[NTLUG:Discuss] SSH
severian@pobox.com
Wed Oct 15 23:45:03 CDT 2003
In response to the welcome remarks of David at 09:29 PM 10/15/03 -0500:
>Personally I don't bother. Network probe tools such as Nessus ignore
>the port number. They determine what service is listening on a port
>by actually contacting it and seeing what sort of greeting it sends.
>SSH has a very distinctive initial greeting, which can be readily
>identified.
Thanks. That makes it not seem worth the effort to change the port
number. I won't be accepting passwords, so it ought to be pretty
secure. I expect I need to keep the OpenSSH software up to date because
any vulnerabilities there would be my weak point. But, I bet I'll be a
tough enough target that they will just move on.
>Nope, not true. SSH keys include the login name and hostname of the
>user, but that's just a comment field. It exists to allow us humans
>to easily distinguish between keys. The SSH program doesn't use it in
>any way.
That's perfect. That means I can just generate unique keys for each
user, disable password authentication and I ought to be pretty safe for
now. I'll give each user a little utility to log their IP addresses (if
they don't show up in a log file on the SSH server machine). After I
establish what IP ranges seem to be in use, I can add that restriction. I
asked them if they knew, but both users are non-technical and had no idea
what I was talking about.
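The plan described in this message (keys only, no passwords, learn each user's source address from the server's own sshd log rather than a client-side utility, then restrict logins to those addresses) as an added example; it is not part of the original post, the log lines are constructed, and the user names and addresses are placeholders:

```shell
#!/bin/sh
# Constructed sshd log lines (not a real log); the line format is the one
# OpenSSH writes on successful public-key logins and failed password attempts.
SAMPLE_LOG='Oct 15 23:40:01 gw sshd[4120]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Oct 15 23:41:17 gw sshd[4133]: Accepted publickey for bob from 198.51.100.20 port 40011 ssh2
Oct 15 23:42:03 gw sshd[4140]: Failed password for root from 192.0.2.77 port 2222 ssh2
Oct 15 23:44:59 gw sshd[4152]: Accepted publickey for alice from 203.0.113.5 port 51302 ssh2'

# Print one "user address" pair per distinct successful public-key login.
# Failed attempts (the 192.0.2.77 line) are deliberately ignored: the goal is
# to learn where the legitimate users come from, not who is knocking.
accepted_pubkey_sources() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i + 1)
                 if ($i == "from") addr = $(i + 1)
             }
             print user, addr
         }' | sort -u
}

# Turn those pairs into an sshd_config fragment: keys only, no passwords,
# and each user allowed only from the address(es) seen for that user.
# AllowUsers takes user@host patterns; once the real ranges are known the
# address part can be widened to a CIDR block (e.g. alice@203.0.113.0/24).
sshd_config_fragment() {
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'AllowUsers'
    accepted_pubkey_sources "$1" | while read -r user addr; do
        printf ' %s@%s' "$user" "$addr"
    done
    printf '\n'
}

sshd_config_fragment "$SAMPLE_LOG"
```

Feed the real auth log instead of SAMPLE_LOG once the users have logged in a few times, and run `sshd -t -f <config>` before reloading so a typo in the fragment cannot lock everyone out.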