
Re: Continuous brute force attempt from own server !!!



On Sat, 27 Jul 2013, Brian wrote:
> On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
> > On 07/26/2013 11:26 PM, Brian wrote:
> > > Does this 'good idea' have reasons to support it?
> > 
> > It is for much the same reasons that passwords are rotated.  It was
> > mainly this draft that convinced me:
> > 
> > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
> > 
> > It mentions rotating the keys in several places.
> 
> Thank you, that was an interesting read. The focus of the draft is on
> organisations which utilise SSH keys extensively, so in such a situation
> I can understand a recommendation for key rotation because ignoring it
> may have disastrous consequences. Users with small networks and with
> well managed access to them would rarely have a need to change passwords
> or keys at predetermined intervals.

If you have that key sitting anywhere outside of a hardened smartcard, you
should rotate it every so often, in case someone managed to snag a copy of
it while you were not paying attention.  It is NOT too much pain to rotate
keys once a year, unless you're doing it wrong in the first place.

It is also good practice to never share the same key across hosts (or if
that's impractical, across security domains), and to have specific keys for
specific services.  This practice can greatly reduce the damage caused by a
compromised key.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
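The two practices in the message above (one key per host or service, and
periodic rotation) are easy to script. The following is an added example and
not code from the thread or from any of the participants. It assumes OpenSSH's
ssh-keygen and a ~/.ssh/config that honours IdentityFile and IdentitiesOnly;
the public-key lines used for the demo are constructed placeholders, not real
keys, and the file names host-a.auth / host-b.auth stand in for the
authorized_keys files of two separate hosts.

```shell
#!/bin/sh
# Added example: per-host SSH keys and a rotation step on the authorized_keys
# side.  Key blobs used below are constructed placeholders, not real keys.
set -eu

# Generate a dedicated key for one host (or service).  The file name and the
# comment encode the host and a date stamp, so a key is never reused across
# hosts and the age of a key is visible at a glance.  Requires ssh-keygen.
new_key_for_host() {
    host="$1"; keydir="$2"
    stamp=$(date +%Y%m)
    keyfile="$keydir/id_ed25519_${host}_${stamp}"
    ssh-keygen -q -t ed25519 -N "" -C "${USER:-user}@${host}-${stamp}" -f "$keyfile"
    printf '%s\n' "$keyfile"
}

# Emit a ~/.ssh/config stanza that pins exactly one key to one host.
# IdentitiesOnly stops the client from offering every key it knows about,
# which is what makes per-host keys meaningful on the client side.
config_stanza() {
    host="$1"; keyfile="$2"
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$host" "$keyfile"
}

# Rotate: replace an old public key with a new one in an authorized_keys file.
# The old key is matched on its base64 blob anywhere on the line, so leading
# option fields (from=, command=, ...) and comments do not matter.  The result
# is written to a temp file and moved into place so the file is never half
# written if the script is interrupted.
rotate_authorized_key() {
    authfile="$1"; old_pub="$2"; new_pub="$3"
    old_blob=$(printf '%s' "$old_pub" | awk '{print $2}')
    tmp="$authfile.tmp"
    awk -v blob="$old_blob" 'index($0, blob) == 0' "$authfile" > "$tmp"
    printf '%s\n' "$new_pub" >> "$tmp"
    mv "$tmp" "$authfile"
}

# Count how many authorized_keys files contain the same key blob.  A count
# above one means the key is shared across hosts, which is exactly what the
# advice above warns against: one leaked key opens every one of those hosts.
key_sharing_count() {
    blob="$1"; shift
    n=0
    for f in "$@"; do
        if grep -qF "$blob" "$f"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Demo on constructed data in a scratch directory.
demo() {
    d=$(mktemp -d)
    old='ssh-ed25519 AAAAC3OLDKEYPLACEHOLDER0000000000000000000000 user@host-a'
    new='ssh-ed25519 AAAAC3NEWKEYPLACEHOLDER1111111111111111111111 user@host-a-201308'
    other='from="10.0.0.0/8" ssh-rsa AAAAB3OTHERPLACEHOLDER22222222222222222222 admin@host-a'
    printf '%s\n%s\n' "$old" "$other" > "$d/host-a.auth"
    printf '%s\n' "$old" > "$d/host-b.auth"          # same key reused on host-b

    printf 'old key present on %s host(s) before rotation\n' \
        "$(key_sharing_count AAAAC3OLDKEYPLACEHOLDER0000000000000000000000 \
           "$d/host-a.auth" "$d/host-b.auth")"
    rotate_authorized_key "$d/host-a.auth" "$old" "$new"
    printf 'old key present on %s host(s) after rotating host-a\n' \
        "$(key_sharing_count AAAAC3OLDKEYPLACEHOLDER0000000000000000000000 \
           "$d/host-a.auth" "$d/host-b.auth")"

    if command -v ssh-keygen >/dev/null 2>&1; then
        kf=$(new_key_for_host host-a "$d")
        config_stanza host-a "$kf"
    fi
    rm -rf "$d"
}

demo
```

On a real rotation you would run new_key_for_host on the client, append the
new public key to the remote authorized_keys with rotate_authorized_key (or
the equivalent edit), confirm a login with the new key works, and only then
delete the old private key locally. Running key_sharing_count over the
authorized_keys files you manage is a cheap way to find keys that quietly
spread across security domains.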