User: Password:
Subscribe / Log in / New account

Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 25, 2007 6:16 UTC (Thu) by drag (subscriber, #31333)
Parent article: Preventing brute force ssh attacks

I put ssh on port 23 to avoid log spam. I am lazy like that. 

I use ssh keypairs with passphrase (which is actually 3DES encryption of the private key..) so
if I 'misplace' the key then I am not much worse off then if I just used plain passwords. Then
I disable the use of ssh passwords.

On my desktop (er laptop) I use as my base of operations. I realy don't use any other
computer. So it's the only one that I keep my ssh keys on. On my laptop I have zero network
services (well, other then avahi).. so it's secure. Don't even have sshd running.

For file transfer I just use sshfs.. no samba or nfs for my stuff.

So for my personal stuff brute-force is impossible and the chances of obtaining a key is slim
to none for a attacker.  Not also to mention that most of this stuff is firewalled from the
internet via a pc-based router.

for multi-user environment though, especially corporate-land stuff, then passwords are still a
way of life. Oh well.

(Log in to post comments)

Preventing brute force ssh attacks

Posted Oct 25, 2007 11:14 UTC (Thu) by nix (subscriber, #2304) [Link]

To be completely pedantic, a machine with no network services running is not necessarily
completely secure.

Most obviously, attacks can come in from compromised hosts you connect to. This is the most
common attack vector these days thanks to malware on websites.

Secondly, attacks can exploit vulnerabilities in the networking stack which can be tripped
without a connection succeeding. I can think of two: the ping of death, and that nice
information leak a while back where Linux was sending out Ethernet frames padded with random
uninitialized rubbish from kernel memory (which could of course contain private data).

Preventing brute force ssh attacks

Posted Oct 25, 2007 13:00 UTC (Thu) by drag (subscriber, #31333) [Link]

That's why I said "slim to none" chance.. not "mission impossible". :)

For daemons that may need to use ssh for whatever don't forget that you can configure your
keys in such a way that they only allow certain commands to be executed. This still leaves a
lot of holes if the attacker gets the daemon's private keys, but I suppose it can help.

on a side note:
One huge benifit that disabling passwords and using ssh-agent + passkey exclusively that is of
a secondary nature and not obvious is that it reduces the chances of hacked host, that you log
into, from compromising the rest of your networks. Like I said it's completely secondary and
it has to do with human nature.

We've all done something like this:
log into host a
from host a log into host b.
from host b use scp to copy a file to your home desktop.

That's easy to do and fairly standard unixy shell stuff.. When your busy and have lots of
shells open on lots of computers its a pretty natural thing to do. But if 'host a' is rooted
then the attacker now has a decent chance of obtaining your passwords for 'host b' and your
home computer.

So if you have passwords disabled and only keep your private keys on your localhost then that
makes that sort of bad behavior much more difficult and makes 'doing the right thing', were
you do not jump from host to host, much more easier... since your using ssh-agent and such you
effectively have SSO so even if you have passwords aviable then it's much easier not to.

It's a completely side thing and a very so-so thing, but I think it's nice.

Preventing brute force ssh attacks

Posted Oct 25, 2007 16:25 UTC (Thu) by nix (subscriber, #2304) [Link]

Quite so, ssh-agent is lovely and things like keychain make it usable :)

(Of course it won't protect you if the machine on which the agent is running is rooted: they
could keylog you, install a malicious agent, et seq ad nauseam. But it's useful if machines
you connect to from the agent machine are compromised.)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds