Karl Larsen wrote:
If you're the only one who ever SSHes into your system, set it up to use public key authentication only and always walk around with a thumbdrive that has your private key on it. This will be sufficient to stop all non-targeted attacks (by "targeted" I mean someone wants to break into your machine, specifically. These are normally quite rare and often not worth planning against). Changing SSH ports does not provide any extra security, it simply reduces the size of your ssh log file (because the script kiddies will not notice it). Another reason is convenience (if, for example, you have a router set up to forward ports to ssh on multiple internal machines).Alan M. Evans wrote:This whole line of reasoning is false. I don't care if Hacker, the bad guy, gets on my computer with ssh. He then needs to come up with a valid login name and password. If he fails at this in some set time it all quits.On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:Changing ports for ssh isn't actually that hot of an idea. Most port scanners can detect ssh implementations since they normally self-identify. For example,if you're running ssh on the normal port (22), try executing: /usr/bin/telnet YOUR.HOST.IP.ADDR 22 and see what pops out.Of course. But most attacks aren't scanning every port on your machine and trying to identify unknown services. Mostly they're just going forthe low-hanging fruit on the standard port numbers.Until you can convince me that my system is at risk from ssh when using a real password I am going to sleep well.
To answer your original question: yes, if you have "passwords that are safe for an hour," your computer is safe -- for 1 hour. With a safe, it's expected that the perpetrator will be caught within that hour and will not be allowed to resume the cracking. With your computer, you might not notice the problem until you look at the log (days/weeks later?) and even if you notice it in time, you can't apprehend the intruder -- you must block them somehow and not allow them to continue hacking, which is pretty hard because they can use proxies/etc and appear to come from some other IP address. This is pretty much why the safe security ratings don't make much sense in computer world. You must use other techniques to block access: a combination of not allowing trying too many times + using public key authentication (disabling password authentication) works well enough.
If you can't be bothered with public key authentication, at least set up ssh to block attempts after N tries. That, and a good password, can go a pretty long way.
HTH
