2009/6/28 Polytropon free...@edvax.de:
On Sat, 27 Jun 2009 21:17:11 -0400, Daniel Underwood djuatde...@gmail.com
wrote:
Exactly. For example, the server in question is a desktop machine
at work. I regularly see transfer rates of 13MB/s. It's at a major
university, which is by itself
Daniel Underwood wrote:
laptop to connect to the server. Due to the speed and location of the
connection, it's a relatively high-risk target.
Can you tell me what you mean with that? I mean, imho a server must been
consider always a risk target.
Perhaps I don't understand.
Jos Chrispijn
Jos Chrispijn wrote:
Daniel Underwood wrote:
laptop to connect to the server. Due to the speed and location of the
connection, it's a relatively high-risk target.
Can you tell me what you mean with that? I mean, imho a server must been
consider always a risk target.
Perhaps I don't
As I believe has already been answered in this thread, the better connected
a server is to the Internet, the higher its value to several varieties of
miscreants. Given a choice between a server connected via a close to
saturated T1 somewhere in the back waters of the Internet and a server
On Sat, 27 Jun 2009 21:17:11 -0400, Daniel Underwood djuatde...@gmail.com
wrote:
Exactly. For example, the server in question is a desktop machine
at work. I regularly see transfer rates of 13MB/s. It's at a major
university, which is by itself another high-risk factor, precisely
because
On Tue, 23 Jun 2009 22:37:12 +0200
Erik Norgaard norga...@locolomo.org wrote:
You're right, as long as port-knocking as a first pass authentication
scheme is not in wide spread use, then any attackers will not waste
time port-knocking. If ever port-knocking becomes common, attackers
will
RW wrote:
On Tue, 23 Jun 2009 22:37:12 +0200
Erik Norgaard norga...@locolomo.org wrote:
You're right, as long as port-knocking as a first pass authentication
scheme is not in wide spread use, then any attackers will not waste
time port-knocking. If ever port-knocking becomes common, attackers
On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
RW wrote:
On Tue, 23 Jun 2009 22:37:12 +0200
Erik Norgaard norga...@locolomo.org wrote:
You're right, as long as port-knocking as a first pass authentication
scheme is not in wide spread use, then any attackers will not
Point remains: Adding port knocking does not solve any security problem, it
only adds
complexity, cost, points of failure, inconvenience etc while making your
problem appear
differently and leaving you with the illusion of being more secure.
I think that's grossly overstated, if not just
cpghost wrote:
On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
But port knocking can be useful and provide more security *if* you
modify the kocking sequence algorithmically and make it, e.g. a
function of time, source IP/range (and other factors). This could
prevent a whole class
On Wed, Jun 24, 2009 at 04:50:01PM +0200, Erik Norgaard wrote:
cpghost wrote:
On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
But port knocking can be useful and provide more security *if* you
modify the kocking sequence algorithmically and make it, e.g. a
function of time,
On Wed, 24 Jun 2009 17:12:59 +0200
cpghost cpgh...@cordula.ws wrote:
It all boils down to this: do you login from a secure machine
or not? Each tool has its own set of uses. When I want to log in
from a public terminal, I prefer OPIE;
OPIE is probably fine in almost all cases, but you may
On Mon,06/22/09 [21:16:35], Daniel Underwood wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf rules to filter by IP). I
connection, it's a relatively high-risk target.
What are some good practices for securing this SSH server. Is using a
stored key safer than a password in this instance? I have no
If your password is not trivial, then it is secure.
using RSA/DSA keys is as good, if you are sure nobody will get
If for some reason you would prefer to use password authentication, I
would recommend that you look into automatic brute force detection.
There are a number of utilities in ports available for this purpose,
including security/sshguard and security/denyhosts.
good, but not really important with
Wojciech Puchar wrote:
If for some reason you would prefer to use password authentication, I
would recommend that you look into automatic brute force detection.
There are a number of utilities in ports available for this purpose,
including security/sshguard and security/denyhosts.
good, but
You can't do more than maybe 10 attempts/second this way, while cracking
10 character password consisting of just small letters and digits needs
10 characters is a longer than usual password. Most people have been
conditioned into using a 7 or 8 character password, which is at least a
so
2009/6/23 Wojciech Puchar woj...@wojtek.tensor.gdynia.pl:
If for some reason you would prefer to use password authentication, I
would recommend that you look into automatic brute force detection.
There are a number of utilities in ports available for this purpose,
including security/sshguard
99% of crack attempts are done by kevin mitnick methods, not password
cracking.
You're right about the probability of password breaking, but
personally I installed denyhosts just because I got sick of this:
indeed, it's very useful but it's not a requirement at all to be secure :)
The only
99% of crack attempts are done by kevin mitnick methods, not password
cracking.
Absolutely true. Mitnick was an early exponent of Social Engineering
attacks, which are still the easiest and most effective methods for
Mitnick just chose the best possible friend - human stupidity. It never
why does the speed of a connection make it a higher risk?
Super-fast connections are ideal targets for people to install private
fileservers (among other things).
___
freebsd-questions@freebsd.org mailing list
I do not believe that tricks like running ssh on a
non standard port or using port-knocking provide
much extra security.
I can understand that varying the port is not a very strong defensive
measure, but I don't understand your point about port-knocking.
If you configure a complex and
Daniel Underwood wrote:
I do not believe that tricks like running ssh on a
non standard port or using port-knocking provide
much extra security.
I can understand that varying the port is not a very strong defensive
measure, but I don't understand your point about port-knocking.
If you
In response to Erik Norgaard norga...@locolomo.org:
Daniel Underwood wrote:
I do not believe that tricks like running ssh on a
non standard port or using port-knocking provide
much extra security.
I can understand that varying the port is not a very strong defensive
measure, but I
Bill Moran wrote:
In response to Erik Norgaard norga...@locolomo.org:
You add an extra layer of inconvenience and complexity, more things that
can fail and possibly result in an insecure server:
I would agree with you, except ...
- dynamically updating firewall rules on the interface
On Mon, Jun 22, 2009 at 22:50, pradp...@towardsfreedom.com wrote:
On Mon, 22 Jun 2009 21:16:35 -0400
Daniel Underwood djuatde...@gmail.com wrote:
Due to the speed and location of the
connection, it's a relatively high-risk target.
why does the speed of a connection make it a higher risk?
A port-knocking sequence is really nothing different than a shared password.
Technically and conceptually, that's true. But practically, I'm not
sure you're right. If in addition to attempting to enumerate the
space of possible passwords, an attacker also enumerates the space of
possible
Daniel Underwood wrote:
A port-knocking sequence is really nothing different than a shared password.
Technically and conceptually, that's true. But practically, I'm not
sure you're right. If in addition to attempting to enumerate the
space of possible passwords, an attacker also enumerates
In response to Erik Norgaard norga...@locolomo.org:
Bill Moran wrote:
In response to Erik Norgaard norga...@locolomo.org:
- dynamically updating firewall rules on the interface facing the
Internet is not on my list of good practices. loading or flushing rules
continuously is the
Bill Moran wrote:
In response to Erik Norgaard norga...@locolomo.org:
Bill Moran wrote:
In response to Erik Norgaard norga...@locolomo.org:
I do, you can put your interface in promiscuous mode and let the daemon
grab packets before they are filtered by the firewall, or open in your
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf rules to filter by IP). I will always, however, use the same
laptop to connect to
On 06/22/2009 06:16 PM, Daniel Underwood wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf rules to filter by IP). I will
On Mon, Jun 22, 2009 at 9:43 PM, Benjamin Lee b...@b1c1l1.com wrote:
On 06/22/2009 06:16 PM, Daniel Underwood wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that
On Tue, Jun 23, 2009 at 9:43 AM, Benjamin Leeb...@b1c1l1.com wrote:
On 06/22/2009 06:16 PM, Daniel Underwood wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are
On Mon, Jun 22, 2009 at 9:16 PM, Daniel Underwood djuatde...@gmail.comwrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf
On 6/22/09, Daniel Underwood djuatde...@gmail.com wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf rules to filter by
On Mon, 22 Jun 2009 21:16:35 -0400
Daniel Underwood djuatde...@gmail.com wrote:
Due to the speed and location of the
connection, it's a relatively high-risk target.
why does the speed of a connection make it a higher risk?
is it because bruteforce techniques can capitalize on the speed?
--
Daniel Underwood wrote:
On a BSD box at work (at an extremely fast connection and static IP),
I run an SSH server. I am the only person who uses the server, but I
use it from some locations that are behind a dynamic IP (so I can't
set pf rules to filter by IP). I will always, however, use the
38 matches
Mail list logo
