[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] targetted SSH bruteforce attacks

To: Paul Schmehl <pschmehl_lists@xxxxxxxxx>
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Xin LI <delphij@xxxxxxxxx>
Date: Thu, 17 Jun 2010 17:10:48 -0700

On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl <pschmehl_lists@xxxxxxxxx> wrote:
> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@xxxxxxxxx>
> wrote:
>
>> On FreeBSD you can probably just use the following pf.conf line to
>> block most of such attacks:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>>
>> (Note that with this you may lose the ability to login from any Linux
>> based box including from an Android phone, etc)
>>
>> Of course it's wise to disable password authentication and just use
>> public key authentication.
>
> Why?  Ssh is encrypted, so you're not exposing a password when you login.
>  How does public key authentication make you more secure (in a practical
> sense)?

Well, I usually avoid the term "more secure" since it really depends
on the real usage and scenario.

The benefits of using public key authentication are:
 - A typical 2048 bit key pair offered much more entropy than password
average people can comfortably remember, making it practically
impossible to brute force crack.
 - It does not transfer any credential information that can be used if
being cracked.  i.e. the authentication process is some kind of
zero-knowledge proof, say, "I have the key but you won't see it"
rather than "I have the password and here it is" (*).  Password
authentications are usually just plain text over an encrypted channel.

Downsides are mostly at the human side, e.g.:
 - Survey says that many people won't encrypt their private key and
protect it properly, nor treat forward agents in a secure manner;
 - It's not quite convenient if one don't have immediate access to
their private key, i.e. a system administrator traveling without his
laptop but arguably, this case should never happen since using
passwords on untrusted system is much more dangerous.


(*) This can of course be improved, though but I am not aware of any
alternative that does not impose more restrictions.

Cheers,
-- 
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] [SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability
  - From: Giuseppe Iuculano
- [Full-disclosure] targetted SSH bruteforce attacks
  - From: Gary Baribault
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Xin LI
- Re: [Full-disclosure] targetted SSH bruteforce attacks
  - From: Paul Schmehl

Prev by Date: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by Date: Re: [Full-disclosure] Introducing TGP...
Previous by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Next by thread: Re: [Full-disclosure] targetted SSH bruteforce attacks
Index(es):
- Date
- Thread