[Gllug] ssh brute force attacks

Jose Luis Martinez jjllmmss at googlemail.com
Wed Dec 10 16:28:02 UTC 2008


2008/12/10 Lesley Binks <lesleyb at pgcroft.net>:
> On Tue, Dec 09, 2008 at 09:06:14AM +0000, Hari Sekhon wrote:
>> Nix wrote:
>> > On 8 Dec 2008, Hari Sekhon said:
>> >
>> >> 1) You still end up with lots of garbage in your logs from failed
>> >> attempts by not preventing attempts
>> >>
>> >
>> > Ooh dear. Use a decent syslogd like syslog-ng to filter them out.
>> >
>> Already done, but filtering out this stuff is a terrible thing to do. I
>> have built log servers with complex stratification of logs and
>> monitoring rule sets but I would never, ever just ignore garbage in the
>> logs by filtering it out at source or sending it to a destination I
>> don't check! That's almost as bad as not having logs because you
>> lose/discard part of your information. The best thing is to investigate
>> and prevent problem logs for tighter administration.
>>
>> >> 2) You may need to use passwords at some time, because not everyone will
>> >> have keys or can be trusted to properly secure their keys etc...
>> >>
>> >
>> > If someone doesn't have a key, give him one. If he won't accept one, he
>> > can't log in. It's that simple. Not everyone can be trusted to secure
>> > their keys? Then passphrase them: if they can't keep the passphrase
>> > secure, then they can't keep their passwords secure either.
>> >
>> I think keys are the way to go, I use them extensively myself, and I
>> have forced this in some usage cases, not sure about all cases though, I
>> think it may depend on the users, but you have good points here.
>>
> Okay ... what's the situation with a nicked/lost laptop carrying such
> keys?  Supposing they can crack the laptop passwords or gain access to
> disk info some other way - how secure is key-based authentication then?
> I just feel it's bolted the doors in one place but left them wide open in
> another.

You are correct, key-based authentication is far from perfect.

Let's be more extreme: somebody can coerce you to provide the password
to the laptop. That would be it security-wise.


>
> As far as I can see they've only one problem to solve - the laptop
> password - as opposed to having yet another password to crack which is
> largely dependent on their skill level.
>
> I've seen a lot of people say how fantastic it is but I remain to be
> convinced that key-based is the *only* way to go and is the most secure way
> of dealing with things in every situation.

The more secure way that I have seen is one-time passwords combined
with personal, static ones. I have seen this implemented with tokens,
but there are also solutions out there using mobile phones or pagers.

With this setup you can also assign a "panic" password, which somebody
could type if under duress. This would alert the system administrators
about their machines having been compromised without endangering the
well-being of somebody with a gun pointed to his head!


>
> But then I am not supporting any number of users who might not choose secure passwords.

Choose? There is no choice, there shouldn't be.

>
> Regards
>
> Lesley
>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
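
The one-time password plus static password scheme with a "panic" password described in the message above, sketched as an added example (not code from the thread). It assumes an event-based HOTP token (RFC 4226), which the thread does not specify; `Account`, `login`, the PINs and the salt are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Static PINs are stored only as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Account:
    """Hypothetical per-user record: token secret, two PIN hashes, counter."""
    def __init__(self, secret: bytes, salt: bytes, pin: str, panic_pin: str):
        self.secret = secret
        self.salt = salt
        self.pin_h = pin_hash(pin, salt)
        self.panic_h = pin_hash(panic_pin, salt)
        self.counter = 0  # next token counter value not yet used

def login(acct: Account, pin: str, otp: str, alerts: list, window: int = 3) -> bool:
    """Both factors must match. The panic PIN gets the same True result as
    the normal PIN, so an onlooker sees a normal login, but it also records
    an out-of-band alert for the administrators."""
    matched = None
    for c in range(acct.counter, acct.counter + window):  # tolerate skipped presses
        if hmac.compare_digest(hotp(acct.secret, c).encode(), otp.encode()):
            matched = c
            break
    h = pin_hash(pin, acct.salt)
    normal = hmac.compare_digest(h, acct.pin_h)
    panic = hmac.compare_digest(h, acct.panic_h)
    if matched is None or not (normal or panic):
        return False
    acct.counter = matched + 1  # burn the code so it cannot be replayed
    if panic:
        alerts.append("duress login")
    return True

if __name__ == "__main__":
    alerts = []
    # Constructed sample account; the secret is the RFC 4226 test key.
    acct = Account(b"12345678901234567890", b"constructed-salt", "4921", "4129")
    print(login(acct, "4921", hotp(acct.secret, 0), alerts), alerts)
    print(login(acct, "4129", hotp(acct.secret, 1), alerts), alerts)
```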



