[Intrusions] Locking down SSH, dictionary attacks
candice at egobsd.org
Sat Mar 11 23:38:12 GMT 2006
<snip - Andrew>
> So, I'm wondering how to lock down SSH a bit more (on Linux, maybe
> On critical machines with few users, I have disabled password logins -
> keys only, and maybe only listen to certain addresses. And on one
> standalone machine I have set norootlogin.
> But what to do with multiuser machines? Users are likely to revolt if
> told they have to generate keypairs everywhere. (We have been reluctant
> to get into Kerberos, and besides I'm not sure without some research
> whether it would help. Ditto PAM-based stuff)
> What I'd like to do is have different authentication requirements for
> root and for user accounts (other than "no root at all")
A college friend of mine came up with an entertaining pam-based auth idea
for a security competition. He set up small "captchas", which consisted
of things like "type the ascii-art word" and simple math problems. Putting
that on top of the login stack and allowing users to log in afterwards
worked well. I'll post the project-in-progress once I can talk to him to
ask if it can be made public if anyone's interested.
Kerberos is great, but it does require some user training, and either
running a login-stealing trojan or getting everyone to set new passwords.
I find that it's most useful if you're supporting a lot of hackers,
or those otherwise disposed to find the key-passing conveniences to be
cool and useful.
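Added example, not part of either message above: the request for separate authentication rules for root and for ordinary users is exactly what sshd_config `Match` blocks (OpenSSH 4.4 and later) and `PermitRootLogin prohibit-password` (spelled `without-password` in older releases) are for. The block below embeds a constructed sshd_config in that shape and a small Python resolver that reports the settings sshd would apply to a given user, group list and source address, following the two rules in sshd_config(5) that people most often get wrong: the first global value for a keyword wins (a later duplicate is silently ignored), and the first applicable Match block that sets a keyword wins, so the order of the blocks matters. The config, the logins, the addresses and all helper names are assumptions made up for this example; the code is mine, not OpenSSH's and not the poster's.

```python
"""Which sshd_config settings apply to a given login? Added example, not code
from the post or from OpenSSH. Models two rules from sshd_config(5): the first
global value for a keyword wins; after `Match`, a block applies only if every
criterion holds, overrides the global section, and the first applicable block
that sets a keyword wins. Criteria: User, Group (sshd patterns, '!' negates),
Address (plain address or CIDR); anything else raises ValueError."""
import fnmatch
import ipaddress
import re

# Constructed config (an assumption, not the poster's): root is key-only,
# ordinary users keep passwords but only from the office LAN. The root block
# comes first on purpose: were root also in group "users", a swapped order
# would let the first matching block hand root a password login.
SSHD_CONFIG = """
ListenAddress 192.0.2.10
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
# Duplicate keyword: ignored, sshd keeps the first value it saw.
PasswordAuthentication yes
KbdInteractiveAuthentication no
MaxAuthTries 3

Match User root
    PasswordAuthentication no
    AuthenticationMethods publickey

Match Group users Address 192.0.2.0/24
    PasswordAuthentication yes
    MaxAuthTries 5
"""

def match_pattern_list(value, patterns):
    """Like sshd's match_pattern_list(): 1 match, 0 none, -1 negated match."""
    found = 0
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(value, pat.lstrip("!")):
            if pat.startswith("!"):
                return -1
            found = 1
    return found

def group_match(groups, patterns):
    """As in sshd: a negated match on any group fails the whole criterion."""
    results = [match_pattern_list(g, patterns) for g in groups]
    return -1 not in results and 1 in results

def address_match(addr, patterns):
    """Address criterion: comma-separated plain addresses or CIDR ranges."""
    ip, found = ipaddress.ip_address(addr), False
    for pat in patterns.split(","):
        if ip in ipaddress.ip_network(pat.lstrip("!"), strict=False):
            if pat.startswith("!"):
                return False
            found = True
    return found

def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]); keys lowercased."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *rest = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword, args = keyword.lower(), (rest[0] if rest else "")
        if keyword == "match":
            tokens = args.split()
            criteria = dict(zip((t.lower() for t in tokens[0::2]), tokens[1::2]))
            unknown = set(criteria) - {"user", "group", "address"}
            if unknown:
                raise ValueError(f"unsupported Match criteria: {sorted(unknown)}")
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(keyword, args)  # first value wins
        else:
            current[1].setdefault(keyword, args)
    return global_settings, blocks

def block_applies(criteria, login):
    """login = {"user": str, "groups": [str], "address": str}"""
    checks = {"user": lambda p: match_pattern_list(login["user"], p) == 1,
              "group": lambda p: group_match(login["groups"], p),
              "address": lambda p: address_match(login["address"], p)}
    return all(checks[c](p) for c, p in criteria.items())

def effective_settings(text, login):
    """Settings sshd would apply to `login`: Match values over global ones."""
    global_settings, blocks = parse_sshd_config(text)
    from_match = {}
    for criteria, settings in blocks:
        if block_applies(criteria, login):
            for keyword, value in settings.items():
                from_match.setdefault(keyword, value)  # first applicable block wins
    return {**global_settings, **from_match}

if __name__ == "__main__":
    for login in ({"user": "root", "groups": ["root", "users"], "address": "192.0.2.50"},
                  {"user": "alice", "groups": ["users"], "address": "192.0.2.50"},
                  {"user": "alice", "groups": ["users"], "address": "198.51.100.7"}):
        eff = effective_settings(SSHD_CONFIG, login)
        print(f"{login['user']}@{login['address']}: password={eff['passwordauthentication']}"
              f" methods={eff.get('authenticationmethods', '(default)')} tries={eff['maxauthtries']}")
```

On a real host the check to run (as root, since it reads the host keys) is `sshd -T -C user=root,addr=192.0.2.50` and then the same with an ordinary user and an off-LAN address: `-T` prints the effective configuration for the connection described by `-C`, which is the authoritative answer. The resolver above exists only so the Match and first-value semantics can be seen without a running sshd; it does not handle `Include`, `Match all`, the other Match criteria, or the `[seq]` wildcard that fnmatch accepts but sshd does not.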