Interesting, I'm going to have to try that. I move SSH to a random port off in the boonies, that alone eliminated brute-force attempts on my end. Still, passwords are so 1970s. Certs are where all the cool kids are stashing their goodies nowadays :)
On Mon, Feb 3, 2014 at 12:08 PM, Michael Torrie <torr...@gmail.com> wrote:

> On 02/03/2014 11:52 AM, S. Dale Morrey wrote:
> > I misunderstood the without-password to mean they can login without a
> > password.
> > Guess that makes more sense. I can't imagine a situation except for
> > possibly embedded and not connected to the internet that you would want
> > root to login without a password.
>
> I configured my VPS to disallow ssh password logins for _all_ users,
> including root, except from specific IP addresses. Combine that with a
> fail2ban script, and I don't have any problems with brute-force ssh
> attacks anymore. I don't bother with moving my sshd to a different
> port, or port-knocking.
>
> Also I have started putting passwords on all my important ssh keys
> (encrypts the keys), just for added safety in case a key file gets
> lifted off my computer somehow. ssh-agent and the agents built into
> most modern desktop environments can cache the keys and it makes it
> fairly painless to use.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
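An added example, not part of the thread: a small audit of the setup described in the quoted message (password logins off for everyone, allowed only from specific addresses), reporting per scope whether password login and root password login remain possible. The sample config, its documentation address `203.0.113.10`, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample config; 203.0.113.10 is a documentation address.
SAMPLE = """\
# sshd_config (constructed)
PermitRootLogin without-password
PasswordAuthentication no

Match Address 203.0.113.10
    PasswordAuthentication yes
"""

def parse_blocks(text):
    """Split config into [(criteria, settings)]; criteria is None for the global part.
    Within one block the first value seen for a keyword wins, as in sshd."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))  # a Match line opens a new scope
        else:
            blocks[-1][1].setdefault(key, value.lower())
    return blocks

def password_scopes(text):
    """Return {scope: (password_login, root_password_login)} for the global
    section and for each Match block layered over it. Include files are not followed."""
    blocks = parse_blocks(text)
    base = blocks[0][1]
    result = {}
    for criteria, settings in blocks:
        eff = {**base, **settings}
        pw = eff.get("passwordauthentication", "yes") == "yes"  # sshd default: yes
        # Assumption: an unset PermitRootLogin is treated as "yes" (worst case).
        root_pw = pw and eff.get("permitrootlogin", "yes") == "yes"
        result[criteria or "global"] = (pw, root_pw)
    return result

if __name__ == "__main__":
    for scope, (pw, root_pw) in password_scopes(SAMPLE).items():
        print(f"{scope}: password={pw} root_password={root_pw}")
```

On a live host, `sshd -T -C addr=<ip>,user=<name>` prints the effective settings sshd itself would apply to a given connection and is the authoritative check.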