| Summary: | Change sshd default setting to publickey only | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Justus Ranvier <gentoo> |
| Component: | Default Configs | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | enhancement | CC: | security |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
That's what stuff like fail2ban is for. Changing the default would screw tons of people (and you can always do it yourself if it fits your situation). Re-assigning to maintainer. and I think this could be closed as invalid since it has been the default behaviour of all main distros for ages. If your box is so vulnerable, subscribe to security-basics@securityfocus.com (or so). This is often discussed, and, each time, redundant. Personnally i'm now using fail2ban. sorry, but not a chance will this change be made |
The default configuration of sshd as is is shipped allows challenge-response authentication. This is unsafe for any computer with a direct connection to the internet. A safer default is to set "ChallengeResponseAuthentication" to "no" since the odds of an attacker brute-forcing a public key are much lower than the odds of brute-forcing a password. I get several of these attacks per day from various locations: Aug 15 08:42:58 [sshd] Invalid user mariusz from 67.19.131.244 - Last output repeated 12 times - Aug 15 08:43:04 [sshd] Invalid user barbara from 67.19.131.244 - Last output repeated 12 times - Aug 15 08:43:10 [sshd] Invalid user szpunar from 67.19.131.244 - Last output repeated 12 times - Aug 15 08:43:15 [sshd] Invalid user andrzej from 67.19.131.244 - Last output repeated 12 times - Aug 15 08:43:21 [sshd] Invalid user szef from 67.19.131.244 - Last output repeated 12 times - and so on