C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
I thought passwords would be encrypted.
using a password one character off from the previous
I took it down 144 days ago because I went somewhere for summer vacation and took the server (it's in a virtual machine) with me. Before that it had been running for at least 2 years.
cyberfish@servhost:~$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 3
model name : Intel(R) Celeron(R) CPU 2.40GHz
stepping : 4
cpu MHz : 2392.035
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 5
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc up pebs bts pni dtes64 monitor ds_cpl cid xtpr
bogomips : 4784.07
clflush size : 64
power management:
cyberfish@servhost:~$ uptime
20:35:54 up 144 days, 35 min, 1 user, load average: 0.00, 0.03, 0.01
Apache, Postfix, SMBD in a virtual machine with snapshot backup. Host has RAID-5.
Just upgraded from P3 to Celeron a few years ago.
Slicehost is unmanaged, but it has good documentation and support.
Originally Posted by DavidP
I do not know about the current state of affairs, but back when I had an account with them, GrokThis had very good support. However, if I remember correctly, I did not choose VPS Village in the end because I felt Slicehost's admin console and documentation were better. (Though in retrospect the documentation is actually more widely applicable than just Slicehost, so somewhat ironically this should not have been a factor.)
Originally Posted by MK27
This should be true of any VPS as well, though your choice of OS may or may not be limited. But I guess that having physical access to the hardware is a nice feeling.
Originally Posted by jeffcobb
Why not disable password authentication? Alternatively, use a sudoer account, disable root login via SSH, and install denyhosts.
Originally Posted by jeffcobb
Look up a C++ Reference and learn How To Ask Questions The Smart Way
Originally Posted by Bjarne Stroustrup (2000-10-14)
This is excessively paranoid. I started work last year on a dedicated server for a "medium profile" public figure. We use ssh there; I had some security concerns because of some work I was doing and wanted to discuss this with one of the other staff, who's a C++ programmer for NASA. These had nothing to do with ssh, but in any case, he said there'd been no successful, noticeable break-ins on the site in a decade.
@zacs7: what counts as "an attack" here? Some bot scanning ports? They're irritating, but I do not think they are actually attempting anything malicious beyond surveying.
Last edited by MK27; 01-27-2010 at 09:30 AM.
If you did want to get a really cheap computer, I have three of the Atom based processors. The whole system only cost me $140 each (that's with a 200GB HD and 2GB memory). Here is a list of these.
This is excessively paranoid.
My thoughts as well. I used to administer some servers running Mac OS X, on which we had SSH running non-stop on the standard port.
What about using public/private key authentication in addition to a password?
Last edited by MK27; 01-27-2010 at 10:06 AM.
I always do that. Although it is probably true that using a non-standard port makes you less of a target, I find it somewhat of an attempt at security through obscurity. I reason that as long as the accounts that can be accessed via SSH have good passwords (especially with denyhosts limiting the number of incorrect tries), or are restricted to key based authentication, it should be good enough.
Originally Posted by DavidP
I do not think that that makes it any more secure than just using a password. In fact, it might arguably make it less secure, since there are two things to keep secret instead of one (i.e., the password and the private key, or the password and the password protecting the private key), yet either one is enough. But if you disable password authentication and just use key based authentication, then you still have only one thing to keep secret.
Originally Posted by DavidP
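The two hardening suggestions in the posts above (disable password authentication and root login over SSH; rely on key-based authentication alone) can be checked mechanically. The following is an added example, not code from the thread; the two config texts are constructed samples, and it assumes OpenSSH's rule that the first occurrence of a keyword in sshd_config wins.

```python
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above (no password auth, no root login, key-only). The two
# config texts below are constructed samples, not anyone's real server.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
# Per keyword: value sshd assumes when the keyword is absent (OpenSSH 7.x
# defaults; older releases default PermitRootLogin to yes) and accepted values.
RULES = {
    "PermitRootLogin": ("prohibit-password", ("no", "prohibit-password")),
    "PasswordAuthentication": ("yes", ("no",)),
    "ChallengeResponseAuthentication": ("yes", ("no",)),
    "PubkeyAuthentication": ("yes", ("yes",)),
}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd uses the FIRST occurrence of a
    keyword, so a hardened line appended at the bottom is ignored if a weak
    one sits above it. Stops at a Match block (conditional, review separately)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)            # first occurrence wins
    return settings

def audit(text):
    """Return (keyword, effective value, recommended value) per weak setting."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (default, accepted) in RULES.items():
        actual = cfg.get(key.lower(), default)
        if actual not in accepted:
            findings.append((key, actual, accepted[0]))
    return findings
```

Note that the weak sample is flagged for ChallengeResponseAuthentication even though it never mentions it: an absent keyword takes sshd's default, which still permits keyboard-interactive password prompts.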
Re: VPS vs using your own hardware: That may be... for a control freak, having physical access to the HW is nice though. Just a personality quirk, plus knowing I can up my hardware anytime I need at no additional cost (as long as the hardware is lying about the house) is nice too. However I know this is not for everyone and to an extent, while this has some practical advantages, my setup has also been a fun learning experience, knowing I can go from bare metal to working webserver. Same thing goes for my mail server.
Re: SSH. All good points and suggestions. As rarely as I need to do this (like once every other year) this crosses the pain threshold. I may still do this at some point but logging into the firewall and disabling the port forward rule takes seconds. Still not a good excuse for slothfulness but it's the only one I have...
^__^
Jeff
The attacks are real. Here is one posting on the subject:
Slow brute force server security - distributed slow SSH brute-force attacks - slow vs fast brute force attacks run over days or weeks and are distributed from an IP net of hundreds of IPs
This is just one of many. It describes exactly what I was seeing. With your SSH on a standard port you are one password away from being owned. Setting a strong password here really doesn't seem paranoid.
Further, moving the ssh to a non-standard port stopped the attempts altogether...so if I have discouraged the zombies from even trying, is that considered overly paranoid?
That article, AFAICT, is exclusively about brute force attempts to crack passwords. I do not think a brute force attack on a key is very feasible (educated guess).
I'm pretty inexperienced here, but I am surprised to learn anybody uses ssh without keys. I thought the whole point of ssh was the public/private key system -- otherwise you might as well just use rlogin or something.
First, if you use a dodgy/lame key (password) then it's entirely possible it will get hacked and there are folks out there actively trying this. For every one of us "paranoids" out there, there are 50 knot-heads with a password like "sekrit". The hackers are not trying to get the careful ones, they are after the idiots. Darwin in action here.
As for the "keyless" systems, there are keys and then there are keys. Two basic types of SSH keys are ones you type from the keyboard and the ones I think you are thinking of as "keyless" are the public/private keys set up so that if you issue a keyset to a remote user, they can log in simply by using their name b/c the computer is auto-supplying the stronger key. It does not mean "leave your system wide open".
In ssh nomenclature, what you refer to as "keyless" are called keys, and they are clearly distinct from passwords. You cannot enter them on the keyboard. They are more than 1600 bytes. This is what I meant by "infeasible" by brute force. Isn't that 2^8^1600? Even if you made 4 attempts per second, I think this will take you more than a billion years...and you still won't be 1% done.
And since it is a "horseshoes and hand grenades" type game, brute force is the only option. Like I said, it was my understanding that this was the whole purpose of ssh and using it without them is akin to installing a laser perimeter alarm -- then never plugging it in.
This is probably why my man at NASA says no one has got in that way in 10 years (ie, the entire time). If brute force attacks are all you guys are worried about, I'm gonna say you're beyond paranoid -- you're totally insane.
Last edited by MK27; 01-27-2010 at 02:08 PM.
True enough; and I was generalizing. For password-based authentication however it makes nothing I said any the less valid. There is the old joke about "being paranoid doesn't mean they are not out to get you" but when I look at my server logs and find attempts to get in through everything from ssh to MS services from China, et al, I can honestly say they ARE out to get you. I/we may seem paranoid to you; you seem naive to me, that's for sure. I cannot speak to your friend at NASA but if security was as simple as you would have us believe, I would wager far fewer machines would be hacked and set up as part of zombie nets...the thing with the above-mentioned attack is that while brute force, due to the nature of the relaxed timing it often falls below the radar of the typical IDS and therefore can go on for years w/o detection. To me, the attack that you cannot even see coming, lame or not, is one of the most dangerous kinds...
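The slow, distributed campaign described in the posts above (one or two attempts per source IP, spread over hours or days, so a per-IP tool like denyhosts never trips) is easier to spot when failures are aggregated per target account rather than per source. The following is an added example, not code from the thread or from denyhosts; the auth.log lines are constructed, and it assumes the standard OpenSSH "Failed password for ... from ... port" message format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the thread): flag the slow, distributed SSH brute
# force described above, which per-IP blockers miss because each source makes
# only one or two attempts. The log lines below are constructed samples.
SAMPLE_LOG = """\
Jan 27 09:00:01 servhost sshd[1001]: Failed password for root from 198.51.100.10 port 40001 ssh2
Jan 27 09:12:37 servhost sshd[1007]: Accepted publickey for cyberfish from 203.0.113.5 port 50001 ssh2
Jan 27 09:17:44 servhost sshd[1012]: Failed password for root from 198.51.100.23 port 40002 ssh2
Jan 27 09:35:09 servhost sshd[1020]: Failed password for invalid user admin from 192.0.2.77 port 40003 ssh2
Jan 27 09:41:58 servhost sshd[1025]: Failed password for root from 198.51.100.41 port 40004 ssh2
Jan 27 10:03:12 servhost sshd[1031]: Failed password for root from 198.51.100.58 port 40005 ssh2
Jan 27 10:26:40 servhost sshd[1036]: Failed password for root from 198.51.100.72 port 40006 ssh2
Jan 27 10:49:05 servhost sshd[1040]: Failed password for root from 198.51.100.90 port 40007 ssh2
"""
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def parse_failures(text):
    """Return time-sorted (timestamp, user, ip) for failed-password lines only."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year; fine for relative spacing
            found.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]))
    return sorted(found)

def detect_slow_bruteforce(text, window=timedelta(hours=24), min_ips=5):
    """Per account, slide a window over its failures and report the window with
    the most distinct sources if that count reaches min_ips. Each alert is
    (user, distinct_ips, failures, max_attempts_from_one_ip); the last field
    shows why a per-IP threshold never fired."""
    by_user = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_user[user].append((ts, ip))
    alerts = []
    for user, events in by_user.items():
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                         # drop events older than window
            per_ip = defaultdict(int)
            for _, ip in events[start:end + 1]:
                per_ip[ip] += 1
            if len(per_ip) >= min_ips and (best is None or len(per_ip) > best[1]):
                best = (user, len(per_ip), end - start + 1, max(per_ip.values()))
        if best:
            alerts.append(best)
    return alerts
```

In the sample, root collects six failures from six different addresses in under two hours, one attempt each, so a per-IP limit of three never fires while the per-account view flags it immediately.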