Re: Idea to secure ssh

2006-03-15 Thread Neal Murphy
On Wednesday 15 March 2006 11:06, Goswin von Brederlow wrote: > He trying to solve that a tcp connect to port 22 establishes a > connection and thereby reveals that the server is running an sshd and > attacking it makes sense. > > His idea is to add a 100% non responsive knocking (using udp) before

Re: Idea to secure ssh

2006-03-15 Thread Michael Stone
On Wed, Mar 15, 2006 at 05:06:34PM +0100, Goswin von Brederlow wrote: His idea is to add a 100% non responsive knocking (using udp) before the actual ssh handshake so unauthorized clients can't even determine that sshd is running. Not that I find that useful but that's the idea. Traditional por

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-15 Thread Thomas Seliger
Neal Murphy wrote: The point is to reduce brute-force attacks to the point of nearly total ineffectiveness. I use OpenSSH public/private key authentication to achieve this. Based on needs one could also use two factor authentication (e.g. one time password tokens) or even a combination of

Re: Idea to secure ssh

2006-03-15 Thread Goswin von Brederlow
Michael Stone <[EMAIL PROTECTED]> writes: > On Wed, Mar 15, 2006 at 02:35:53PM +0100, Goswin von Brederlow wrote: >>Michael Stone <[EMAIL PROTECTED]> writes: >>> No, anyone can generate encrypted parts. IMHO, there's not much chance >>> that the decryption routines in your magic udp parser are goi

Re: Idea to secure ssh

2006-03-15 Thread Michael Stone
On Wed, Mar 15, 2006 at 02:35:53PM +0100, Goswin von Brederlow wrote: Michael Stone <[EMAIL PROTECTED]> writes: No, anyone can generate encrypted parts. IMHO, there's not much chance that the decryption routines in your magic udp parser are going to be less vulnerable than those in openssh itsel

Re: Idea to secure ssh

2006-03-15 Thread Goswin von Brederlow
Michael Stone <[EMAIL PROTECTED]> writes: > On Mon, Mar 13, 2006 at 03:03:24PM -0500, Neal Murphy wrote: >> Yes, allowing UDP packets in is, in a sense, an open port, but it's >> a one-way port. UDP packets have a fixed maximum size and the >> information carried in the packet is trivial in nature

Re: Idea to secure ssh

2006-03-15 Thread Goswin von Brederlow
"Michel Messerschmidt" <[EMAIL PROTECTED]> writes: > Neal Murphy said: >> The point is to obscure the ssh server from everyone, including those > who >> are authorized to access it remotely. > > You're right, this is just the old idea of "security by obscurity". And quite pointless. Better instal

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-14 Thread Michael Stone
On Mon, Mar 13, 2006 at 11:06:38PM -0500, Neal Murphy wrote: The point is to obscure the ssh server from everyone, including those who are authorized to access it remotely. The point is to reduce brute-force attacks to the point of nearly total ineffectiveness. No more so than simply configu

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-14 Thread Michel Messerschmidt
Neal Murphy said: > The point is to obscure the ssh server from everyone, including those who > are authorized to access it remotely. You're right, this is just the old idea of "security by obscurity". > The point is to reduce brute-force attacks to the point of nearly total > ineffectiveness.

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Neal Murphy
On Monday 13 March 2006 20:07, Michael Stone wrote: > On Mon, Mar 13, 2006 at 03:03:24PM -0500, Neal Murphy wrote: > >The idea is to present information to the server that only the server can > >decrypt, and that, in theory, only the authorized user could have > > generated. > > Much like an authen

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Michael Stone
On Mon, Mar 13, 2006 at 03:03:24PM -0500, Neal Murphy wrote: The idea is to present information to the server that only the server can decrypt, and that, in theory, only the authorized user could have generated. Much like an authentication system. What's the point of all this over just authent

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Neal Murphy
On Monday 13 March 2006 09:38, [EMAIL PROTECTED] wrote: > On Mon, Mar 13, 2006 at 03:19:30AM -0500, Neal Murphy wrote: > > It seems kind-of counterproductive to set up SSH for secure access, then > > advertise to the universe that it's there. Thus my idea: > > > > Consider: > > - sshd listens on

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread dsr
On Mon, Mar 13, 2006 at 03:19:30AM -0500, Neal Murphy wrote: > It seems kind-of counterproductive to set up SSH for secure access, then > advertise to the universe that it's there. Thus my idea: > > Consider: > - sshd listens on a pre-shared UDP port for 'a knock on the door', > specificall

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread johannes weiß
Hi Guys, > [...] I use fail2ban and I'm very happy with it. Just my 2 cents, regards, johannes

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Nicolas Rachinsky
* Neal Murphy <[EMAIL PROTECTED]> [2006-03-13 03:19 -0500]: > Consider: [...] Sounds like putting http://ingles.homeunix.org/software/ost/ into ssh(d). Nicolas -- http://www.rachinsky.de/nicolas

Re: Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Joerg Rieger
On Mon, Mar 13, 2006 at 03:19:30AM -0500, Neal Murphy wrote: [...] > My idea is akin to a monastery that has no visible way in or out. If someone > wants in, he has to know where to knock, using the Super Secret Squirrel > coded knock. Then he has to wait a bit before he tries to pass his > cr

Idea to secure ssh [was: howto block ssh brute-force]

2006-03-13 Thread Neal Murphy
On Monday 13 March 2006 01:24, fgeek wrote: > > Hello, > > > > once in a while (say, every two weeks) I get a brute-force > > login/password scan attempt in my server (i.e., a single ip tries > > dictionary account names and passwords at random). SSH access is > > needed by many users, and (RSA/DS