On 5/9/05, bruce <bedouglas@xxxxxxxxxxxxx> wrote:

> it appears that most of the attacks are automated scripts..
>
> so, given that ssh is open, what would be the downside of building in a kind
> of basic challenge response/question system... much like what you have with
> yahoo groups/other sites...
>
> since you can't distort some word, given the terminal nature of ssh, would
> it be possible to insert/force the user to answer some random question,
> prior to being able to attempt to log into the system??

On the same token, you could use S/Key to create OTPs... one-time passwords.
Each time you try to log in, you would be presented with a number or code,
and since only you know how to translate that number into the correct
one-time password, you are the only one who will get in. Next time you try,
you get a different number and a different password is required. Similarly,
every time a hacker attempts to connect, they would need a different
password.

Another method, which I use whenever I can, is to authenticate with keys.
Unless someone gets a hold of my private key file, AND my passphrase to
decrypt it, they are not going to be able to log into the system.

Some people mention moving the SSH port from 22 to some other number, for
example 2022. But that presents other problems. What happens if you are in a
corporate environment and network security left port 22 open for outbound
SSH, but did not leave 2022 open? You don't connect. But this is not a great
solution for another reason: anyone who port scans your machine and finds
port 2022 (or whatever other port you used) can easily try to connect to it
and determine that it is your SSH daemon that is accepting the connections.
Then they only have to point their tool at your new port number and they
keep trying to hack you.

--
David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world, those who understand
binary, and those who don't.
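The S/Key-style scheme David describes, as an added stand-alone example (this is not code from the thread, nor the real S/Key implementation): a Lamport hash chain in which the server stores only the last accepted value, prompts with a sequence number and seed, and accepts a password only if hashing it once reproduces what it stored. The hash (SHA-256) and the encoding (hex) are simplifications of my own; real S/Key (RFC 1760) folds MD4 to 64 bits and shows six short words. The passphrase and seed are constructed values. The demo shows the two properties the reply relies on: a captured password is useless for a second login, and the chain eventually runs out and must be re-enrolled.

```python
"""S/Key-style one-time passwords as a hash chain (added example).

Enrolment: the client computes h_n = H^n(H(seed || passphrase)) and hands
only (seed, n, h_n) to the server.  Login i then expects h_{n-1}, h_{n-2},
... ; the server verifies by checking H(candidate) == stored value and
stores the candidate as the new value.  The passphrase never leaves
the client, and every accepted password is immediately retired.
"""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    # SHA-256 stands in for S/Key's folded MD4 (simplification, see lead-in)
    return hashlib.sha256(data).digest()


def make_chain(passphrase: bytes, seed: bytes, n: int) -> list:
    """Return [h_0, h_1, ..., h_n] where h_0 = H(seed || passphrase)
    and h_{i+1} = H(h_i)."""
    chain = [_h(seed + passphrase)]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Holds (seed, counter, last accepted value); never sees the passphrase."""

    def __init__(self, seed: bytes, top_of_chain: bytes, n: int):
        self.seed = seed
        self.n = n                 # next expected password is h_{n-1}
        self.last = top_of_chain   # h_n, supplied at enrolment

    def challenge(self):
        """What the login prompt shows the user: sequence number and seed."""
        return self.n - 1, self.seed.hex()

    def verify(self, otp_hex: str) -> bool:
        if self.n <= 0:
            return False           # chain exhausted: user must re-enrol
        try:
            otp = bytes.fromhex(otp_hex)
        except ValueError:
            return False
        if _h(otp) != self.last:
            return False           # wrong, replayed, or out-of-order password
        self.last = otp            # retire this password, move down the chain
        self.n -= 1
        return True


class OtpClient:
    """The user (or a calculator app) that knows the passphrase."""

    def __init__(self, passphrase: bytes):
        self.passphrase = passphrase

    def respond(self, seq: int, seed_hex: str) -> str:
        # Recompute h_seq from scratch; nothing secret is ever stored server-side.
        return make_chain(self.passphrase, bytes.fromhex(seed_hex), seq)[-1].hex()


def enrol(passphrase: bytes, n: int):
    seed = secrets.token_bytes(8)
    chain = make_chain(passphrase, seed, n)
    return OtpServer(seed, chain[-1], n), OtpClient(passphrase)


def demo_replay(n: int = 5):
    """Returns (first login ok, replay of same password ok, next login ok)."""
    server, client = enrol(b"correct horse battery staple", n)  # constructed
    seq, seed = server.challenge()
    otp = client.respond(seq, seed)
    first = server.verify(otp)
    replay = server.verify(otp)    # an eavesdropper resending the captured OTP
    seq2, seed2 = server.challenge()
    second = server.verify(client.respond(seq2, seed2))
    return first, replay, second


def demo_exhaustion(n: int = 3):
    """Returns (number of successful logins, whether login n+1 is refused)."""
    server, client = enrol(b"another constructed passphrase", n)
    ok = 0
    for _ in range(n):
        ok += server.verify(client.respond(*server.challenge()))
    refused = not server.verify(client.respond(0, server.challenge()[1]))
    return ok, refused


if __name__ == "__main__":
    print("first/replay/second:", demo_replay())
    print("logins before exhaustion / then refused:", demo_exhaustion())
```

The design point is the same one David makes about keys: what the server stores (h_n, then h_{n-1}, and so on) cannot be turned back into the next valid password without inverting the hash, so a database leak or a sniffed login session yields nothing reusable. The cost is the counter: once it reaches zero the user has to re-enrol with a fresh seed.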