New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Yes.
I have two words for you:
youmyfriendare goingtohollywood
I applaud you, most people would buy a VPS and change the root password and leave it at that, so congratulations on being smart and wanting to secure your server!
Thank you very much!
Make ssh key
Name your ssh key "key" and that code below pastes the pub into auth* keys and gives you your priv key to use.
The fact that you know what fail2ban/authentication keys, you probably have done that before, so i have no idea why you didnt use google.
I thought maybe there is more that i don't know about and is this what i know enough
yes secure > /bin/bash
should keep people out.cat "key"
Fail. You need to make the key pair on your client machine, and paste the public key to the server. There is no reason for a private key to ever go over the network. And I recommend
-t ecdsa -b 521
over-t rsa -b 4096
, it's faster and probably stronger. http://crypto.stackexchange.com/questions/2482/how-strong-is-the-ecdsa-algorithmValid point.
I've got no clue about cryptography and so far I assumed I wouldn't get hacked on my servers over ssh by making the keys on the server. I've been making my keys in the last 1,5 month on my servers, so I assume this is a bad habit needing to stop. Thanks.
Though, my projects aren't worth hacking, though botnets don't care about that.
secure ssh https://www.namhuy.net/999/how-to-install-config-and-secure-openssh-server.html or better yet use ssh keys https://www.namhuy.net/2433/ssh-login-without-password.html
i have fail2ban, using key, using sftp, firewall blocked all incoming except ssh which is not 22, blocked 25, now i need monitoring like Oessc. Is this secure enough?
No, you fail. DSA has problems with weak random number generators. The performance gain is non existent on any VPS OP might ever use. If OP is unlucky then it does not work on his client device.
RSA works flawlessly and is well tested.
If the connection can be spied on then it obviously doesn't fucking matter if he transfers they key used for the connection over aforementioned connection.
No? If an attacker that can only passively eavesdrop sees a private key, he/she can now log in. If only a public key, then not.
ecdsa is not dsa. Please produces cites showing why ecdsa is weak. Update: I think I found it, yes, ecdsa has problems with completely broken random number generators (reusing k value). I think it's unlikely RSA works properly with completely broken random number generators either.
Entropy is another reason why you generate the keypair on a real desktop rather than in a VPS, by the way.
First of all a rule of thum: don't trust NIST.
Yes, ECDSA is bad for SSH, but RSA is vunerable to weak random number generators too. The Linux random number generator isn't that good at all if you don't provide enough entropy. Well, on OpenSSH, 4096bit RSA keys will be safe but the EdDSA ed25519 algorithm will be better, but it will broke compatibility with old versions of OpenSSH (<6.5).
To generate those keys you should use:
ssh-keygen -t ed25519
Other option to look is
-a
that defaults to 16 rounds. Changing the default to a higher number will slow down the passphrase verification, making brute force attacks more difficult. A number of 1000 rounds will take ~30sec to verify the passphrase;The key exchange cipher is important too, from OpenSSH 6.7 it supports the diffie-hellman EC ciphers and from 6.5 the curve25519-sha256 cipher. I would not trust the NIST ciphers as it has a bad history of being weak on purpose. To specify the key-ex cipher avaiable and it's order to use what is safest you should add to your
sshd_config
:If you use GitHub, it still use some insecure ciphers so you can add it to match only the GitHub servers:
Depending on your version, some other steps should be required so, take a time to actually READ this page and finish your configuration.
Interesting. My servers' ssh connections frequently time out and it's damn annoying. I'm not sure what I'do if my keys took 30 to decipher themselves by the passhphrase.
It's not an unreasonable choice by any means. The tradeoff in crypto is always that older algorithms have more known flaws, while newer algorithms might have more unknown flaws. Admittedly, ed25519 is designed to require strong RNG only during key generation, and that is a plus over ecdsa. I do not worry about this, because I believe you have to be doing something pretty unusual for randomness to totally fail on Linux (e.g., you're running ssh from a headless system that lacks the usual sources of entropy). Broken OpenSSL RNG in 2008 was, of course, quite an eye-opener for everyone. But, remember, ed25519 is just one step of the process. Thinking you have security over your whole process despite broken RNG can't be right.
Set
ServerAliveInterval 300
to avoid timeouts ...But fiddling with
-a
is IMHO pure security theatre.Stribika's blog article has a nice article on SSHD config. Essentially, use a good-quality set of pre-generated group parameters in
/etc/ssh/moduli
for DH-SHA2. Combine it with a good selection of Ciphers and MACs.I use HAVEGED to populate the entropy pool.
To mitigate an attack, I would suggest adding