
Re: Continuous brute force attempt from own server !!! (OT question)



On 20130727_140629, Henrique de Moraes Holschuh wrote:
> On Sat, 27 Jul 2013, Brian wrote:
> > On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
> > > On 07/26/2013 11:26 PM, Brian wrote:
> > > > Does this 'good idea' have reasons to support it?
> > > 
> > > It is for much the same reasons that passwords are rotated.  It was
> > > mainly this draft that convinced me:
> > > 
> > > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
> > > 
> > > It mentions rotating the keys in several places.
> > 
> > Thank you, that was an interesting read. The focus of the draft is on
> > organisations which utilise SSH keys extensively, so in such a situation
> > I can understand a recommendation for key rotation because ignoring it
> > may have disastrous consequences. Users with small networks and with
> > well managed access to them would rarely have a need to change passwords
> > or keys at predetermined intervals.
> 
> If you have that key sitting anywhere outside of a hardened smartcard, you
> should rotate it every so often, in case someone managed to snag a copy of
> it while you were not paying attention.  It is NOT too much pain to rotate
> keys once a year, unless you're doing it wrong in the first place.
> 
> It is also good practice to never share the same key across hosts (or if
> that's impractical, across security domains), and to have specific keys for

I'm lurking here, hoping to learn things:
In this case, what is a 'security domain'?
Don't make fun of me. I really haven't, to my memory, come across the
term before.

> specific services.  This practice can greatly reduce the damage caused by a
> compromised key.
> 



-- 
Paul E Condon           
pecondon@mesanetworks.net
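As an added example, not from the thread, of checking the practice Henrique describes (never authorising the same key on more than one host), here is a POSIX shell audit that reports any public key found in more than one host's authorized_keys file; it assumes a directory holding one file per host, named after the host, and the sample files it builds are constructed:

```shell
#!/bin/sh
# Added example (not from the thread): report public keys that are authorised
# on more than one host, i.e. the key sharing the quoted advice warns against.
# Assumption: "$1" is a directory with one authorized_keys file per host,
# each file named after its host.
set -eu

# Print "keytype base64blob host" for every key line of every host file,
# then list keys that occur under more than one host, with the hosts joined.
find_shared_keys() {
    dir="$1"
    for f in "$dir"/*; do
        host=$(basename "$f")
        # Skip blank/comment lines; the key type may be preceded by options
        # such as command="..." so locate the type field rather than assume $1.
        awk -v host="$host" '
            /^[ \t]*(#|$)/ { next }
            { for (i = 1; i < NF; i++)
                  if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1), host; break } }
        ' "$f"
    done | sort -u | awk '
        { key = $1 " " $2; n[key]++
          hosts[key] = hosts[key] (n[key] > 1 ? "," : "") $3 }
        END { for (k in n) if (n[k] > 1) print k, hosts[k] }
    ' | sort
}

# Constructed sample data: two hosts, with alice's key authorised on both.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample for web01' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1 alice@laptop' \
        'ssh-rsa AAAAB3NzaC1yc2EFAKEKEY2 deploy@ci' > "$d/web01"
    printf '%s\n' \
        'command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1 alice@laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY3 dba@ops' > "$d/db01"
    find_shared_keys "$d"
    rm -rf "$d"
}

demo
```

Point the function at a directory of collected authorized_keys files and every key it prints is a candidate for replacement with per-host keys.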