Re: sshd known_hosts query



On Sun, 15 Jan 2006, Tony van der Hoff wrote:
> Nix <nix-razor-pit@xxxxxxxxxxxxx> wrote in message
> <87mzhxgync.fsf@xxxxxxxxxxxxxxxxxx>
>
>> I'd say turn PasswordAuthentication off, too. Stick with key-based
>> authentication only.
>>
> Depends on your requirements. Sometimes you can't set keys - I certainly
> wouldn't want to accidentally leave one on a Customer's box.

Make a temporary key and revoke it when you're done.

> Key-based
> authentication PLUS passwords (provided they're strong ones) works fine.

i.e., passphrased keys? Yes, that's fine, but that's not password-
authentication, it's still wholly public key-based :)

>> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from
> 208.187.226.110
>> Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from
> 208.187.226.110
> [snip]
>
> No, he's not made it into my blocklist - yet.

I was assuming that the IP was from some machine in a botnet, but
perhaps not. I guess if it was botnetted I'd probably see requests from
all over the shop.

> Indeed; they first have to guess a username; then they have to guess a valid
> password :( It's a wonder they achieve anything, and can only be evidence of
> a preponderance of poorly-administered sites out there...

Oh boy yes. `cisco/cisco'... although random English names is a bit of a
sign of desperation, they also tried things like `root',
`administrator', even `postgres', which gave me a second's pause because
I have a user of that name, and they tried it about a second after I'd
sshed to `postgres' on one of my machines...

> Which is why I employ a blocklist script; I enjoy seeing this:
>
> Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd
> from 207.36.86.64 port 49575 ssh2
> Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap
> from 207.36.86.64 port 49762 ssh2
> Jan 15 12:10:01 tony-lx sshd: refused connect from
> 207-36-86-64.ptr.primarydns.com (207.36.86.64)
>
> Zap!

Ah, but if you let them keep battering on a wall they can't get through,
while they're wasting their time with you that's one less
potentially-vulnerable site they can attack. It's a tarpit.

--
`Logic and human nature don't seem to mix very well,
unfortunately.' --- Velvet Wood
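As an added example (not code from the thread or from either poster), this is the shape of the blocklist logic Tony describes: parse the two sshd failure formats quoted above, count failures per source address in a sliding window, and emit a TCP-wrappers deny rule once a threshold is reached. The sample log is constructed for the example from the lines quoted in the thread plus a few made-up ones; the threshold, window, whitelist networks and the year 2006 used to make syslog timestamps comparable are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample input for this example: the two sshd log formats quoted
# in the thread (the "Invalid user" and "Failed password for invalid user"
# lines, with the thread's IP addresses), plus made-up lines for a real user
# failing from an internal address and one successful key login.
SAMPLE_LOG = """\
Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
Jan 15 15:23:21 esperi info: sshd[11810]: Invalid user root from 208.187.226.110
Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd from 207.36.86.64 port 49575 ssh2
Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap from 207.36.86.64 port 49762 ssh2
Jan 15 12:10:03 tony-lx sshd[18370]: Failed password for invalid user cisco from 207.36.86.64 port 49801 ssh2
Jan 15 12:10:05 tony-lx sshd[18372]: Failed password for tony from 192.168.1.20 port 51000 ssh2
Jan 15 12:10:06 tony-lx sshd[18372]: Failed password for tony from 192.168.1.20 port 51000 ssh2
Jan 15 12:10:07 tony-lx sshd[18372]: Failed password for tony from 192.168.1.20 port 51000 ssh2
Jan 15 12:10:09 tony-lx sshd[18380]: Accepted publickey for tony from 10.0.0.5 port 52000 ssh2
"""

# Matches both failure formats above. The "Invalid user" line ends at the IP;
# the "Failed password" line continues with "port N ssh2", so the IP is taken
# up to the next whitespace rather than to end of line.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ .*?sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

Failure = namedtuple("Failure", "when user ip")
Block = namedtuple("Block", "ip at attempts users")

# Assumed local ranges that must never be blocked, so a mistyped password
# from the LAN cannot lock the administrator out. Adjust for your site.
DEFAULT_WHITELIST = ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")


def parse_failure(line, year=2006):
    """Return a Failure for an sshd authentication-failure line, else None.

    Syslog timestamps carry no year, so one is supplied; 2006 (the thread's
    year) is an assumption and only serves to make timestamps comparable.
    """
    m = FAIL_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return Failure(when, m.group("user"), m.group("ip"))


def find_blocklist(lines, threshold=3, window_seconds=60,
                   whitelist=DEFAULT_WHITELIST, year=2006):
    """Sliding-window failure counter.

    Blocks an address the moment it reaches `threshold` failures within
    `window_seconds`, unless it falls inside a whitelisted network. Returns
    Block records in the order the decisions were made.
    """
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> usernames tried from that address
    blocked = {}                  # ip -> Block; dict keeps decision order
    for line in lines:
        f = parse_failure(line, year)
        if f is None or f.ip in blocked:
            continue
        try:
            addr = ipaddress.ip_address(f.ip)
        except ValueError:
            continue              # hostname or junk where an IP was expected
        if any(addr in net for net in allowed):
            continue
        q = recent[f.ip]
        q.append(f.when)
        users[f.ip].add(f.user)
        while q and f.when - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            blocked[f.ip] = Block(f.ip, f.when, len(q), tuple(sorted(users[f.ip])))
    return list(blocked.values())


def hosts_deny_line(block):
    """/etc/hosts.deny rule for the TCP-wrappers refusal quoted in the thread."""
    return f"sshd: {block.ip}"


if __name__ == "__main__":
    for b in find_blocklist(SAMPLE_LOG.splitlines()):
        print(f"{b.at:%b %d %H:%M:%S} block {b.ip} after {b.attempts} failures "
              f"(users tried: {', '.join(b.users)}) -> {hosts_deny_line(b)}")
```

Run over the sample, the two external addresses are blocked on their third failure while the internal 192.168.1.20 is skipped because of the whitelist; dropping the whitelist (`whitelist=()`) blocks it too, which is the lock-out case the whitelist exists to prevent. Whether to block at all is the trade-off the reply makes: a blocked scanner moves on, a tarpitted one wastes its time on you.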