[CoLoCo] REMOTE SERVER
Mitch Mahan
mitch at kci.net
Mon Oct 8 21:00:47 BST 2007
I think you guys take things over the top.
Most programs that brute-force SSH passwords start with "ridiculous"
defaults and mainly go after your root user (how do they know what usernames
you have on your box?).
1) Shut off root SSH access.
2) Install DenyHosts or another brute-force detection program.
   - DenyHosts adds IPs of brute-force attackers to your deny.hosts
     entry after 3 unsuccessful tries. No more SSH for the brute-forcer.
3) Keys / no keys -> Who cares? Having password auth is very convenient and
you'll never convince me to turn it off.
4) Turn off FTP!
Done.
- Mitch
-----Original Message-----
From: ubuntu-us-co-bounces at lists.ubuntu.com
[mailto:ubuntu-us-co-bounces at lists.ubuntu.com] On Behalf Of Kevin Fries
Sent: Monday, October 08, 2007 1:43 PM
To: Ubuntu Colorado Local Community Team
Subject: Re: [CoLoCo] REMOTE SERVER
On Mon, 2007-10-08 at 11:24 -0600, Jim Hutchinson wrote:
> For passwords there is a program you can install on Ubuntu that makes
> "random" passwords. I forget the program though. Maybe someone else
> knows.
>
> A trick I use is to create a random prefix and suffix and sandwich
> something memorable between. for example:
>
> prefix = 6$Y
> suffix = G!9
> my gmail password = 6$YgoogG!9
> my yahoo password = 6$YyahoG!9
>
> and so on. Btw, those are examples so have fun hacking my mail. I
> don't know if those are more or less secure since you are repeating
> part of your password everywhere but it makes it easy to remember.
Always remember, tricks like this make it tougher to guess. The reason
behind the old upper case, lower case, number and special character is
to increase the number of characters needed to crack your password. The
more character sets, the lower the odds of guessing it. But remember,
someone is always winning the lottery, and their odds were just as long.
With the speed of modern computers, this can be a real issue. It just
does not take as long to crack passwords as it used to.
For email and programs that cannot be secured via a private encryption
key, these tools are the best you have. But the OP wanted access to the
box to admin or fix problems. In these cases, eliminating SSH passwords
altogether eliminates even the lucky shot in the dark. Besides, it's
actually easier to set up SSH to do things in a more secure way than it
is to set up all those access rights. Ubuntu actually accepts keys in
its default configuration; all you have to do is turn passwords to no.
To the OP, trust me, set up the keys...
If that is too easy, and you are bored, make it harder in a more
constructive way. For instance, if you ran Webmin on that server box,
set it up to only respond to localhost. Then set up your laptop so that
xinetd listens on port 10001 (leaving 10000 to Webmin your local box).
Have xinetd start the SSH tunnel automatically when you hit that port.
With the keys enabled, Webmin would come up from your machine(s) and
only your machine(s) and handle the security silently in the background.
From a web browser, localhost:10001 should be your remote server. Even
this exercise is easier than that original linux.com post.
--
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.
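Both posters touch the same two sshd_config settings: Mitch's step 1 (no root login over SSH) and Kevin's advice to turn passwords off so only keys work. The script below is an added example, not code from either poster; it audits an sshd_config for those two keywords. It follows OpenSSH's rule that the first occurrence of a keyword wins and treats anything after a `Match` line as conditional (ignored for the global check). The two config files it writes to a temp directory are constructed samples.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two settings discussed in the thread.

# Print the effective global value of an sshd_config keyword ($2, lowercase).
# OpenSSH uses the FIRST value it finds for a keyword; keywords are
# case-insensitive and may be written "Key value" or "Key=value". Lines after
# the first "Match" block only apply conditionally, so the scan stops there.
sshd_effective() {
    awk -v key="$2" '
        {
            sub(/^[[:space:]]+/, "")              # drop leading whitespace
            if ($0 ~ /^#/ || $0 == "") next        # skip comments and blanks
            split($0, f, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
            k = tolower(f[1])
            if (k == "match") exit                 # conditional section begins
            if (k == key) { print tolower(f[2]); exit }   # first value wins
        }' "$1"
}

# Report on PermitRootLogin and PasswordAuthentication for config file $1.
# Returns 0 when both are "no", 1 otherwise. An absent keyword means the
# OpenSSH default applies (PasswordAuthentication defaults to yes).
audit_sshd_config() {
    cfg="$1"
    rc=0
    root=$(sshd_effective "$cfg" permitrootlogin)
    pw=$(sshd_effective "$cfg" passwordauthentication)
    if [ "$root" != "no" ]; then
        echo "$cfg: PermitRootLogin is '${root:-<default>}' (want: no)"
        rc=1
    fi
    if [ "$pw" != "no" ]; then
        echo "$cfg: PasswordAuthentication is '${pw:-<default yes>}' (want: no, keys only)"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not taken from any real host).
TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"
HARD_CFG="$TMP/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# constructed: the kind of defaults Mitch describes
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: hardened as the thread recommends
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication = no
# per-user exceptions below are conditional and do not affect the global check
Match User deploy
    AllowTcpForwarding no
EOF

audit_sshd_config "$WEAK_CFG" || echo "$WEAK_CFG: FAIL"
audit_sshd_config "$HARD_CFG" && echo "$HARD_CFG: OK"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; on a live host, `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` shows the daemon's own view, Match blocks included, and is the authoritative check.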
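Kevin's xinetd trick, written out as an added example (not his configuration): a generator for the `/etc/xinetd.d` stanza that makes a connection to 127.0.0.1:10001 on the laptop spawn `ssh`, which hands the socket to 127.0.0.1:10000 on the remote server. The user "alice", the host "server.example.com" and the key path are hypothetical. It assumes an OpenSSH client with `-W` (stdio forwarding, the modern replacement for the `nc` relay a 2007 setup would have used) and keys-only login (`BatchMode=yes` refuses to prompt for a password). `bind` and `only_from` keep the listener reachable from the laptop alone, and a small checker confirms those restrictions are present.

```shell
#!/bin/sh
# Added example: generate and sanity-check an xinetd stanza for an on-demand
# SSH tunnel to a Webmin bound to localhost on the remote server.

# $1 output file, $2 local port, $3 local user xinetd runs ssh as,
# $4 remote user@host, $5 remote port reached through the tunnel, $6 private key.
write_xinetd_tunnel_stanza() {
    cat > "$1" <<EOF
# Connecting to 127.0.0.1:$2 on this machine runs ssh, which forwards the
# socket to 127.0.0.1:$5 on the remote server (type UNLISTED: port is not
# in /etc/services).
service webmin-tunnel
{
    type        = UNLISTED
    port        = $2
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = $3
    bind        = 127.0.0.1
    only_from   = 127.0.0.1
    server      = /usr/bin/ssh
    server_args = -q -T -o BatchMode=yes -o StrictHostKeyChecking=yes -i $6 $4 -W 127.0.0.1:$5
    disable     = no
}
EOF
}

# Return 0 if stanza $1 is restricted to localhost and can never fall back to
# a password prompt, 1 otherwise.
check_tunnel_stanza() {
    grep -Eq '^[[:space:]]*bind[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$1" || return 1
    grep -Eq '^[[:space:]]*only_from[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$1" || return 1
    grep -q 'BatchMode=yes' "$1" || return 1
    return 0
}

# Constructed example values; write to a temp file rather than /etc/xinetd.d.
STANZA="$(mktemp -d)/webmin-tunnel"
write_xinetd_tunnel_stanza "$STANZA" 10001 alice alice@server.example.com 10000 /home/alice/.ssh/id_ed25519
check_tunnel_stanza "$STANZA" && echo "$STANZA: restricted to localhost, keys only"
```

Install the generated file as `/etc/xinetd.d/webmin-tunnel`, reload xinetd, and browse to http://localhost:10001/. The key must be readable by the `user` given in the stanza, and that user's known_hosts must already contain the server's host key, since `StrictHostKeyChecking=yes` will not accept a new one non-interactively.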