[kwlug-disc] Tightening up SSH
hyperflexed at gmail.com
Mon Jul 19 09:44:40 EDT 2010
Thank you very much. I'm going to look into what's involved in public
key authentication. I kind of veered away from it because I didn't quite
understand how it was working. Does each machine need a copy of the
other's public key so they can use their private keys to verify
eachother? Should each machine have its own key?
On 07/19/2010 09:10 AM, Adam Glauser wrote:
> On 19/07/2010 8:37 AM, Johnny Ferguson wrote:
>> Recently I've been seeing a lot of activity in /var/log/auth.log (of the
>> sshd sort). Sometimes 5 straight hours of brute force attacks.
> Yikes! I guess I should start checking my logs too.
>> SO, just wondering what advice anyone could offer on hardening SSH. I
>> might be a little paranoid, but I think it's still in the range of being
> As Dave Cramer mentioned, it is best to use public key authentication
> instead of username/password authentication. The odds of a brute-force
> attack succeeding go up dramatically. I suspect that no one even
> bothers, and instead goes after the ssh servers that use
> username/password authentication. This can be a bit of a hassle however,
> as you need to have your keypair available whenever you want to sign in
> to your ssh server.
>> P.S. How do 2 machines determine an encryption key and communicate this
>> to eachother without giving the key away? Are there any good articles on
>> how SSH works and what potential vulnerabilities are?
> SSH uses the Diffie-Hellman Key Exchange protocol to establish a shared
> secret for the session. It's pretty cool stuff, the Wikipedia article*
> has a pretty good explanation of the theory. You might want to read a
> bit about modular arithmetic** first if you don't already understand it.
> RFC4419*** describes some of the security considerations surrounding the
> DH process.
> * http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
> ** http://en.wikipedia.org/wiki/Modular_arithmetic
> *** http://www.ietf.org/rfc/rfc4419.txt
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
More information about the kwlug-disc_kwlug.org