
Re: Continuous brute force attempt from own server !!! (OT question)



Thanks for the amusing responses. 

With our new knowledge of who actually reads our emails, rules for
cycling passwords have lost pride of place in a ranking of
things-to-worry-about. 

I intended the question to be answered in the context of the post by
Henrique de Moraes Holschuh, where 'across security domains' is
considered less desirable than 'across hosts'. I know what hosts are
when writing computer stuff, but, come to think about it, what does it
mean to rotate keys? Is the idea that a particular key string is to be
reused on some host after it has been removed from service on some
other host? I had thought that it was best to never use a retired key
string again - but security is tricky - maybe there might be some
point in using old strings as the keys on some (unmentioned) honey pot
servers.

On 20130727_162740, Paul E Condon wrote:
> On 20130727_140629, Henrique de Moraes Holschuh wrote:
> > On Sat, 27 Jul 2013, Brian wrote:
> > > On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
> > > > On 07/26/2013 11:26 PM, Brian wrote:
> > > > > Does this 'good idea' have reasons to support it?
> > > > 
> > > > It is for much the same reasons that passwords are rotated.  It was
> > > > mainly this draft that convinced me:
> > > > 
> > > > http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
> > > > 
> > > > It mentions rotating the keys in several places.
> > > 
> > > Thank you, that was an interesting read. The focus of the draft is on
> > > organisations which utilise SSH keys extensively, so in such a situation
> > > I can understand a recommendation for key rotation because ignoring it
> > > may have disastrous consequences. Users with small networks and with
> > > well managed access to them would rarely have a need to change passwords
> > > or keys at predetermined intervals.
> > 
> > If you have that key sitting anywhere outside of a hardened smartcard, you
> > should rotate it every so often, in case someone managed to snag a copy of
> > it while you were not paying attention.  It is NOT too much pain to rotate
> > keys once a year, unless you're doing it wrong in the first place.
> > 
> > It is also good practice to never share the same key across hosts (or if
> > that's impractical, across security domains), and to have specific keys for
> 
> I'm lurking here, hoping to learn things: 
> In this case, what is a 'security domain'?  
> Don't make fun of me. I really haven't, to my memory, come across the
> term, before.
> 
> > specific services.  This practice can greatly reduce the damage caused by a
> > compromised key.
> > 
> 
> 
> 
> -- 
> Paul E Condon           
> pecondon@mesanetworks.net
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20130727222740.GA19973@big
> 

-- 
Paul E Condon           
pecondon@mesanetworks.net
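The advice quoted in this thread, never share one key across hosts (or at least not across security domains), and rotate keys periodically, can be checked and acted on mechanically. The Python script below is an added example, not code from this thread or from the Debian project. It assumes you have collected the authorized_keys contents from each host (constructed inline here as sample data) and keep a hand-maintained mapping of host to security domain; the domain names, host names and key blobs are all made up. It parses each line (tolerating leading options such as from="..."), computes the OpenSSH-style SHA256 fingerprint of the key blob, reports every key present on more than one host and flags the ones that cross a domain boundary, and shows the per-host step of a rotation: drop every entry matching the old fingerprint and append the replacement.

```python
"""Audit authorized_keys files gathered from several hosts: flag keys reused
across hosts or across security domains, and rotate a key on one host.
Added example; sample hosts, domains and key blobs are constructed."""
import base64
import binascii
import hashlib
import struct
from collections import defaultdict

# Key-type prefixes OpenSSH accepts at the start of a key field.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def embedded_type(blob):
    """SSH public key blobs start with a length-prefixed key-type string."""
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", "replace")


def parse_authorized_keys_line(line):
    """Return (keytype, blob, comment) or None for blank/comment/unparseable lines.
    Options such as from="..." may precede the key type, so scan for the first
    field that looks like a key type and is followed by a matching blob."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except (ValueError, binascii.Error):
                continue
            if embedded_type(blob) == tok:
                return tok, blob, " ".join(tokens[i + 2:])
    return None


def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory, domain_of):
    """inventory: {host: authorized_keys text}; domain_of: {host: domain}.
    Returns {fingerprint: {comment, hosts, domains, cross_domain}} for every
    key that appears on more than one host."""
    hosts_by_fp = defaultdict(set)
    comment_by_fp = {}
    for host, text in inventory.items():
        for line in text.splitlines():
            parsed = parse_authorized_keys_line(line)
            if parsed is None:
                continue
            _, blob, comment = parsed
            fp = fingerprint(blob)
            hosts_by_fp[fp].add(host)
            comment_by_fp.setdefault(fp, comment)
    findings = {}
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) < 2:
            continue
        domains = {domain_of[h] for h in hosts}
        findings[fp] = {
            "comment": comment_by_fp[fp],
            "hosts": sorted(hosts),
            "domains": sorted(domains),
            "cross_domain": len(domains) > 1,   # worst case per the thread
        }
    return findings


def replace_key(authorized_keys_text, old_fp, new_line):
    """Per-host rotation step: remove every entry with fingerprint old_fp,
    append new_line, keep everything else (comments, other keys) untouched."""
    kept = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed is not None and fingerprint(parsed[1]) == old_fp:
            continue
        kept.append(line)
    kept.append(new_line.rstrip("\n"))
    return "\n".join(kept) + "\n"


# ---- constructed sample data (not real keys) --------------------------------
def _fake_blob(keytype, payload):
    # Only the length-prefixed type string is wire-format correct; the payload
    # is filler, so these blobs are NOT usable keys.
    return struct.pack(">I", len(keytype)) + keytype.encode() + payload


def _b64(blob):
    return base64.b64encode(blob).decode()


KEY_A = "ssh-ed25519 " + _b64(_fake_blob("ssh-ed25519", b"\x01" * 32)) + " deploy@ci"
KEY_B = ('from="10.0.0.0/8" ssh-ed25519 '
         + _b64(_fake_blob("ssh-ed25519", b"\x02" * 32)) + " admin@laptop")
KEY_C = "ssh-rsa " + _b64(_fake_blob("ssh-rsa", b"\x03" * 64)) + " backup@db1"

INVENTORY = {                      # hypothetical hosts
    "web1": "# constructed sample\n" + KEY_A + "\n" + KEY_B + "\n",
    "web2": KEY_A + "\n",
    "db1": KEY_B + "\n" + KEY_C + "\n",
}
DOMAIN_OF = {"web1": "dmz", "web2": "dmz", "db1": "internal"}  # hypothetical

if __name__ == "__main__":
    for fp, info in find_shared_keys(INVENTORY, DOMAIN_OF).items():
        severity = "CROSS-DOMAIN" if info["cross_domain"] else "shared"
        print(f"{severity:12} {fp} ({info['comment']}) on {info['hosts']}")
```

Running it reports deploy@ci as shared between the two dmz hosts and admin@laptop as the cross-domain case (dmz and internal), which is the one the thread singles out as least desirable; backup@db1 lives on one host only and is not reported. In practice the inventory would come from an ssh or configuration-management run over each host, and replace_key would be applied on every host a flagged key appears on, followed by a re-run of the audit to confirm the old fingerprint is gone everywhere.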

