Re: Mitigate FTP



If you use ssh (server) with scp (in clients) using cryptographic key
authentication and in your ssh server you disable the user-pass
functionality you will be invulnerable to a brute force. It is not
difficult to implement and users only need to have the key generated by
you.
If you are interested I will send you more details.

Sorry for my English




On Thu, Oct 16, 2008 at 7:24 PM, Gary E. Miller <gem@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo All!

I am surprised no one has mentioned ftp with TLS (RFC 4217). It allows
you to use familiar FTP clients and procedures but allows you to have
the peace of mind of encrypted connections. Some clients, like IBM
mainframes have FTP/TLS installed by default but push back against
SSH/SFTP.

Also, all of these (FTP, FTP/TLS, SFTP, SSH) are still vulnerable to
brute force username/password attack. Blocking hosts on multiple bad
login attempts used to work, but now I see these dictionary attacks being
launched from botnet armies that only try 3 times a host against my
server. To mitigate dictionary attacks you have to use really long
passwords, one time passwords or public/private keys. None of these is
very user friendly.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem@xxxxxxxxxx Tel:+1(541)382-8588

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFI978KBmnRqz71OvMRAkOZAKC19OskJKsd9qyMCen/LGx3wFpcuwCgm/bf
70OgT5JM8kVNGfmdiZEoo7E=
=FTxJ
-----END PGP SIGNATURE-----


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
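The two points raised in this thread, disabling password authentication on the ssh server so only keys are accepted, and the observation that per-host blocking misses a botnet that tries only three passwords per source address, can both be turned into something you can check. The script below is an added example written for this page, not code from either poster or from OpenSSH. It is POSIX sh plus awk; the sample sshd_config fragments and auth.log lines it writes are constructed here (documentation IP ranges, invented PIDs), and the file names `hardened.conf`, `weak.conf` and `auth.log` are this example's own. It assumes the OpenSSH rule that the first occurrence of a directive wins and the stock defaults for directives that are absent; it does not model `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only
# authentication, and summarise failed-password attempts per account across
# source hosts, which is the view that still sees a "3 tries per host" botnet.

# Effective value of a directive. OpenSSH takes the FIRST match in the file,
# commented lines (#Directive) do not count, and an absent directive falls back
# to the default passed as $3. Match blocks are not modelled here (assumption).
sshd_directive() {
    # $1 = config file, $2 = directive name (case-insensitive), $3 = default
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Returns 0 when only public-key auth can succeed, 1 otherwise (with reasons).
# Note: newer OpenSSH spells ChallengeResponseAuthentication as
# KbdInteractiveAuthentication; this check uses the name from the 2008 era.
check_sshd_config() {
    rc=0
    if [ "$(sshd_directive "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "weak: PasswordAuthentication is not 'no' (default is yes)"; rc=1
    fi
    if [ "$(sshd_directive "$1" ChallengeResponseAuthentication yes)" != "no" ]; then
        echo "weak: ChallengeResponseAuthentication is not 'no' (keyboard-interactive still accepts passwords)"; rc=1
    fi
    if [ "$(sshd_directive "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "broken: PubkeyAuthentication is not 'yes', nobody could log in with keys"; rc=1
    fi
    return $rc
}

# Per-account summary of "Failed password for ..." lines: prints
# "<user> <attempts> <distinct_source_hosts>", most attempts first.
# Blocking a host after N failures never fires when each bot stops at 3;
# counting per target account across all hosts does.
failed_logins_by_user() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # user is the word before "from", host the word after it; this
            # holds for both "for root from" and "for invalid user admin from"
            for (i = 1; i <= NF; i++) if ($i == "from") { u = $(i-1); h = $(i+1); break }
            attempts[u]++
            if (!((u, h) in seen)) { seen[u, h] = 1; hosts[u]++ }
        }
        END { for (u in attempts) print u, attempts[u], hosts[u] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample inputs written into directory $1.
write_samples() {
    cat > "$1/hardened.conf" <<'EOF'
# constructed: key-only sshd_config
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    cat > "$1/weak.conf" <<'EOF'
# constructed: stock-like file, password auth left at its default (yes)
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    : > "$1/auth.log"
    # four bots, three tries each against root: 12 failures, 4 hosts
    for h in 5 6 7 8; do for n in 1 2 3; do
        printf 'Oct 16 19:24:0%s bastion sshd[21%s%s]: Failed password for root from 203.0.113.%s port 5123%s ssh2\n' \
            "$n" "$h" "$n" "$h" "$n"
    done; done >> "$1/auth.log"
    cat >> "$1/auth.log" <<'EOF'
Oct 16 19:30:10 bastion sshd[2190]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct 16 19:30:12 bastion sshd[2191]: Failed password for invalid user admin from 198.51.100.8 port 40002 ssh2
Oct 16 19:31:00 bastion sshd[2200]: Accepted publickey for gary from 203.0.113.50 port 50000 ssh2
EOF
}

# Run with "--demo" to see the audit on the constructed samples.
if [ "$#" -gt 0 ] && [ "$1" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in hardened.conf weak.conf; do
        echo "== $f"; check_sshd_config "$d/$f" && echo "ok: key-only authentication"
    done
    echo "== failed password attempts per account (attempts, distinct hosts)"
    failed_logins_by_user "$d/auth.log"
    rm -rf "$d"
fi
```

Running it with `--demo` reports the stock-like file as weak on both password directives, passes the hardened one, and lists root with 12 attempts from 4 hosts even though no single host exceeded three tries; that per-account count is the number to alert on, and with `PasswordAuthentication no` in effect those attempts cannot succeed in the first place.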
