undefined | Better HN

0 pointssemi-extrinsic8y ago0 comments

No, the best solution is to only allow login by SSH keys. No passwords => brute-forcing is impossible. So your threat model for someone gaining access no longer includes someone using weak passwords.

0 comments

pmoriarty8y ago

If your ssh port is wide open and there's a remotely exploitable vulnerability, then using keys may not save you.

But there's no reason you couldn't use both keys and port knocking at the same time.

j / k navigate · click thread line to collapse

0 pointssemi-extrinsic8y ago0 comments

No, the best solution is to only allow login by SSH keys. No passwords => brute-forcing is impossible. So your threat model for someone gaining access no longer includes someone using weak passwords.

0 comments

pmoriarty8y ago

If your ssh port is wide open and there's a remotely exploitable vulnerability, then using keys may not save you.

But there's no reason you couldn't use both keys and port knocking at the same time.

j / k navigate · click thread line to collapse