
Re: Reporting brute force ssh login attempts



On Wed, Nov 15, 2006 at 09:04:08PM -0600, Nate Bargmann wrote:
> 
> Is using only version 2 public key authentication not possible?  I'm
> just learning ssh, so maybe I'm misled thinking that is less vulnerable
> to a brute force attack.
> 

Whether or not just using ssh2 with public keys is possible depends
greatly on his requirements and his users.  If the users can be
convinced or trained to use keys, then it is by far the best way to go.
However, users must be taught about proper key discipline, including
things like having good passphrases on keys (something which I did not
do for a long time) and having different keys for different hosts.

Restricting access to only key-based logins makes a brute force attack a
practical impossibility.  However, the concern becomes that someone can
compromise a user's key.  Now, the possibility that a key is compromised
is dramatically less than that of a password getting brute forced.  That
is because the adversary must gather quite a bit of intelligence (i.e.,
identify one or more users of the target system) and then somehow
compromise that user's computer(s) and the associated key passphrase.
That is not impossible, but neither is it a small task.  That is what
makes key-based logins (especially with password logins completely
disabled) so nice.  It greatly diminishes your attractiveness as a
target.

Regards,

-Roberto
-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
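
An added illustration of "password logins completely disabled" (not part of the original message): a small audit of sshd_config text that reports settings which still leave a password-style or SSH version 1 login path open. It assumes OpenSSH's first-value-wins keyword handling and the deprecated ChallengeResponseAuthentication alias, treats an absent Protocol line as version 2 only, and does not follow Include files; the sample config is constructed.

```python
import re

ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# keyboard-interactive counts too: backed by PAM it can still ask for a password.
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")
DEFAULTS = {key: "yes" for key in PASSWORD_KEYS}  # sshd_config(5) defaults

def parse(text):
    """Return (global settings, [(Match condition, settings)]); first value wins."""
    glob, blocks = {}, []
    current = glob
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if not parts[0] or parts[0].startswith("#"):
            continue  # blank line or comment
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":  # lines after this apply only when the condition holds
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value.lower())
    return glob, blocks

def audit(text):
    """List the ways this config still permits password-style or SSHv1 logins."""
    glob, blocks = parse(text)
    findings = []
    if "1" in re.split(r"\s*,\s*", glob.get("protocol", "2")):
        findings.append("global: Protocol line allows SSH version 1")
    for key in PASSWORD_KEYS:
        if glob.get(key, DEFAULTS[key]) != "no":
            findings.append(f"global: {key} is not set to no")
    for cond, settings in blocks:  # a Match block can re-enable passwords
        for key in PASSWORD_KEYS:
            if settings.get(key, "no") != "no":
                findings.append(f"Match {cond}: {key} re-enabled")
    return findings

# Constructed sample input, not taken from the original message.
SAMPLE = """Protocol 2,1
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.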


