Posted by: Anonymous
on January 26, 2008 02:19 AM
I think SSH access is OK, but disabling SSH login by password is a good idea. Permit authentication by key pair only (and of course, don't use a key pair with no password <g>) for your remote SSH access. Granted, this leaves you vulnerable if someone does all of the following:
A) Steals your laptop
B) Coerces your SSH key passphrase from you by force/threat of force (you're not storing the key unencrypted on your notebook, right?)
C) Knows your home domain or IP address
However, the risk of all three of those happening is sufficiently low for me or most ordinary people that this level of security is more than good enough. But if for any reason that's not, even if you're just paranoid (but are you paranoid enough?), then add port-knocking to the mix.
That level of security is more than enough to defeat any automated attacks run by bots. Those are just looking for low-hanging fruit to turn into spam bots. Mostly, they are looking for Windows machines, too. For the few people able to even take a shot at defeating a system using key-based SSH authentication or port-knocking (that doesn't mean succeed, it just means make the attempt), most of them are unlikely to bother unless they already know you have something they want. No one just looking to build a botnet or spread malware will bother with you if you have really tight security. The people who might bother with really tight security are typically more interested in higher-profile or higher-profit targets than a home user with a very well-secured machine.
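An added example, not part of the comment above: a small audit of `sshd_config` text that checks whether password login is really off and only key pairs are accepted. It assumes upstream OpenSSH defaults and first-value-wins parsing, does not follow `Include` files, and uses constructed sample configs.

```python
import re

# Upstream OpenSSH defaults for the keywords that decide whether a password is accepted.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated alias still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_PATHS = ("passwordauthentication", "kbdinteractiveauthentication")

def audit(config_text):
    """Return findings; an empty list means only key-pair login is accepted."""
    effective, findings, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting leaves the default in force
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value  # everything below applies only to this Match block
        elif key in DEFAULTS:
            setting = value.split()[0].lower() if value else ""
            if match is None:
                effective.setdefault(key, setting)  # sshd uses the first value it reads
            elif key in PASSWORD_PATHS and setting != "no":
                findings.append(f"Match {match}: {key} re-enabled")
    for key, default in DEFAULTS.items():
        setting = effective.get(key, default)
        if key in PASSWORD_PATHS and setting != "no":
            findings.append(f"global: {key} is {setting}")
        elif key == "pubkeyauthentication" and setting == "no":
            findings.append("global: pubkeyauthentication is no, keys cannot log in")
    return findings

# Constructed sample configs, not taken from any real host.
WEAK = """Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
"""
HARDENED = """PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
"""
OVERRIDE = HARDENED + "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(name, audit(text) or "key-only login enforced")
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is the authoritative check.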