On Tue, Aug 03, 2010 at 12:06:13PM -0400, Richard Pieri wrote:
> > They can launch the same brute force attack and/or go for exploits
> > against ssh. Or an ipsec vpn. Or anything public-facing. But
>
> No, they can't, not with SSH. A brute-force attack cannot work
> without the correct half of the key pair.

Sure it can; all you need to do is brute-force the key. It's just a
string of bits, after all... What makes it effective is it takes much,
much longer to do that, such as to make it impractical. But it can be
done.

> There are other potential avenues of attack against SSH but they are
> harder than SSL because SSH is auth + encryption while SSL is just
> encryption, unless you use X.509 authentication.

This is crazy. Because SSL + auth-digest is auth + encryption... And
auth + encryption = auth + encryption. It doesn't matter that it's at a
different layer; it's still auth required. Actually it does matter,
because since the server provides a public service, your method *does
not work*. Granted, the authentication is weaker. But Jarod's MythTV
server isn't Fort Knox; it's good enough.

> > seriously, who is going to expend the effort brute-force attacking my
> > mythtv box to delete some recordings?
>
> "Whoever broke into David Kramer's MythTV box" is a good start to that list.

False. They did no brute-force hacking; David's server was open. If it
were not, it's almost a guarantee that there would have been no
follow-up brute force attack.

> The idea is to make it so damned difficult that the attacker gives up.

More correctly, the idea is to make it difficult enough that the rewards
are no longer worth the attacker's time. By adding auth-digest, Jarod
did exactly that. It's not going to stop a hard-core hacker that is
targeting Jarod explicitly; but then very little will. It *will* stop
the script kiddies, if Jarod has any sense about choosing passwords.

There's some gray area in between; that's where it's up to Jarod to
decide how much effort it's worth to put into securing his system vs.
the cost (time or money) to recover from the likely exploits leveled at
him. That's what security is about.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail due to spam prevention. Sorry for the
inconvenience.
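The exchange above turns on a quantitative point: a key or a password is "just a string of bits", so exhaustive guessing always works in principle, and what decides whether it is practical is the size of the search space and the rate at which guesses can be made. The following Python script is an added example, not code from this thread or from MythTV, that makes that comparison explicit. The guess rates (10^10/s offline against captured material, 10/s online against a rate-limited login), the 112-bit security estimate used for a 2048-bit RSA key, and the 100-year "impractical" horizon are assumptions chosen for illustration, not measurements.

```python
"""Brute-force effort estimator: how long would exhaustive guessing take?

Added example for the mailing-list discussion above; not code from the
thread or from any project it mentions. Every rate and security level
below is a constructed assumption for illustration.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed assumptions for the worked comparison.
OFFLINE_GUESSES_PER_SEC = 1e10   # attacker holds captured key/hash material, no rate limit
ONLINE_GUESSES_PER_SEC = 10.0    # network login attempts against a live, rate-limited service
RSA_2048_SECURITY_BITS = 112     # assumed symmetric-equivalent strength of a 2048-bit RSA key
IMPRACTICAL_HORIZON_YEARS = 100.0  # assumed threshold beyond which an attack is not worth it


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy (bits) of a password drawn uniformly from `charset_size` symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one character")
    return length * math.log2(charset_size)


def expected_years_to_guess(entropy_bits: float, guesses_per_sec: float) -> float:
    """Expected time in years to hit the right value.

    On average the attacker searches half the space, i.e. 2**(bits-1) guesses.
    """
    if guesses_per_sec <= 0:
        raise ValueError("guess rate must be positive")
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def is_practical(entropy_bits: float, guesses_per_sec: float,
                 horizon_years: float = IMPRACTICAL_HORIZON_YEARS) -> bool:
    """True if the expected brute-force time falls within the attacker's horizon."""
    return expected_years_to_guess(entropy_bits, guesses_per_sec) <= horizon_years


def min_length_for_bits(charset_size: int, target_bits: float) -> int:
    """Smallest password length over `charset_size` symbols reaching `target_bits`."""
    per_char = math.log2(charset_size)
    return max(1, math.ceil(target_bits / per_char))


def compare_scenarios() -> dict:
    """Run the comparison the thread argues about and return the results by name."""
    alnum = 62  # [A-Za-z0-9]
    scenarios = {
        "4-digit PIN, online": (password_entropy_bits(10, 4), ONLINE_GUESSES_PER_SEC),
        "6-char alnum, offline": (password_entropy_bits(alnum, 6), OFFLINE_GUESSES_PER_SEC),
        "12-char alnum, online": (password_entropy_bits(alnum, 12), ONLINE_GUESSES_PER_SEC),
        "12-char alnum, offline": (password_entropy_bits(alnum, 12), OFFLINE_GUESSES_PER_SEC),
        "RSA-2048 key, offline": (RSA_2048_SECURITY_BITS, OFFLINE_GUESSES_PER_SEC),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "years": expected_years_to_guess(bits, rate),
            "practical": is_practical(bits, rate),
        }
        for name, (bits, rate) in scenarios.items()
    }


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        verdict = "PRACTICAL" if r["practical"] else "impractical"
        print(f"{name:24s} {r['bits']:6.1f} bits  {r['years']:12.3e} years  {verdict}")
    print("alnum length for 80 bits:", min_length_for_bits(62, 80))
```

The two things the table makes visible are the ones the thread argues over: a key is brute-forceable only in the sense that the expected time is astronomically beyond any horizon, while a password-protected service lands on either side of the line depending on password length and on whether the attacker is held to the online guess rate. That is why the closing point about choosing sensible passwords does the real work once digest auth is in place.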