On Tue, May 6, 2008 at 8:40 PM, Andrew Sayers
<[EMAIL PROTECTED]> wrote:
> Based on this evidence, does anybody object to a bug report being filed
>  against openssh-server, saying that password authentication should be
>  disabled by default?  Of course, that leaves all my ideas in serious
>  trouble, but that's a secondary matter.
>

One intermediate takeaway from the study is that using a high
non-standard port is often good enough (for now).

Also, having denyhosts configured with a sync download threshold of
3 will block a high percentage (I think it said 75% or so).

You have to remember that security is a game of escalation and
even though people should try to stay ahead of the attackers,
they often don't. Should Ubuntu packages force them to do things
that they don't necessarily yet understand? I think that topic is
a thread of its own if people want to go down that path.

More closely to the thread at hand, a reasonable amount of security could
be gained by using a non-standard port, a hard username/password, and/or
using SSH keys.

Cheers,
Todd

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
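
The settings named in the message above (a non-standard port, password versus key authentication) can be read back from a server's `sshd_config`. The script below is an added example, not part of the original e-mail; its function names are hypothetical, and it assumes a single config file with no `Include` handling, reading only the global section before the first `Match` block.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of sshd_config.

# Print every global value of KEYWORD, in file order.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v key="$2" '
        BEGIN { key = tolower(key) }                  # keywords are case-insensitive
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }    # trim the line
        /^#/ || /^$/ { next }                         # skip comments and blanks
        { split($0, f, /[ \t=]+/); kw = tolower(f[1]) }   # "Key value" or "Key=value"
        kw == "match" { exit }                        # stop at the first Match block
        kw == key { print f[2] }
    ' "$1"
}

# sshd keeps the first value it sees for a keyword; fall back to DEFAULT.
sshd_first() {  # usage: sshd_first FILE KEYWORD DEFAULT
    v=$(sshd_values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

sshd_audit() {  # usage: sshd_audit FILE; prints one finding per line
    # Port may be given several times; every listed port is a listener.
    ports=$(sshd_values "$1" Port | tr '\n' ' ')
    ports="${ports:-22 }"
    case " $ports" in
        *" 22 "*) echo "WARN port: listening on default 22" ;;
        *)        echo "OK port: ${ports% }" ;;
    esac
    if [ "$(sshd_first "$1" PasswordAuthentication yes)" = yes ]; then
        echo "WARN password: PasswordAuthentication is enabled"
    else
        echo "OK password: PasswordAuthentication is disabled"
    fi
    if [ "$(sshd_first "$1" PubkeyAuthentication yes)" = yes ]; then
        echo "OK pubkey: key authentication is enabled"
    else
        echo "WARN pubkey: key authentication is disabled"
    fi
}

# Constructed sample config, so the script runs as-is.
sample=$(mktemp)
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' > "$sample"
sshd_audit "$sample"
rm -f "$sample"
```

On a real host, point `sshd_audit` at `/etc/ssh/sshd_config`; a missing keyword is reported with sshd's default (port 22, both authentication methods enabled).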
