
Preventing brute force ssh attacks

Posted Oct 25, 2007 13:00 UTC (Thu) by drag (subscriber, #31333)
In reply to: Preventing brute force ssh attacks by nix
Parent article: Preventing brute force ssh attacks

That's why I said "slim to none" chance.. not "mission impossible". :)

For daemons that may need to use ssh for whatever don't forget that you can configure your
keys in such a way that they only allow certain commands to be executed. This still leaves a
lot of holes if the attacker gets the daemon's private keys, but I suppose it can help.

on a side note:
One huge benefit of disabling passwords and using ssh-agent + passkey exclusively, one that is of
a secondary nature and not obvious, is that it reduces the chances of a hacked host that you log
into compromising the rest of your networks. Like I said it's completely secondary and
it has to do with human nature.

We've all done something like this:
log into host a
from host a log into host b.
from host b use scp to copy a file to your home desktop.

That's easy to do and fairly standard unixy shell stuff.. When you're busy and have lots of
shells open on lots of computers it's a pretty natural thing to do. But if 'host a' is rooted
then the attacker now has a decent chance of obtaining your passwords for 'host b' and your
home computer.

So if you have passwords disabled and only keep your private keys on your localhost then that
makes that sort of bad behavior much more difficult and makes 'doing the right thing', where
you do not jump from host to host, much easier... since you're using ssh-agent and such you
effectively have SSO, so even if you have passwords available it's much easier not to.

It's a completely side thing and a very so-so thing, but I think it's nice.

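The "keys that only allow certain commands" idea above is the authorized_keys forced-command mechanism. The wrapper below is an added example, not code from the thread: sshd places whatever the client asked for in SSH_ORIGINAL_COMMAND, and the wrapper runs it only if it matches an exact allowlist. The key line, the script path and the allowed commands are hypothetical; the `restrict` option needs OpenSSH 7.2 or newer (on older versions spell it out as `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty`).

```shell
#!/bin/sh
# Added example: forced-command wrapper for a daemon's key in ~/.ssh/authorized_keys.
# The key line (hypothetical key material) binds the key to this script and
# strips every other capability:
#
#   restrict,command="/usr/local/bin/backup-only.sh" ssh-ed25519 AAAA...EXAMPLE backup@daemon
#
# Even with the daemon's private key, the holder can run only what allow_command permits.

# Returns 0 if the requested command is on the allowlist, 1 otherwise.
# Patterns are quoted so the match is exact: no globbing, no shell metacharacters.
allow_command() {
    case "$1" in
        "cat /var/log/app/latest.log")
            return 0 ;;
        "df -h /srv/backup")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Builds the authorized_keys line that binds a public key to the wrapper.
# $1 = absolute path of the wrapper, $2 = the public key line as exported by ssh-keygen.
authorized_keys_line() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# Dispatch only when invoked by sshd (SSH_ORIGINAL_COMMAND is set); when the
# client sends no command at all, sshd leaves it unset and we just exit.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        # Word-splitting is intentional: the string was matched exactly above.
        exec $SSH_ORIGINAL_COMMAND
    else
        # Refused requests are worth logging: they show a key being used outside its job.
        logger -t forced-cmd "refused: $SSH_ORIGINAL_COMMAND" 2>/dev/null
        echo "command not permitted" >&2
        exit 1
    fi
fi
```

Install the script on the host the daemon connects to, append the output of `authorized_keys_line` to that account's authorized_keys, and test with `ssh -i daemon_key host 'cat /etc/shadow'`, which should be refused and logged.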

Preventing brute force ssh attacks

Posted Oct 25, 2007 16:25 UTC (Thu) by nix (subscriber, #2304)

Quite so, ssh-agent is lovely and things like keychain make it usable :)

(Of course it won't protect you if the machine on which the agent is running is rooted: they
could keylog you, install a malicious agent, et seq ad nauseam. But it's useful if machines
you connect to from the agent machine are compromised.)
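The "keys stay on localhost, don't hop from host to host" setup described in the thread can be made the default rather than a matter of discipline. The client configuration below is an added example, not from either poster; hosta, hostb, the user name and the domain are hypothetical. ProxyJump (OpenSSH 7.3+) tunnels the connection to hostb through hosta so the desktop authenticates to hostb directly and the private key is never copied to, or typed through, hosta. ForwardAgent stays off on every hop, which is exactly the case nix's caveat covers: a rooted intermediate host cannot then borrow the agent to reach further machines.

```sshconfig
# Added example (hypothetical hosts): ~/.ssh/config on the desktop that holds the keys.

Host hosta
    HostName hosta.example.internal
    User me
    IdentityFile ~/.ssh/id_ed25519
    # Offer only this key, not everything the agent holds.
    IdentitiesOnly yes
    # Load the key into ssh-agent on first use (OpenSSH 7.2+), so it is unlocked once.
    AddKeysToAgent yes
    # A rooted hosta must never be able to drive your agent.
    ForwardAgent no
    # Never fall back to typing a password that a keylogger on the far side could catch.
    PasswordAuthentication no

Host hostb
    HostName hostb.example.internal
    User me
    # Reach hostb through hosta; the key stays on the desktop.
    ProxyJump hosta
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
    PasswordAuthentication no
```

With this in place the three-step dance from the earlier comment collapses to `scp hostb:/path/to/file .` run on the desktop, and `ssh hostb` lands a shell there without ever leaving credentials on hosta. The server side of the same policy is `PasswordAuthentication no` in sshd_config on both hosts.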

Copyright © 2017, Eklektix, Inc.