| 1 |
On December 3, 2008, Steve wrote: |
| 2 |
> I have, in the past, used DSA only keys - but this was frustrating on |
| 3 |
> several occasions when I wanted access to my server and didn't have my |
| 4 |
> SSH keys available to me... I almost always connect using a key pair |
| 5 |
> rather than a password - but the password option is very useful to allow |
| 6 |
> me to get hold of my SSH keys in the first place in some environments. |
| 7 |
> If I found a distributed attack on a valid user name, for example, I'd |
| 8 |
> consider this a critical change - however inconvenient. |
| 9 |
|
| 10 |
get yourself some portable linux device capable of either USB, ethernet or |
| 11 |
wifi connection (OpenMoko, Nokia NXXX, etc.) plug your keys there - and |
| 12 |
voila, you've got yourelf both secure terminal and key storage in one box. I |
| 13 |
would be highly suspicious initiating SSH connection with my servers from |
| 14 |
untrusted box (which is any box not built and maintained by me ;) ) as there |
| 15 |
is a chance of keylogger (no matter how friendly owner of spoken box is - you |
| 16 |
don't know if he wasn't hacked and you have no time for even casual |
| 17 |
checking). |
| 18 |
|
| 19 |
You can use variation of port-knocking and reverse your strategy based on the |
| 20 |
pattern: |
| 21 |
|
| 22 |
1. drop first connection from specified IP and record it in "first_try" table |
| 23 |
2. drop second connection from specified IP and record it in "second_try" |
| 24 |
table |
| 25 |
3. if IP is in both first_try and second_try - allow it to attempt |
| 26 |
authentication but only with the keys. (removing it from *_try tables and |
| 27 |
possibly recording it in whitelist) |
| 28 |
4. if IP fails X number of attempts within specified timeframe - remove from |
| 29 |
whitelist and record in blacklist |
| 30 |
|
| 31 |
bit tricky logic, but fairly simple to implement (I use *BSD PF so no ready |
| 32 |
recipe for iptables here ;) ). |
| 33 |
|
| 34 |
bit paranoid, but it covers your initial concern with distributed attack and |
| 35 |
single-attempts. You can further collect older entries from first_try into |
| 36 |
blacklist and do whatever you please with them. |
| 37 |
|
| 38 |
You can also collect high-frequency attempts into blacklist and have very big |
| 39 |
blacklist you can sell off on eBay :) |
| 40 |
|
| 41 |
P.S. |
| 42 |
I actually don't do any of the above. It was just a surge of creative paranoia |
| 43 |
in response to initial request :) |
| 44 |
|
| 45 |
-- |
| 46 |
Dmitry Makovey |
| 47 |
Web Systems Administrator |
| 48 |
Athabasca University |
| 49 |
(780) 675-6245 |
Archives