[Intrusions] Locking down SSH, dictionary attacks

Candice Quates candice at egobsd.org
Sat Mar 11 23:38:12 GMT 2006


    <snip - Andrew> 
    So, I'm wondering how to lock down SSH a bit more (on Linux, maybe
    Solaris, MacOS).
    On critical machines with few users, I have disabled password logins -
    keys only, and maybe only listen to certain addresses. And on one
    standalone machine I have set norootlogin.
    
    But what to do with multiuser machines? Users are likely to revolt if
    told they have to generate keypairs everywhere. (We have been reluctant
    to get into Kerberos, and besides I'm not sure without some research
    whether it would help. Ditto PAM-based stuff.)
    What I'd like to do is have different authentication requirements for
    root and for user accounts (other than "no root at all").
    <snip> 

A college friend of mine came up with an entertaining PAM-based auth idea
for a security competition.  He set up small "captchas", which consisted
of things like "type the ASCII-art word" and simple math problems.  Putting
that on top of the login stack and allowing users to log in afterwards 
worked well.  I'll post the project-in-progress once I can talk to him to
ask if it can be made public if anyone's interested.

Kerberos is great, but it does require some user training, and either 
running a login-stealing trojan or getting everyone to set new passwords.
I find that it's most useful if you're supporting a lot of hackers,
or those otherwise disposed to find the key-passing conveniences to be
cool and useful.  

Candice Quates
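The root-versus-user split Andrew asks about above, written out as an added sshd_config example that is not from the thread or from any poster; the interface address, the admin subnet, the "admins" group and the OpenSSH version notes are assumptions:

```sshd_config
# Assumed management address and admin subnet (placeholders, not from the thread)
ListenAddress 192.0.2.10

# Defaults for the multiuser population: keys are accepted, but password
# logins through PAM stay enabled so users need not generate keypairs.
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes

# root is the exception: never a password, only a key. "no" is the
# "no root at all" setting; "prohibit-password" (OpenSSH 7.0+, formerly
# "without-password") keeps key-based root logins for automation.
PermitRootLogin prohibit-password

# Tighter rules for an assumed "admins" group: require a key AND a PAM
# keyboard-interactive step (the place a PAM captcha module would sit).
# AuthenticationMethods needs OpenSSH 6.2 or later.
Match Group admins
    AuthenticationMethods publickey,keyboard-interactive

# From anywhere outside the admin subnet, refuse root entirely. Match blocks
# need OpenSSH 4.4 or later; for each keyword the first value set wins.
Match User root Address *,!192.0.2.0/24
    PermitRootLogin no
```

Check the result with `sshd -t` before restarting the daemon, and keep one existing session open while testing so a mistake does not lock you out.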


