This is a discussion on making a home server within the Tech Board forums, part of the Community Boards category.
Originally Posted by zacs7
Code:
zac@mercury:~ $ uptime
14:26:08 up 206 days, 2:21, 4 users, load average: 0.17, 0.30, 0.13
...
I thought passwords would be encrypted.
using a password one character off from the previous
I took it down 144 days ago because I went somewhere for summer vacation and took the server (it's in a virtual machine) with me. Before that it had been running for at least 2 years.
Code:
cyberfish@servhost:~$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 3
model name : Intel(R) Celeron(R) CPU 2.40GHz
stepping : 4
cpu MHz : 2392.035
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 5
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc up pebs bts pni dtes64 monitor ds_cpl cid xtpr
bogomips : 4784.07
clflush size : 64
20:35:54 up 144 days, 35 min, 1 user, load average: 0.00, 0.03, 0.01
Apache, Postfix, SMBD in a virtual machine with snapshot backup. Host has RAID-5.
Just upgraded from P3 to Celeron a few years ago.
Slicehost is unmanaged, but it has good documentation and support.
Originally Posted by DavidP
I do not know about the current state of affairs, but back when I had an account with them, GrokThis had very good support. However, if I remember correctly, I did not choose VPS Village in the end because I felt Slicehost's admin console and documentation was better. (Though in retrospect the documentation is actually more widely applicable than just Slicehost, so somewhat ironically this should not have been a factor.)
Originally Posted by MK27
This should be true of any VPS as well, though your choice of OS may or may not be limited. But I guess that having physical access to the hardware is a nice feeling.
Originally Posted by jeffcobb
Why not disable password authentication? Alternatively, use a sudoer account, disable root login via SSH, and install denyhosts.
Originally Posted by jeffcobb
@zacs7: what counts as "an attack" here? some bot scanning ports? They're irritating, but I do not think they are actually attempting anything malicious beyond surveying.
Last edited by MK27; 01-27-2010 at 09:30 AM.
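The hardening steps suggested above (no password logins, no root over SSH) are easy to get wrong because sshd takes the first value it sees for a keyword, so a later line does not override an earlier one. The checker below is an added example, not code from anyone in the thread; the two configs it audits are constructed, and the defaults table reflects the old OpenSSH defaults of the time.

```python
"""Audit the global section of an sshd_config for key-only, no-root logins.
Added example; WEAK and HARDENED are constructed configs, not real hosts."""

# Effective values when a keyword is absent. PermitRootLogin's "yes" was the
# default in 2010-era OpenSSH; modern releases default to prohibit-password.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",   # older alias, still PAM-backed
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}
WANTED = {k: {"no"} for k in DEFAULTS}
WANTED["pubkeyauthentication"] = {"yes"}

def parse_global(text):
    """Return {keyword: first value} for the global section, stopping at Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()                       # keywords are case-insensitive
        if key == "match":
            break                                    # conditional block: out of scope here
        if len(parts) == 2 and key not in settings:  # sshd keeps the FIRST value
            settings[key] = parts[1].strip().lower()
    return settings

def audit(text):
    """Return sorted (keyword, effective value) pairs that fail the policy."""
    effective = dict(DEFAULTS)
    effective.update(parse_global(text))
    return sorted((k, effective[k]) for k in WANTED if effective[k] not in WANTED[k])

WEAK = """# constructed: distro-style defaults, password logins left on
Port 22
PermitRootLogin yes
"""

HARDENED = """# constructed: key-only logins, root disabled
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes    # ignored by sshd: first value above wins
Match User backup
    PasswordAuthentication yes
"""
```

Run `audit(WEAK)` and `audit(HARDENED)`: the first reports four failing keywords (password, keyboard-interactive and challenge-response still on, root allowed), the second reports none.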
My thoughts as well. I used to administer some servers running Mac OS X, on which we had SSH running non-stop on the standard port.
This is excessively paranoid.
What about using public/private key authentication in addition to a password?
"Circular logic is good because it is."
Last edited by MK27; 01-27-2010 at 10:06 AM.
I always do that. Although it is probably true that using a non-standard port makes you less of a target, I find it somewhat of an attempt at security through obscurity. I reason that as long as the accounts that can be accessed via SSH have good passwords (especially with denyhosts limiting the number of incorrect tries), or are restricted to key based authentication, it should be good enough.
Originally Posted by DavidP
I do not think that that makes it any more secure than just using a password. In fact, it might arguably make it less secure, since there are two things to keep secret instead of one (i.e., the password and the private key, or the password and the password protecting the private key), yet either one is enough. But if you disable password authentication and just use key based authentication, then you still have only one thing to keep secret.
Originally Posted by DavidP
Re: SSH. All good points and suggestions. As rarely as I need to do this (like once every other year) this crosses the pain threshold. I may still do this at some point, but logging into the firewall and disabling the port forward rule takes seconds. Still not a good excuse for slothfulness, but it's the only one I have...
Slow brute force server security - distributed slow SSH brute-force attacks - slow vs fast brute force attacks run over days or weeks and are distributed from an IP net of hundreds of IPs
This is just one of many. It describes exactly what I was seeing. With your SSH on a standard port you are one password away from being owned. Setting a strong password here really doesn't seem paranoid.
Further, moving the ssh to a non-standard port stopped the attempts altogether...so if I have discouraged the zombies from even trying, is that considered overly paranoid?
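The slow, distributed pattern linked above is exactly what a per-IP blocker such as denyhosts misses: each source stays under the ban threshold, so the only signal is the number of distinct sources hitting one account. The script below is an added example, not from any post in the thread; the auth.log lines are constructed with documentation-range addresses, and the thresholds are assumptions.

```python
"""Detect a slow, distributed SSH brute force in sshd auth log lines.
Added example; SAMPLE_LOG is constructed (RFC 5737 addresses), not real data."""
import re
from collections import defaultdict

# Matches the two common failure forms: real users and "invalid user" probes.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

SAMPLE_LOG = """\
Jan 27 09:30:01 mercury sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 27 09:41:17 mercury sshd[2140]: Failed password for root from 198.51.100.7 port 51003 ssh2
Jan 27 09:42:02 mercury sshd[2142]: Accepted publickey for zac from 192.0.2.10 port 52001 ssh2
Jan 27 10:05:44 mercury sshd[2198]: Failed password for root from 203.0.113.77 port 40811 ssh2
Jan 27 10:19:09 mercury sshd[2230]: Failed password for root from 198.51.100.7 port 51120 ssh2
Jan 27 10:33:51 mercury sshd[2263]: Failed password for invalid user admin from 192.0.2.44 port 3390 ssh2
Jan 27 10:58:12 mercury sshd[2301]: Failed password for root from 203.0.113.140 port 41002 ssh2
Jan 27 11:12:38 mercury sshd[2350]: Failed password for root from 198.51.100.201 port 50990 ssh2
"""

def failures_by_user(log_text):
    """Map each targeted username to {source_ip: failed attempt count}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_user[m["user"]][m["ip"]] += 1
    return per_user

def per_ip_blocks(per_user, threshold=3):
    """What a denyhosts-style per-IP rule would ban: IPs at or over the threshold."""
    return sorted(ip for ips in per_user.values()
                  for ip, n in ips.items() if n >= threshold)

def distributed_targets(per_user, min_sources=4):
    """Accounts hit from many distinct sources even though no single IP is noisy."""
    return sorted(user for user, ips in per_user.items() if len(ips) >= min_sources)
```

On the sample, `per_ip_blocks` bans nothing (no IP reaches three failures) while `distributed_targets` flags `root`, hit from five different addresses; feeding the real auth.log in place of SAMPLE_LOG works the same way.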
I'm pretty inexperienced here, but I am surprised to learn anybody uses ssh without keys. I thought the whole point of ssh was the public/private key system -- otherwise you might as well just use rlogin or something.
As for the "keyless" systems, there are keys and then there are keys. Two basic types of SSH keys are the ones you type from the keyboard, and the ones I think you are thinking of as "keyless" are the public/private keys set up so that if you issue a keyset to a remote user, they can log in simply by using their name because the computer is auto-supplying the stronger key. It does not mean "leave your system wide open".
And since it is a "horseshoes and hand grenades" type game, brute force is the only option. Like I said, it was my understanding that this was the whole purpose of ssh, and using it without them is akin to installing a laser perimeter alarm -- then never plugging it in.
This is probably why my man at NASA says no one has got in that way in 10 years (ie, the entire time). If brute force attacks are all you guys are worried about, I'm gonna say you're beyond paranoid -- you're totally insane
Last edited by MK27; 01-27-2010 at 02:08 PM.