Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks

From: Xin LI <delphij () gmail com>
Date: Thu, 17 Jun 2010 17:10:48 -0700

On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:

--On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij () gmail com>
wrote:

On FreeBSD you can probably just use the following pf.conf line to
block most of such attacks:

block in quick proto tcp from any os "Linux" to any port ssh

(Note that with this you may lose the ability to login from any Linux
based box including from an Android phone, etc)

Of course it's wise to disable password authentication and just use
public key authentication.


Why?  Ssh is encrypted, so you're not exposing a password when you login.
 How does public key authentication make you more secure (in a practical
sense)?


Well, I usually avoid the term "more secure" since it really depends
on the real usage and scenario.

The benefits of using public key authentication are:
 - A typical 2048 bit key pair offered much more entropy than password
average people can comfortably remember, making it practically
impossible to brute force crack.
 - It does not transfer any credential information that can be used if
being cracked.  i.e. the authentication process is some kind of
zero-knowledge proof, say, "I have the key but you won't see it"
rather than "I have the password and here it is" (*).  Password
authentications are usually just plain text over an encrypted channel.

Downsides are mostly at the human side, e.g.:
 - Survey says that many people won't encrypt their private key and
protect it properly, nor treat forward agents in a secure manner;
 - It's not quite convenient if one don't have immediate access to
their private key, i.e. a system administrator traveling without his
laptop but arguably, this case should never happen since using
passwords on untrusted system is much more dangerous.


(*) This can of course be improved, though but I am not aware of any
alternative that does not impose more restrictions.

Cheers,
-- 
Xin LI <delphij () delphij net> http://www.delphij.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: targetted SSH bruteforce attacks, (continued)
- - Re: targetted SSH bruteforce attacks Gregory Bellier (Jun 17)
    - Re: targetted SSH bruteforce attacks Gary Baribault (Jun 17)
  - Re: targetted SSH bruteforce attacks Samuel Martín Moro (Jun 17)
    - Re: targetted SSH bruteforce attacks yersinia (Jun 23)
    - Re: targetted SSH bruteforce attacks Cody Robertson (Jun 23)
    - Re: targetted SSH bruteforce attacks Gary Baribault (Jun 23)
    - Re: targetted SSH bruteforce attacks Cody Robertson (Jun 23)
  - Re: targetted SSH bruteforce attacks Xin LI (Jun 17)
    - Re: targetted SSH bruteforce attacks Paul Schmehl (Jun 17)
    - Re: targetted SSH bruteforce attacks John Jacobs (Jun 17)
    - Re: targetted SSH bruteforce attacks Xin LI (Jun 17)
    - Re: targetted SSH bruteforce attacks Valdis . Kletnieks (Jun 18)
    - Re: targetted SSH bruteforce attacks Marsh Ray (Jun 21)
    - Message not available
    - Re: targetted SSH bruteforce attacks Marc Olive (Jun 22)
    - Re: targetted SSH bruteforce attacks bugs (Jun 26)
  - Re: targetted SSH bruteforce attacks Mr. MailingLists (Jun 17)
    - Re: targetted SSH bruteforce attacks Sebastian Rother (Jun 17)
    - Re: targetted SSH bruteforce attacks Thor (Hammer of God) (Jun 17)
    - Re: targetted SSH bruteforce attacks BMF (Jun 17)
  - Re: targetted SSH bruteforce attacks Mark Byrne (Jun 17)
  - Re: targetted SSH bruteforce attacks Pavel Kankovsky (Jun 17)

(Thread continues...)