BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] vnc
- Subject: [Discuss] vnc
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Thu, 28 Aug 2014 16:51:20 +0000
- In-reply-to: <cb98ac9a77c99dd9313c5b1503d30ee1.squirrel@mail.mohawksoft.com>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <cb98ac9a77c99dd9313c5b1503d30ee1.squirrel@mail.mohawksoft.com>
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss- > bounces+blu=nedharvey.com at blu.org] On Behalf Of > markw at mohawksoft.com > > SSH is a very BAD thing to open up to the free internet. BAD BAD BAD. > Once in, you are in. Shell access is dangerous. Blanket statement. The actual truth is: SSH *can* be bad to open up to the internet, but it doesn't take rocket science to make it good and secure. First and foremost, disable all forms of authentication other than key-based. Even if you have a complex randomly generated password, you'd have to get something like 128-ish bits of entropy into that password to make it secure from brute force attacks. In that case, you'll never memorize it and you might as well just use keys. Ensure your keys are 2048 or 3072 bits (or 4096). Also, by merely allowing password based authentication, script kiddies out there will attempt to brute force attack you. (Just watch your logs and see.) This hogs your internet and CPU significantly, even if you have a sufficiently complex password to make yourself actually secure from breach. Assuming you want to disable password authentication (and everything other than public key) This helps you generate a complete list: man sshd_config | grep Authentication sudo vi /etc/ssh/sshd_config Add, or change, the following lines: ChallengeResponseAuthentication no GSSAPIAuthentication no HostbasedAuthentication no KbdInteractiveAuthentication no KerberosAuthentication no PasswordAuthentication no PubkeyAuthentication yes RhostsRSAAuthentication no RSAAuthentication no
- Follow-Ups:
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- References:
- [Discuss] vnc
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- Prev by Date: [Discuss] vnc
- Next by Date: [Discuss] vnc
- Previous by thread: [Discuss] vnc
- Next by thread: [Discuss] vnc
- Index(es):