On 11/21/05, Wolfgang S. Rupprecht >
Yup. Setting up real public-key authentication is several hundred
orders of magnitude stronger against guessing attacks than changing
the ssh portnumbers or adding bad hosts into some IP level filter
table and hoping the attackers won't guess a good password before they
run out of IP addresses to test from.
(And yes, I did really mean hundreds of orders of magnitude. An
attacker has 1 chance in 10**308 of guessing the 1024-bit public key
on each try if they follow the same brute-force attack. Given a
billion tests per second and the whole age of universe up to this
time, we are still only talking a 1 in 10**281 chance.)
Even harder, if there's a password on that key. The other part of
this discussion, I thought, was the DoS-ability of these ssh attacks.
That is, do these ssh attacks prevent legitmate users from accessing
regardless of the authentication mechanism configured for sshd?
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in
the bath water. You got to throw 'em both out." --Dale Gribble