Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Security Practices

from [Mark Senior] Network Security [Permanent Link]
Subject: RE: Security Practices
Date: Tue, 17 May 2005 11:14:47 -0600 
It sounds like you're well into the territory where the ciphers you use
are no longer the weakest link.

Spending more time on server hardening and host IDS; examining the long
term storage of the sensitive data; disabling features of the ssh server
you're not going to use (port forwarding, X11 forwarding, sftp - depends
on your requirements); requiring public key authentication rather than
passwords (if you can be sure your users will keept their private keys
encrypted at their end); all will get you more benefit.

On the cipher front though - CBC and CTR use different methods of
setting the initialization vector for the block cipher operations.  Both
are perfectly reasonable modes of AES. Using 4096 bit RSA keys certainly
won't do any harm (except slow down session establishment at bit), but
it won't get you much practical benefit over 2048 either.  Using SHA-1
MACs only might make a meaningful difference, however, as MD5 is getting
a bit old and hoary.

Regards
Mark


-----Original Message-----
From: David Busby [mailto:busby@edoceo.com] 
Sent: May 16, 2005 23:28
To: secureshell@securityfocus.com
Subject: Security Practices

List,
   I'm trying to get my a sshd setup as secure as possible, 
some folks I know what to send financial data over this.  
Right now I've got 2048bit RSA keys, aes256-cbc cipher 
(only), but all the MACs.  I'm thinking that I'll make my key 
4096bits to add some security.  Which cipher is the best?  I 
picked AES256 cause I believe AES to be the best, 256 was the 
largest.  What is the difference between CBC and CTR?  MAC of 
hmac-md5 is the best choice there correct?  Assume best means 
most secure even at the sacrifice of performance.  Thanks!

imperium bin # ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004 imperium bin # 
uname -a Linux imperium 2.6.10-gentoo-r6-edoceo #4 Sun May 1 
03:48:25 PDT 2005
i686 AMD Athlon(TM) XP 1700+ AuthenticAMD GNU/Linux

/djb



This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Security Practices, Nigel Stepp
Next by Date:  RE: Security Practices, Bryan McAninch
Previous by Thread:  RE: Security Practices, List Account
Next by Thread:  RE: Security Practices, Mark Senior
Indexes:  [Date] [Thread] [Top] [All Lists]