[kwlug-disc] Tightening up SSH

Lori Paniak ldpaniak at fourpisolutions.com
Tue Jul 20 00:06:15 EDT 2010


On Mon, 2010-07-19 at 23:46 -0400, unsolicited wrote:
> 
> Lori Paniak wrote, On 07/19/2010 11:29 PM:
> > On Mon, 2010-07-19 at 22:55 -0400, unsolicited wrote:
> >> Darcy Casselman wrote, On 07/19/2010 10:50 PM:
> >>> On Mon, Jul 19, 2010 at 9:41 PM, unsolicited <unsolicited at swiz.ca> wrote:
> >>>> Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> >>>>> Along with previous suggestions, I'd recommend switching to a
> >>>>> non-standard port.  It's not really security against a determined
> >>>>> attacker, but it cuts out 99.99% of the random Internet drive-bys.
> >>>> Could you tell me the source of this statistic please?
> >>> Sure! I made it up.
> >>>
> >>>> Save yourself the irritation. Particularly when you run into a
> >>>> firewall that lets you talk out to known ports, but not weird ones.
> >>> No worries.  I'm not going to forget mine.  And, like Khalid said, you
> >>> can put it in your .ssh/config
> >> That implies one is only ever using their own equipment, to hand, to 
> >> access their systems remotely. Part of the allure of remote access is 
> >> remote access from anywhere, any time, from any equipment.
> >>
> > 
> > Through any password sniffer.  
> > 
> > If you access your system remotely from insecure hardware, you are
> > asking for trouble.  It does not matter how complex your password is,
> > your ssh port number or what kind of encryption you used on your USB
> > key, on a malicious system you are compromised. I don't think there is a
> > reasonably safe way to use questionable hardware short of rebooting the
> > system into your own USB distro.
> 
> I didn't say don't use keys.
> 
> By your argument, and I presume you use a password to log in to your 
> own laptop, you should not be using your own laptop. Keys or no.
> 

My laptop does not qualify as insecure hardware.

If you are booting your own USB-based distro then you can configure the
communication tools on it to use ports of your choosing.  Or run OpenVPN
with your personal certificates and tunnel all communications over that
back to a trusted server for ultimate paranoia management.