Date: Wed, 03 Dec 2008 15:11:30 -0700
From: "Dmitry S. Makovey"
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
To: gentoo-user@lists.gentoo.org
Cc: Steve
In-reply-to: <4936FE82.9070509@shic.co.uk>
Message-id: <200812031511.34593.dmitry@athabascau.ca>
Organization: Athabasca University

On December 3, 2008, Steve wrote:
> I have, in the past, used DSA only keys - but this was frustrating on
> several occasions when I wanted access to my server and didn't have my
> SSH keys available to me... I almost always connect using a key pair
> rather than a password - but the password option is very useful to allow
> me to get hold of my SSH keys in the first place in some environments.
> If I found a distributed attack on a valid user name, for example, I'd
> consider this a critical change - however inconvenient.

Get yourself some portable Linux device capable of either USB, ethernet or wifi connection (OpenMoko, Nokia NXXX, etc.), plug your keys there - and voila, you've got yourself both a secure terminal and key storage in one box. I would be highly suspicious initiating an SSH connection with my servers from an untrusted box (which is any box not built and maintained by me ;) ) as there is a chance of a keylogger (no matter how friendly the owner of said box is - you don't know if he wasn't hacked, and you have no time for even casual checking).

You can use a variation of port-knocking and reverse your strategy based on the pattern:

1. drop the first connection from a specified IP and record it in the "first_try" table
2. drop the second connection from the specified IP and record it in the "second_try" table
3. if the IP is in both first_try and second_try - allow it to attempt authentication, but only with the keys (removing it from the *_try tables and possibly recording it in a whitelist)
4. if the IP fails X number of attempts within a specified timeframe - remove it from the whitelist and record it in the blacklist

A bit of tricky logic, but fairly simple to implement (I use *BSD PF so no ready recipe for iptables here ;) ).

A bit paranoid, but it covers your initial concern with distributed attacks and single attempts. You can further collect older entries from first_try into the blacklist and do whatever you please with them. You can also collect high-frequency attempts into the blacklist and have a very big blacklist you can sell off on eBay :)

P.S.
I actually don't do any of the above. It was just a surge of creative paranoia in response to the initial request :)

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
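The four-step gating logic sketched in the post, as an added Python simulation that is not part of the thread or of any PF or iptables rule set; the table names first_try/second_try/whitelist/blacklist follow the post, while the failure budget, the time window and the sample addresses are constructed assumptions.

```python
from collections import defaultdict


class KnockGate:
    """Per-source-IP gate for an SSH port, following the four steps in the post."""

    def __init__(self, max_failures=3, window=60.0):
        self.first_try = set()    # IPs whose first connection was dropped
        self.second_try = set()   # IPs whose second connection was dropped
        self.whitelist = set()    # IPs admitted to key-only authentication
        self.blacklist = set()    # IPs that used up their failure budget
        self.failures = defaultdict(list)  # ip -> timestamps of failed key auths
        self.max_failures = max_failures   # the "X" in step 4 (assumed value)
        self.window = window               # the "specified timeframe", seconds

    def connect(self, ip):
        """Decide what to do with a new TCP connection from ip (steps 1-3)."""
        if ip in self.blacklist:
            return "drop"
        if ip in self.whitelist:
            return "allow-keys-only"
        if ip not in self.first_try:          # step 1: first contact is dropped
            self.first_try.add(ip)
            return "drop"
        if ip not in self.second_try:         # step 2: second contact is dropped
            self.second_try.add(ip)
            return "drop"
        # step 3: present in both tables, so admit it, but for key auth only
        self.first_try.discard(ip)
        self.second_try.discard(ip)
        self.whitelist.add(ip)
        return "allow-keys-only"

    def auth_failed(self, ip, now):
        """Step 4: record a failed key auth at time now; blacklist on X in window."""
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.whitelist.discard(ip)
            self.blacklist.add(ip)
            del self.failures[ip]
            return "blacklisted"
        return "counted"


if __name__ == "__main__":
    # Constructed sample: one persistent client and one single-shot scanner
    gate = KnockGate(max_failures=3, window=60.0)
    print([gate.connect("203.0.113.7") for _ in range(3)])  # drop, drop, allow-keys-only
    print(gate.connect("198.51.100.9"))                      # drop: a single attempt never gets in
```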