[darcs-users] ssh path

Jorey Bump list at joreybump.com
Fri Nov 23 13:48:45 UTC 2007


Yitzchak Gale wrote, at 11/22/2007 07:42 AM:

> Unfortunately, on today's Internet any server with
> the standard SSH port open gets continuously
> hammered by hundreds of botnet zombies that
> try to find username/password combinations by
> brute force. Disabling password authentication
> does not help - the zombies still hammer you.
> So you just can't use the standard port anymore.

How does this not apply to WebDAV, as well? When your server is hammered 
by botnets trying to brute force your WebDAV repository, will you move 
it to another port? Brute force attacks are directed against any service 
that uses password authentication, not just SSH. Disabling password 
authentication certainly does help protect the resource, but so does 
enforcing reasonable login/password best practices to avoid the low 
hanging fruit these bots seek.

Using iptables on Linux, it's trivial to block common brute force 
attacks against SSH using the recent module:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This stops brute force attacks in their tracks, and prevents the 
attempts from filling up the logs. Beyond that, I don't allow root 
logins, and make good use of AllowUsers, AllowGroups and other 
configuration parameters to harden SSH.

> Finally - although SSH is still widely used and
> widely supported, it is officially viewed as
> deprecated by the IETF. 

?

> Like other VCSs,
> we should start migrating towards WebDAV
> over an encrypted channel.

I understand why you'd want support built directly into a client, but 
why can't you mount a WebDAV directory and use it with Darcs? Why should 
applications include extra code (with potential bugs and security 
risks) to deal with a service that can be provided by the OS? If SSH, 
WebDAV, and other protocol support is lacking on Windows, it's hardly 
fair to blame Darcs.
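As an added illustration (not part of Jorey's post, and not darcs code), here is a small Python model of what the two iptables rules quoted above do to NEW connections on port 22. It models the documented xt_recent behaviour: --update matches only when the source is already in the recent list and was last seen within --seconds, refreshing its timestamp on a match; --set records the source unconditionally. The addresses and timings in the trace are constructed for the example.

```python
# Added example (not from the post): models the post's two iptables rules
#   -m recent --update --seconds 15 -j DROP
#   -m recent --set -j ACCEPT
# so the effect of the 15-second window can be seen on a constructed trace.

WINDOW_SECONDS = 15  # the --seconds value used in the post's rules


class RecentModel:
    """Models the xt_recent 'last seen' list that both rules consult."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.last_seen = {}  # source address -> time of its last recorded hit

    def new_connection(self, src, now):
        """Decide a NEW TCP connection to port 22 from `src` at time `now`.

        Returns "DROP" (rule 1 matched) or "ACCEPT" (rule 2 matched).
        """
        last = self.last_seen.get(src)
        # Rule 1: --update --seconds 15 -j DROP. Matches if src is in the
        # list and was seen within the window; a match refreshes the timestamp.
        if last is not None and now - last <= self.window:
            self.last_seen[src] = now
            return "DROP"
        # Rule 2: --set -j ACCEPT. Record (or re-record) src and let it in.
        self.last_seen[src] = now
        return "ACCEPT"


def simulate(events, window=WINDOW_SECONDS):
    """Run a time-ordered list of (seconds, src) NEW-connection events
    through the rules; returns [(seconds, src, verdict), ...]."""
    model = RecentModel(window)
    return [(t, src, model.new_connection(src, t)) for t, src in events]


def verdicts_for(results, src):
    """Verdict sequence for one source address, in time order."""
    return [v for _, s, v in results if s == src]


# Constructed trace using documentation addresses: a bot retrying every few
# seconds, and a legitimate user who logs in and reconnects later.
BOT, USER = "203.0.113.7", "198.51.100.20"
ATTEMPTS = [
    (0, BOT),    # first attempt: not in the list yet -> ACCEPT, recorded
    (1, USER),   # user's first login -> ACCEPT, recorded
    (3, BOT),    # 3 s after its last hit -> DROP, timestamp refreshed to 3
    (6, BOT),    # DROP, refreshed to 6
    (20, BOT),   # 20 s after the first attempt, but only 14 s after the
                 # refreshed timestamp -> still DROP
    (40, USER),  # 39 s since the user's last hit -> ACCEPT
    (40, BOT),   # bot backed off 20 s (> 15) -> one attempt gets through
]

if __name__ == "__main__":
    for t, src, verdict in simulate(ATTEMPTS):
        print(f"t={t:>3}s  {src:<15} {verdict}")
```

The trace makes the rule's real behaviour visible: each source gets one NEW connection per 15 seconds, every dropped retry extends the block (so a bot hammering continuously never gets back in), and a source that backs off for longer than the window gets a single attempt again rather than a permanent ban. The same logic throttles a legitimate host that opens several SSH sessions in quick succession; the recent module's --hitcount option is the usual way to allow a few connections per window before dropping.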



