Comments on: Disable SSH Password Authentication with OS X 10.5 Leopard http://anthonyvance.com/blog/security/disable_ssh_passwords/ Assistant Professor—Information Systems—Brigham Young University Thu, 29 Jul 2010 14:52:59 +0000 http://wordpress.org/?v=2.5.1 By: Dominik Hoffmann http://anthonyvance.com/blog/security/disable_ssh_passwords/#comment-173 Dominik Hoffmann Sat, 13 Jun 2009 13:47:46 +0000 http://anthonyvance.com/security/disable_ssh_passwords#comment-173 I found that my Apple Xserve at home was sometimes completely swamped with what turned out to be one of those brute force ssh attacks. After disallowing password logins I essentially got my server back. I found that my Apple Xserve at home was sometimes completely swamped with what turned out to be one of those brute force ssh attacks. After disallowing password logins I essentially got my server back.

]]> By: Anthony http://anthonyvance.com/blog/security/disable_ssh_passwords/#comment-145 Anthony Sat, 23 May 2009 10:32:17 +0000 http://anthonyvance.com/security/disable_ssh_passwords#comment-145 James: It's true that nmap can easily discover SSH running on alternative ports. Changing ports alone will not secure against brute-force login attempts. However, it will: 1. Reduce the number of SSH log entries of scanners probing the default port 22. In my experience, this is a considerable amount of logging that can be avoided (see <a href="http://dmiessler.com/blog/security-and-obscurity-does-changing-your-ssh-port-lower-your-risk" rel="nofollow">here</a> for a demonstration of this). Second, in the case of a zero-day exploit, automated scanners typically only scan the default port in search of a vulnerability. Why? When scanning the entire IP-space, scanning even one additional port doubles the time to complete the scan. And in the case of a zero-day exploit, time is of the essence as administrators race to patch their machines. So while changing the default port alone doesn't protect against brute-force login attempts (this post is about using public-key authentication after all), it does provide an added measure of security in the case of zero-day exploits. See further discussion of this point <a href="http://www.dslreports.com/forum/remark,20171921#20177082" rel="nofollow">here</a> and <a href="http://www.grc.com/sn/sn-188.txt" rel="nofollow">here</a>. James:

It’s true that nmap can easily discover SSH running on alternative ports. Changing ports alone will not secure against brute-force login attempts. However, it will:

1. Reduce the number of SSH log entries of scanners probing the default port 22. In my experience, this is a considerable amount of logging that can be avoided (see here for a demonstration of this).

Second, in the case of a zero-day exploit, automated scanners typically only scan the default port in search of a vulnerability. Why? When scanning the entire IP-space, scanning even one additional port doubles the time to complete the scan. And in the case of a zero-day exploit, time is of the essence as administrators race to patch their machines.

So while changing the default port alone doesn’t protect against brute-force login attempts (this post is about using public-key authentication after all), it does provide an added measure of security in the case of zero-day exploits. See further discussion of this point here and here.

]]> By: James M http://anthonyvance.com/blog/security/disable_ssh_passwords/#comment-160 James M Fri, 22 May 2009 23:53:09 +0000 http://anthonyvance.com/security/disable_ssh_passwords#comment-160 Put out of your mind the notion that changing the ssh port adds one bit of security to your host. The dictionary attackers are nmap'ing and trying every port. It might buy you a few seconds of obscurity but nothing more. Put out of your mind the notion that changing the ssh port adds one bit of security to your host. The dictionary attackers are nmap’ing and trying every port. It might buy you a few seconds of obscurity but nothing more.

]]> By: Bill http://anthonyvance.com/blog/security/disable_ssh_passwords/#comment-147 Bill Mon, 11 May 2009 17:52:14 +0000 http://anthonyvance.com/security/disable_ssh_passwords#comment-147 Great tip. All you need to do to enable this is "sudo killall -1 sshd" and it will kick your current session (assuming you are ssh'd in) and pick up the new settings. If you are remote to the system, test your key authentication first! (grin) Great tip.

All you need to do to enable this is “sudo killall -1 sshd” and it will kick your current session (assuming you are ssh’d in) and pick up the new settings.

If you are remote to the system, test your key authentication first! (grin)

]]> By: Resuming SCP file transfers « Anthony Vance http://anthonyvance.com/blog/security/disable_ssh_passwords/#comment-144 Resuming SCP file transfers « Anthony Vance Fri, 12 Dec 2008 10:23:16 +0000 http://anthonyvance.com/security/disable_ssh_passwords#comment-144 [...] which works like a charm. This tip is posted in numerous places online, but my SSH setup at home is slightly different, so I have to modify the SSH option as [...] [...] which works like a charm. This tip is posted in numerous places online, but my SSH setup at home is slightly different, so I have to modify the SSH option as [...]

]]>