[Gllug] ssh brute force attacks

Lesley Binks lesleyb at pgcroft.net
Wed Dec 10 14:46:57 UTC 2008


On Tue, Dec 09, 2008 at 09:06:14AM +0000, Hari Sekhon wrote:
> Nix wrote:
> > On 8 Dec 2008, Hari Sekhon said:
> >   
> >> 1) You still end up with lots of garbage in your logs from failed 
> >> attempts by not preventing attempts
> >>     
> >
> > Ooh dear. Use a decent syslogd like syslog-ng to filter them out.
> >   
> Already done, but filtering out this stuff is a terrible thing to do. I 
> have built log servers with complex stratification of logs and 
> monitoring rule sets but I would never, ever just ignore garbage in the 
> logs by filtering it out at source or sending it to a destination I 
> don't check! That's almost as bad as not having logs because you 
> lose/discard part of your information. The best thing is to investigate 
> and prevent problem logs for tighter administration.
> 
> >> 2) You may need to use passwords at some time, because not everyone will 
> >> have keys or can be trusted to properly secure their keys etc...
> >>     
> >
> > If someone doesn't have a key, give him one. If he won't accept one, he
> > can't log in. It's that simple. Not everyone can be trusted to secure
> > their keys? Then passphrase them: if they can't keep the passphrase
> > secure, then they can't keep their passwords secure either.
> >   
> I think keys are the way to go, I use them extensively myself, and I 
> have forced this in some usage cases, not sure about all cases though, I 
> think it may depend on the users, but you have good points here.
> 
Okay ... what's the situation with a nicked/lost laptop carrying such
keys?  Supposing they can crack the laptop passwords or gain access to
disk info some other way - how secure is key-based authentication then?
I just feel it's bolted the doors in one place but left them wide open in
another.

As far as I can see they've only one problem to solve - the laptop
password - as opposed to having yet another password to crack which is
largely dependent on their skill level.

I've seen a lot of people say how fantastic it is but I remain to be
convinced that key-based is the *only* way to go and is the most secure way
of dealing with things in every situation.

But then I am not supporting any number of users who might not choose secure passwords.

Regards

Lesley

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



