[unisog] step up in SSH scanning starting today?
alex-unisog at digriz.org.uk
Tue May 13 20:29:04 GMT 2008
Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> [20080513 15:47:21 -0400]:
> On Tue, 13 May 2008 13:28:33 EDT, "Couples, Christopher" said:
> [snipped ssh brute forcing countermeasures]
> The *best* solution, ....
...is just to use public key authentication. In a world of USB tokens,
midpssh and 'ssh-add'/'ssh -A' there hardly is any excuse anymore.
Sorry to be brutal but tis all true :) Make sure your users have *one* ssh
key pair per device, the idea is to have many key pairs but only one per
device for revocation reasons. If one of the keys is compromised your
passphrase only has to be good enough to last the time it would take you to
revoke and replace the key; not to last the lifetime of the user account
that is typically the case.
As for the brute forcing someones private key's as suggested by a previous
poster, erm 1024 bit's ain't what I would recommend brute forcing :-/ Okay,
with the Debian issue this probably is all of a sudden feasible however other
than this the only references to private key brute forcers I can find are
against the encrypted private keyfile the user carries around with them.
For those worried about, and that run into the common chicken-and-the-egg
issue, how to get to a system when you might not have your new public key on
that system, you turn to using One-Time-Passwords's (OTP's). Every sysadmin
is unfortunate enough to have to have a dog-lease (aka mobile phone) so you
get your mobile phones to generate the OTP using jFreeSafe and on the host
side, pam-opie, you will have a nice sweet 64bit changing password to
protect your account. I have mirrored the destructions I wrote up for
internal use at my workplace for those interested.
Please please please, plain text passwords have outlived their lifespan,
especially so for SSH. Of course if you can turn to L3 IP based ACL's to add
an extra layer that is all good too however for many this is not an
option...plus IP based ACL's are evil. Throttling is still good though!
 whether that be workstation or usb token or floppy disk
 http://freesafe.sourceforge.net/ this is the only multi-host J2ME app I
can find so it's the only one I recommend
/ Praise the sea; on shore remain. \
\ -- John Florio /
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20080513/f8f36cfd/attachment.bin
More information about the unisog