Re: [opensuse] Results of moving ssh to a high port - Zero scriptkiddies in a 24 hour period.
- From: Hans Witvliet <hwit@xxxxxxxxxxx>
- Date: Sat, 29 Nov 2008 13:11:51 +0100
On Sat, 2008-11-29 at 10:30 +0000, G T Smith wrote:
<snip>
I would generally prefer the password protected key option (to use the
key you have to authenticate with a password), which is same difference
in the latter context. The thing about household or computer keys (like
single socks, paper clips, and pens) is they can get lost, usually when
you most need them :-) . If the wrong person gets the lost key then you
could be toast if the key is not protected.
For private use I tend to prefer password entry plus blocks on the external
firewall, as I have very little call for external ssh access at the
moment. On the very rare occasions I think I will need it (once in the
last 12 months or so), I set up the port to be opened at the external
firewall at a fixed time for a fixed time. (The key is in your head, and
if you lose that you have other things to worry about :-) ).
What I would like to do is fix up some sort of single sign on, so one
authentication allows access to networked resources at a network level, but
unfortunately for *NIX this would be a major project (and getting this
to work with ssh, cups, apache and samba etc could be a major pain). So
one has one strong point of entry rather than several points of varying
strength.
It's the usual trade-off between security level and ease of
use/maintainability....
For gaining access to a specific (or any) node in your network, you
might consider the use of tokens (Aladdin, Kobil). Almost all systems
have a USB port nowadays. Private keys protected by a PIN code that
snaps after three failed attempts.
It raises the security level drastically, but at what cost, is it
worthwhile?
OTOH, using single-sign-on techniques (distributing trusted keys,
kerberos etc etc) removes security barriers. Instead of access to a
specific node, one gets access to all nodes.
In case you want to avoid the maintenance of tokens, there is still
another option I saw last week. If one wants to log in, send the user a
one-time password via an SMS message on his GSM...
(It seems that ordinary lusers are more careful about their private GSM
and PIN code than with company tokens....)
hw
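The timed firewall opening G T Smith describes above (open the sshd port at the external firewall for a fixed time, then close it again), written out as an added shell example that is not from this thread. It assumes an iptables host whose INPUT chain otherwise drops unsolicited inbound traffic; the names FW and open_ssh_window and the sample port and source range are illustrative.

```shell
#!/bin/sh
# Time-boxed SSH access window: insert a firewall ACCEPT rule for the
# sshd port, then remove it again after a fixed number of minutes.
# Added example, not from the thread. Assumes iptables and an INPUT
# chain that drops unsolicited inbound traffic by default.
# The firewall command is overridable (FW=...) so it can be dry-run.

FW="${FW:-iptables}"

# open_ssh_window PORT MINUTES [SOURCE_CIDR]
# Opens PORT/tcp (optionally only from SOURCE_CIDR) for MINUTES minutes.
# Restricting the source keeps the window from being a global opening.
open_ssh_window() {
    port="$1"; minutes="$2"; src="${3:-0.0.0.0/0}"
    case "$port" in *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;; esac
    case "$minutes" in *[!0-9]*|"") echo "bad minutes: $minutes" >&2; return 1 ;; esac
    rule="INPUT -s $src -p tcp --dport $port -j ACCEPT"
    # Insert at the top of the chain so it wins over a later DROP/REJECT.
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    "$FW" -I $rule || return 1
    echo "opened tcp/$port from $src for $minutes min"
    # Detached timer deletes the rule again; -D removes the first match.
    (
        sleep $((minutes * 60))
        # shellcheck disable=SC2086
        "$FW" -D $rule
        echo "closed tcp/$port from $src"
    ) &
}
```

Established sessions survive the rule removal only if the firewall has a preceding rule accepting ESTABLISHED traffic, which is the usual layout but must be checked on the host.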