Re: [gentoo-user] Curious pattern in log files from ssh...

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Dmitry S. Makovey" <dmitry@athabascau.ca>
To: gentoo-user@lists.gentoo.org
Cc: Steve <Gentoo_sjh@shic.co.uk>
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Date: Wed, 03 Dec 2008 15:11:30 -0700	[thread overview]
Message-ID: <200812031511.34593.dmitry@athabascau.ca> (raw)
In-Reply-To: <4936FE82.9070509@shic.co.uk>

[-- Attachment #1: Type: text/plain, Size: 2291 bytes --]

On December 3, 2008, Steve wrote:
> I have, in the past, used DSA only keys - but this was frustrating on
> several occasions when I wanted access to my server and didn't have my
> SSH keys available to me... I almost always connect using a key pair
> rather than a password - but the password option is very useful to allow
> me to get hold of my SSH keys in the first place in some environments.
> If I found a distributed attack on a valid user name, for example, I'd
> consider this a critical change - however inconvenient.

get yourself some portable linux device capable of either USB, ethernet or 
wifi connection (OpenMoko, Nokia NXXX, etc.) plug your keys there - and 
voila, you've got yourelf both secure terminal and key storage in one box. I 
would be highly suspicious initiating SSH connection with my servers from 
untrusted box (which is any box not built and maintained by me ;) ) as there 
is a chance of keylogger (no matter how friendly owner of spoken box is - you 
don't know if he wasn't hacked and you have no time for even casual 
checking).

You can use variation of port-knocking and reverse your strategy based on the 
pattern:

1. drop first connection from specified IP and record it in "first_try" table
2. drop second connection from specified IP and record it in "second_try" 
table
3. if IP is in both first_try and second_try - allow it to attempt 
authentication but only with the keys. (removing it from *_try tables and 
possibly recording it in whitelist)
4. if IP fails X number of attempts within specified timeframe - remove from 
whitelist and record in blacklist

bit tricky logic, but fairly simple to implement (I use *BSD PF so no ready 
recipe for iptables here ;) ).

bit paranoid, but it covers your initial concern with distributed attack and 
single-attempts. You can further collect older entries from first_try into 
blacklist and do whatever you please with them. 

You can also collect high-frequency attempts into blacklist and have very big 
blacklist you can sell off on eBay :)

P.S.
I actually don't do any of the above. It was just a surge of creative paranoia 
in response to initial request :)

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

next prev parent reply	other threads:[~2008-12-03 22:11 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-12-03 20:02 [gentoo-user] Curious pattern in log files from ssh Steve
2008-12-03 20:16 ` [gentoo-user] " Nikos Chantziaras
2008-12-03 20:19   ` Paul Hartman
2008-12-03 20:52     ` Nikos Chantziaras
2008-12-03 20:17 ` [gentoo-user] " Albert Hopkins
2008-12-03 20:18 ` Paul Hartman
2008-12-03 20:49 ` Simon
2008-12-04 11:31   ` Steve
2008-12-05  7:16     ` Mick
2008-12-03 20:54 ` Alan McKinnon
2008-12-03 21:03 ` Dmitry S. Makovey
2008-12-03 21:47   ` Steve
2008-12-03 22:11     ` Dmitry S. Makovey [this message]
2008-12-03 22:55       ` Steve
2008-12-03 23:21         ` Paul Hartman
2008-12-03 23:46           ` Dmitry S. Makovey
2008-12-03 23:55           ` Steve
2008-12-04  0:07             ` Dmitry S. Makovey
2008-12-04  0:39               ` Steve
2008-12-04 15:50                 ` Dmitry S. Makovey
2008-12-04 22:44                   ` Adam Carter
2008-12-05  0:15                     ` Dmitry S. Makovey
2008-12-04 23:42                   ` Shawn Haggett
2008-12-03 22:54     ` Adam Carter
2008-12-04 11:24 ` Evgeniy Bushkov
2008-12-04 22:41   ` Adam Carter
2008-12-04 22:53     ` Adam Carter
2008-12-05 15:05     ` Evgeniy Bushkov
2008-12-07  5:52       ` Joshua Murphy
2008-12-04 19:03 ` Christian Franke
2008-12-04 20:22   ` Dmitry S. Makovey
2008-12-04 21:20   ` Alan McKinnon
2008-12-05 11:24     ` Steve

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200812031511.34593.dmitry@athabascau.ca \
    --to=dmitry@athabascau.ca \
    --cc=Gentoo_sjh@shic.co.uk \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox