That means ssh will ask for a password only for valid accounts. That means that you can brute force the machine for valid accounts, knowing that if ssh asks for a password, the account really exists on the machine.
He meant that this fact is a security risk, and he is right, because once you know what valid accounts there are on the machine, you can focus on them and brute force for a password on them...
Disable password-based logins and use ssh keys... It's so much harder to break than a password that is, I believe, 16 characters long at maximum (?)
Just leave ssh open for invalid logins too (e.g., ask for a password for any login, valid or invalid)... Don't let them know what logins exist on the machine...
Rod Rodolico wrote:
> They never found a valid account. I just saw them trying hard, and was afraid they would actually find one that had shell access. Actually, I don't remember them finding a real account of anyone on the box (though I didn't do a point by point comparison). This was more a preventive measure, just in case they did. If I'm not understanding what you mean, please let me know. I doubt this will be the last time I have to do this.
>
> Rod
>
>> From a security point of view that is actually a bad idea, as the people trying to connect will now immediately know if they have found a valid account and can then work on finding the password for that account.
>>
>> R. W. Rodolico wrote:
>>> No, just the fact that they did not get in. Example:
>>>
>>> Jun 13 08:30:38 stargazer sshd[11700]: Failed password for illegal user testuser from ::ffff:69.0.78.35 port 50494 ssh2
>>> Jun 13 08:30:42 stargazer sshd[11702]: Illegal user testuser from ::ffff:69.0.78.35
>>>
>>> Rod
>>>
>>> P.S. I did change the port, but they found it again. However, I have set up ssh now where it rejects all but two accounts even before attempting to authenticate.
>>>
>>> RWR

> Ciao,
> I noticed that *BSD logs the attempted password in the syslog too... is there a way to do the same on Linux too?
>
> --
> Bye
> Enrico
> - Windows gives you just a little piece of the horizon. Use Linux.
> "and you shall see those who are content in the fire, because they hope to come, whenever it may be, among the blessed people." -- Inferno, Canto I, vv. 118-120
--
Jean-Christophe Montigny
Head of the Web Committee, Association Planètes
Server administrator for assoces.com, Association Planètes
Second-year student at Grenoble Ecole de Management
Major: Information Systems Organisation Consulting
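The log lines Rod quoted already carry the distinction the thread cares about: sshd writes "Failed password for illegal user X" when the account does not exist, but only "Failed password for X" when it does. The following script is an added example, not code from anyone on the list; it splits failures per source address into guesses against nonexistent accounts and guesses against real ones, so an admin can answer Rod's question ("did they ever find a real account?") from the log instead of by eye. The sample log is constructed in the format of the quoted lines with documentation-range addresses; the "invalid user" wording is assumed to be what current OpenSSH logs in place of the older "illegal user", and the IPv4-mapped `::ffff:` form seen in the thread is folded back to plain IPv4 so one attacker is not counted twice.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth log, in the format of the sshd lines quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not real attackers; "rod" stands for
# an account that exists on the box, "testuser"/"oracle" for accounts that do not.
SAMPLE_LOG = """\
Jun 13 08:30:38 stargazer sshd[11700]: Failed password for illegal user testuser from ::ffff:203.0.113.9 port 50494 ssh2
Jun 13 08:30:42 stargazer sshd[11702]: Illegal user testuser from ::ffff:203.0.113.9
Jun 13 08:30:51 stargazer sshd[11704]: Failed password for invalid user oracle from 198.51.100.7 port 41022 ssh2
Jun 13 08:31:02 stargazer sshd[11706]: Failed password for rod from 198.51.100.7 port 41030 ssh2
Jun 13 08:31:09 stargazer sshd[11708]: Failed password for rod from 198.51.100.7 port 41031 ssh2
Jun 13 08:31:15 stargazer sshd[11710]: Accepted publickey for rod from 192.0.2.4 port 5522 ssh2
"""

# "illegal user" is the wording in the thread's sshd; "invalid user" is assumed for
# current OpenSSH. A failure WITHOUT either marker means the account exists.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# sshd also logs the nonexistent name on its own line ("Illegal user X from IP").
UNKNOWN_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")


def normalise_ip(raw):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d, as in the thread's log) to plain
    IPv4 so the same source is not keyed two different ways."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for plain IPv4/IPv6
    return str(mapped or addr)


def summarise(log_text):
    """Per source IP: which nonexistent and which existing accounts were tried,
    and how many password failures were logged."""
    per_ip = defaultdict(lambda: {"nonexistent": set(), "existing": set(), "failures": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = per_ip[normalise_ip(m["ip"])]
            entry["failures"] += 1
            (entry["nonexistent"] if m["bad"] else entry["existing"]).add(m["user"])
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            per_ip[normalise_ip(m["ip"])]["nonexistent"].add(m["user"])
    return dict(per_ip)


def sources_hitting_real_accounts(summary):
    """The case Rod was worried about: sources that have moved on from guessing
    names to guessing passwords for accounts that exist. Returns {ip: [accounts]}."""
    return {ip: sorted(e["existing"]) for ip, e in summary.items() if e["existing"]}


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(f"{ip}: {e['failures']} failures, nonexistent={sorted(e['nonexistent'])}, "
              f"existing={sorted(e['existing'])}")
    print("hitting real accounts:", sources_hitting_real_accounts(summary))
```

On a real box, feed it the contents of /var/log/auth.log (or the sshd journal) instead of SAMPLE_LOG. Successful logins are deliberately ignored; the point is to see which sources have stopped probing names and started working on a password for an account that is really there, which is exactly the information the pre-authentication rejection discussed above hands to the attacker for free.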