[clug] mc-root anyone?
Paul Wayper
paulway at mabula.net
Sun Jun 21 09:12:29 GMT 2009
On 18/06/09 22:33, Kim Holburn wrote:
> Security by obscurity is OK but it doesn't give you that much. A good
> scan can tell you what's on an open port.
Some people call this "defence in depth" :-)
All I'm saying here is that putting SSH on a different port will work now, and
(I guess) for the next three to five years. Sooner or later someone's going
to put a port scan into their SSH scanners; when that happens, the entire
internet is going to catch fire. People will be panicking, doom will be
predicted, Microsoft will say that Windows is more secure because it doesn't
use SSH, calls for a new SSH will echo across the world, and finally people
will realise that they still need decent passwords, fail2ban, or ssh keys -
just as we've known for years.
You can use the easy but short-term solution - changing the SSH listen port -
or the trickier but longer-term solution - getting better security.
Port knocking will still be 'security through obscurity' in the bad sense
until it develops reasonable cryptographically secure challenge and response -
and then it will be much like SSH keys. It sounds like an interesting idea
but in practice you still need something like fail2ban on it to provide a
level of security that goes beyond "guess the couple of random numbers".
Have fun,
Paul
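To make the "you still need fail2ban" point concrete, here is an added example (not from Paul's post or from fail2ban itself) of the detection logic such a tool applies: parse sshd "Failed password" lines, count failures per source address inside a sliding time window, and return the addresses that crossed the threshold. The log lines are constructed, the year is assumed to be 2009 to match the thread, and the threshold names mirror fail2ban's maxretry/findtime settings; note the check keys on the log line, not on which port sshd listens on, so moving the port changes nothing here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (sample data, not a real log).
SAMPLE_LOG = """\
Jun 21 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 21 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 21 09:00:04 host sshd[1003]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 21 09:00:05 host sshd[1004]: Failed password for paul from 198.51.100.4 port 40001 ssh2
Jun 21 09:00:06 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jun 21 09:00:07 host sshd[1006]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Jun 21 09:20:10 host sshd[1007]: Failed password for paul from 198.51.100.4 port 40002 ssh2
Jun 21 09:20:11 host sshd[1008]: Accepted publickey for paul from 198.51.100.4 port 40003 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2009):
    # Syslog timestamps carry no year; the caller supplies it (assumed 2009 here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime_s=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside findtime_s seconds."""
    window = defaultdict(deque)  # per-IP timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue  # already decided; a real tool would have firewalled it by now
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            bans[ip] = t
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```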