[kwlug-disc] Tightening up SSH

Lori Paniak ldpaniak at fourpisolutions.com
Mon Jul 19 23:29:49 EDT 2010


On Mon, 2010-07-19 at 22:55 -0400, unsolicited wrote:
> Darcy Casselman wrote, On 07/19/2010 10:50 PM:
> > On Mon, Jul 19, 2010 at 9:41 PM, unsolicited <unsolicited at swiz.ca> wrote:
> >> Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> >>> Along with previous suggestions, I'd recommend switching to a
> >>> non-standard port.  It's not really security against a determined
> >>> attacker, but it cuts out 99.99% of the random Internet drive-bys.
> >> Could you tell me the source of this statistic please?
> > 
> > Sure! I made it up.
> > 
> >> Save yourself the irritation. Particularly when you run into a
> >> firewall that lets you talk out to known ports, but not weird ones.
> > 
> > No worries.  I'm not going to forget mine.  And, like Khalid said, you
> > can put it in your .ssh/config
> 
> That implies one is only ever using their own equipment, to hand, to 
> access their systems remotely. Part of the allure of remote access is 
> remote access from anywhere, any time, from any equipment.
> 

Through any password sniffer.  

If you access your system remotely from insecure hardware, you are
asking for trouble.  It does not matter how complex your password is,
what your ssh port number is, or what kind of encryption you used on
your USB key: on a malicious system you are compromised. I don't think
there is a reasonably safe way to use questionable hardware short of
rebooting the system into your own USB distro.

