[H-GEN] brute-force ssh(s) attacks [Was: Installing a website!]

David Jericho david.jericho at aarnet.edu.au
Tue Aug 9 21:21:49 EDT 2005


Willie Yeo wrote:
> 1) disallow root ssh access

A logical thing to do.

> 2) allow specific users to have ssh access to the box

pam can be a right pain to learn, the documentation is useless.[1]

> 3) using 'sudo' instead of 'su' for specific super-user stuff

sudo is not a security tool. If an intruder has already got into the
system via SSH, there's a very good chance they know, or at least know
how to get, the password for that user account. From there, it's a
single step to full root.

> 4) change the port of sshd listening ;)

This is about as effective as covering your eyes while standing in front
of the Ravenous Bug-Blatter Beast of Trall. While this may actually work
with the most stupid creature in the universe, you're about to be eaten
by the Grue that's sneaking up behind you.

It's literally an extra line of code in almost any language to probe a
range of ports.

> 5) put a one-time password system :D

Or as Robert Brockway suggested, use the key service _with_ a solid
passphrase.

OTP has the advantage that a one-time sniff on the client you're using
won't compromise your system, whereas if someone manages to nab your
key and passphrase, they've got access.

Of course, this also involves some physical media (such as paper)
containing your OTP keys. Using an application or web CGI to calculate
the next OTP suffers the same problem as using a passphrase and key.

[1] Re my "polite" rant on #humbug yesterday. Why is it that AAA
mechanisms are amongst the worst documented?

-- 
David Jericho
Systems Administrator, AARNet
Phone:     +61 7 3317 9576
Mobile:    +61 4 2302 7185
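Points 1, 2, 4 and 5 of the thread as a defender-side check, added here as an example and not part of the original post: it audits a constructed sshd_config fragment and counts failed-password attempts per source address in constructed auth.log lines (the config values, hostname and addresses are made up).

```python
import re
from collections import Counter

# Constructed sshd_config fragment (hypothetical host, not from the thread).
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice
"""
# Constructed auth.log lines in the syslog format sshd wrote in 2005.
SAMPLE_AUTH_LOG = """\
Aug  9 21:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug  9 21:01:03 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Aug  9 21:01:04 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Aug  9 21:05:00 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Aug  9 21:06:10 host sshd[1005]: Failed password for alice from 198.51.100.7 port 51001 ssh2
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the active (uncommented) directives."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_sshd_config(text):
    """One finding per thread point; fallback defaults are the 2005-era OpenSSH ones."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin should be 'no' (point 1)")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: any account may attempt login (point 2)")
    if conf.get("port", "22") != "22":
        findings.append("non-default Port is obscurity, not a control (point 4)")
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no'; use keys with a passphrase (point 5)")
    return findings

# Matches both "Failed password for root from X" and "... for invalid user admin from X".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")

def failed_logins_by_source(log_text, threshold=3):
    """Count failed password attempts per source; return sources at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```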
