On December 3, 2008, Steve wrote:

> I have, in the past, used DSA only keys - but this was frustrating on
> several occasions when I wanted access to my server and didn't have my
> SSH keys available to me... I almost always connect using a key pair
> rather than a password - but the password option is very useful to allow
> me to get hold of my SSH keys in the first place in some environments.
> If I found a distributed attack on a valid user name, for example, I'd
> consider this a critical change - however inconvenient.

Get yourself some portable Linux device capable of a USB, ethernet or
wifi connection (OpenMoko, Nokia NXXX, etc.), plug your keys in there, and
voila, you've got yourself both a secure terminal and key storage in one box. I
would be highly suspicious of initiating an SSH connection with my servers from
an untrusted box (which is any box not built and maintained by me ;) ), as there
is a chance of a keylogger (no matter how friendly the owner of said box is, you
don't know whether he wasn't hacked, and you have no time for even casual
checking).

You can use a variation of port-knocking and reverse your strategy based on the
pattern:

1. drop the first connection from a given IP and record it in a "first_try" table
2. drop the second connection from that IP and record it in a "second_try"
   table
3. if the IP is in both first_try and second_try, allow it to attempt
   authentication, but only with keys (removing it from the *_try tables and
   possibly recording it in a whitelist)
4. if the IP fails X attempts within the specified timeframe, remove it from the
   whitelist and record it in a blacklist

Bit tricky logic, but fairly simple to implement (I use *BSD PF, so no ready
recipe for iptables here ;) ).

Bit paranoid, but it covers your initial concern with distributed attacks and
single attempts. You can further collect older entries from first_try into the
blacklist and do whatever you please with them.

You can also collect high-frequency attempts into the blacklist and have a very
big blacklist you can sell off on eBay :)

P.S.
I actually don't do any of the above. It was just a surge of creative paranoia
in response to the initial request :)

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
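The four-step "two drops, then key-only auth" pattern from the message above, modelled as a small decision engine. This is an added example, not Dmitry's PF ruleset or anything from Athabasca University: it keeps the first_try, second_try, whitelist and blacklist tables he names in Python dictionaries and sets, and adds the two optional harvests he mentions (stale single knocks and high-frequency knockers into the blacklist). The thresholds, the time-to-live for stale first_try entries, the per-IP rate limit and the sample IP addresses are assumptions for illustration; in a real deployment the `connect` result would drive the firewall (for PF, adding the address to the matching table with `pfctl -t <table> -T add <ip>`) and `auth_failed` would be fed from sshd's log.

```python
# Added example: the two-drop-then-key-only policy as a state machine.
# Table names follow the message; thresholds and IPs are assumed values.
from collections import defaultdict

DROP = "drop"
ALLOW_KEYS_ONLY = "allow-keys-only"


class KnockPolicy:
    def __init__(self, max_failures=3, fail_window=300,
                 first_try_ttl=600, rate_limit=20, rate_window=60):
        self.max_failures = max_failures    # step 4: X failed auths ...
        self.fail_window = fail_window      # ... within this many seconds
        self.first_try_ttl = first_try_ttl  # stale first_try -> blacklist
        self.rate_limit = rate_limit        # high-frequency knockers -> blacklist
        self.rate_window = rate_window
        self.first_try = {}                 # ip -> time of first dropped SYN
        self.second_try = {}                # ip -> time of second dropped SYN
        self.whitelist = set()
        self.blacklist = set()
        self.failures = defaultdict(list)   # ip -> times of failed key auths
        self.attempts = defaultdict(list)   # ip -> times of connection attempts

    @staticmethod
    def _recent(times, now, window):
        return [t for t in times if now - t < window]

    def connect(self, ip, now):
        """Decide what the firewall does with a new connection from ip at time now."""
        self.harvest_stale(now)
        if ip in self.blacklist:
            return DROP
        # high-frequency attempts go straight to the blacklist
        self.attempts[ip] = self._recent(self.attempts[ip], now, self.rate_window) + [now]
        if len(self.attempts[ip]) > self.rate_limit:
            self._ban(ip)
            return DROP
        if ip in self.whitelist:
            return ALLOW_KEYS_ONLY
        if ip not in self.first_try:        # step 1: first attempt is dropped
            self.first_try[ip] = now
            return DROP
        if ip not in self.second_try:       # step 2: second attempt is dropped
            self.second_try[ip] = now
            return DROP
        # step 3: seen in both tables -> clear them, whitelist, keys only
        del self.first_try[ip]
        del self.second_try[ip]
        self.whitelist.add(ip)
        return ALLOW_KEYS_ONLY

    def auth_failed(self, ip, now):
        """Step 4: sshd reported a failed key auth; returns True once ip is banned."""
        hist = self._recent(self.failures[ip], now, self.fail_window) + [now]
        self.failures[ip] = hist
        if len(hist) >= self.max_failures:
            self._ban(ip)
            return True
        return False

    def harvest_stale(self, now):
        """Single knocks that never followed up are collected into the blacklist."""
        stale = [ip for ip, t in self.first_try.items()
                 if ip not in self.second_try and now - t >= self.first_try_ttl]
        for ip in stale:
            self._ban(ip)
        return stale

    def _ban(self, ip):
        self.whitelist.discard(ip)
        self.first_try.pop(ip, None)
        self.second_try.pop(ip, None)
        self.failures.pop(ip, None)
        self.attempts.pop(ip, None)
        self.blacklist.add(ip)


def run_scenario():
    """Constructed event stream: a legitimate admin, a one-shot scanner and a
    brute-forcer. Returns the decisions so they can be checked."""
    p = KnockPolicy(max_failures=3, fail_window=300, first_try_ttl=600)
    admin, scanner, brute = "192.0.2.10", "198.51.100.7", "203.0.113.99"
    out = {}
    # admin: two dropped connections, the third is let through for key auth
    out["admin"] = [p.connect(admin, 0), p.connect(admin, 5), p.connect(admin, 10)]
    # scanner: knocks once at t=20 and never returns
    p.connect(scanner, 20)
    # brute-forcer: passes the two-drop gate, then fails key auth three times
    p.connect(brute, 30)
    p.connect(brute, 31)
    out["brute_gate"] = p.connect(brute, 32)
    out["brute_banned"] = [p.auth_failed(brute, 40), p.auth_failed(brute, 41),
                           p.auth_failed(brute, 42)]
    out["brute_after"] = p.connect(brute, 43)
    # by t=700 the scanner's stale first_try entry has been collected
    out["scanner_after"] = p.connect(scanner, 700)
    out["blacklist"] = sorted(p.blacklist)
    return out
```

Note that the rate-limit harvest runs before the whitelist check, so an address that legitimately passed the gate is still banned if it starts hammering the port; whether that is what you want depends on how chatty your own automation is.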