlers); and 4) If you really have
> > to have an ssh server that allows access from unknown remote locations, run
> > something like fail2ban that at least automatically blocks them if they try
> > too often from the same place. And the most important thing is, any of
> > these defenses can fail if you make a mistake configuring them (won't
> > happen because we're all perfect, right? :-) , so the most important thing
> > you can do is use strong passwords so that the brute force guessing cannot
> > succeed.
> No, the most important thing is to make password guessing pointless.
> Cheers,
> Cameron Simpson <cs(a)zip.com.au>
And what do I do if I have to log in from a different machine than one of mine?
Should I hang a tag or key with the key to my computers on my key chain when
traveling? A long password like farcicalGrebling is not likely to be found by
anybody in any reasonable amount of time, e.g. before I am dead and decomposed.
I developed a bad habit back in the 50s of actually running numbers on problems.
I think that is why I was a heartless young adult, e.g. a conservative/libertarian
sort of creature. Numbers talk to me. Ideals don't.
I've noticed in security there are a LOT of "assumptions" or "ideals" that
really ain't so. Change your password every x days is one such. Change it
whenever you think there is any chance it was compromised regardless of the
number of days. I'm working on decades on that one. I am VERY careful where I
type in any passwords to my accounts. I pick reasonably safe for a high value of
reasonably rather than try to fool myself that I can make it absolutely safe.
It's several thousands of times harder to get in through a password on my
systems than it is to use other malware means. So why harden ssh logins any
further? Make a Fermi number analysis of the likelihood of problems and work on
the worst ones not the best ones.
{^_^}
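A small audit script for the "way 0" settings Cameron lists, added here as an example and not part of the thread or of OpenSSH itself. It assumes the OpenSSH 7.0+ defaults for absent keywords, parses only the global part of sshd_config (everything before the first Match block), and uses a constructed sample file:

```sh
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config file for the
# three settings Cameron calls "way 0": no password auth, no root login,
# and a fixed AllowUsers list. Assumes OpenSSH 7.0+ defaults for absent
# keywords (PasswordAuthentication yes, PermitRootLogin prohibit-password).
# Only the "Keyword value" form is parsed, and only global settings:
# anything after the first Match block is ignored and must be checked
# separately, since a Match block can re-enable password logins.

# effective_value FILE KEYWORD: the value sshd will use, or "" if unset.
# Keywords are case-insensitive and the FIRST occurrence wins.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, "") }                    # drop comments
        tolower($1) == "match" { exit }       # stop at the first Match block
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per setting; exit status 0 if
# all three are in place, 1 if any is missing or weak.
audit_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    case "$(printf '%s' "${pw:-yes}" | tr '[:upper:]' '[:lower:]')" in
        no) echo "ok   PasswordAuthentication no" ;;
        *)  echo "WEAK PasswordAuthentication ${pw:-unset, defaults to yes}"; rc=1 ;;
    esac
    root=$(effective_value "$1" PermitRootLogin)
    case "$(printf '%s' "${root:-prohibit-password}" | tr '[:upper:]' '[:lower:]')" in
        no) echo "ok   PermitRootLogin no" ;;
        *)  echo "WEAK PermitRootLogin ${root:-unset, defaults to prohibit-password}"; rc=1 ;;
    esac
    users=$(effective_value "$1" AllowUsers)
    if [ -n "$users" ]; then
        echo "ok   AllowUsers $users"
    else
        echo "WEAK AllowUsers unset (every account is a login target)"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a typical distro default that still allows passwords.
sample=$(mktemp)
printf 'Port 22\n#PermitRootLogin prohibit-password\nAllowUsers alice\n' > "$sample"
if audit_sshd_config "$sample"; then echo "hardened"; else echo "needs attention"; fi
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on a real host; the exit status makes it usable from a cron job or configuration check.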