[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] safety with scp



Hi folks!

On 10 Nov 2005, at 11:19, piet wrote:

b@rry wrote:
there are thousands of scan attempts being run against all ssh servers out
there.
 I would do two main things.
1. Disable password authentication and enable RSA key authentication. This way you can manage your keys, change the key regularly and set a high
bit value (2048 or higher) to get max key strength.
This also emsures that no script kiddies get onto your box with dictionary
based ssh attacks
2. Choose an obfuscated port, don't use 22, use something at the wrong end of the scanning spectrum, say *sucks thumb* port 53245 (check that this is
not)
Many scanners will only scan authorised ports as the high ports are a waste of time, if it is only you using it, then you don't have to worry about
notifying people of you obscure port number...
  Some others.
 MAKE SURE you are only allowing protocol 2
Disable agent forwarding.
Set your server host key to a stronger key strength.
 Anyway, that should all help...
_____ From: piet [mailto:prooroa@xxxxxxxxxx] Sent: 10 November 2005 11:59 AM
To: SuSE-Security
Subject: [suse-security] safety with scp
Good morning group,
I want to access my server(home based SuSE-box) through the Internet so I can upload images with winscp from my XP-laptop.
Is it safe to just open port 22 for the external world,
or do I need extra safety measures?
regards,
piet
using another port I get, but my server (only 80 is open for some time now is scanned on hi ports night and day.
at the moment 6630 happens to be popular,
in other words is it safe enough.
What I want to do isn't top secret I just want a safe way to get rid of my images when on the road.
so:
no password login (I do use now) and use keys
and do portforwarding, am I right?

Just keep in mind the two things: dictionary based attacks (dealt with by using only public key auth) and bugs in sshd. You should definitely keep the security updates up-to-date.

Can I also use the macadres of my laptop, or is that not safe enough??

MAC address ist lost at the first router as it is not part of the IP protocol (not IPv4, more specifically), so the only MAC address you'll see at home is the one from your ISP's hardware. Once the notebook is out of your house there's nothing in the protocols that you can use; the only possibility lies in ssh host authentication.

Ciao,
                    Roland

--
TU Muenchen, Physik-Department E18, James-Franck-Str. 85747 Garching
Telefon 089/289-12592; Telefax 089/289-12570
--
A mouse is a device used to point at
the xterm you want to type in.
Kim Alm on a.s.r.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/CS/M/MU d-(++) s:+ a-> C+++ UL++++ P-(+) L+++ E(+) W+ !N K- w--- M + !V Y+
PGP++ t+(++) 5 R+ tv-- b+ DI++ e+++>++++ h---- y+++
------END GEEK CODE BLOCK------


Attachment: PGP.sig
Description: This is a digitally signed message part