[plug] ssh access

Daniel Pittman daniel at rimspace.net
Thu Oct 16 07:27:58 WST 2008


Peter Sutter <sutterp at sopac.com.au> writes:
> On Wednesday 15 October 2008 07:42, Jon L. Miller wrote:
>
>> In an attempt to stop ssh hack attacks (in the log there are 100's of
>> attempts) I've changed the port number of 22 to another port number.  Made
>> the changes in the Firewall to allow this new port number through.
>> However, when I attempt to access this from a remote location it times
>> out.  On some servers it works okay but on others it does not.  Is there a
>> way to see the incoming packets hitting the firewall to "hopefully" see
>> what errors are showing up?  By this I mean I'll be on site on the server.
>
> What is wrong with generating ssh keys for those users/machines that
> need to log on and disabling password prompting?  No key, no access.

For solving the problem of login attempts?  It doesn't remove the
logging, although you can now ignore brute force password guessing.

> It has the additional advantage that you do not need to remember a
> password.

In the bigger picture?  Just that.  You have now moved password
authentication from your server, which the attacker has no control over
and cannot evade if they try to log in with a password, to somewhere
less secure.

If you don't have a passphrase on the key then you just gave access to
anyone who obtains access to the key.  That, for a large (Windows)
userbase, means more or less anyone hostile.[1][2]

Using a passphrase on it, aside from being vulnerable to keyboard
sniffing, can be attacked through brute force at full CPU[3] speed, no
rate limiting possible, and with no notification to *anyone* that it is
happening.


So, yeah.  SSH keys have their own special brand of fail when it comes
to increasing security, sadly.  You get to pick your poison, I guess.

Regards,
        Daniel

Footnotes:
[1]  I don't specifically recall any of the "botnet" software stealing
     SSH keys, but given how broad their net is for anything else that
     might be useful I would be shocked if the idea had not crossed
     /someone's/ mind.

[2]  I am assuming here that, like most organizations, remote access
     means "remote access on whatever system the end user owns", where
     they administer it themselves.  This matches well above 90 percent
     of companies in my experience.

[3]  GPU, these days, which gives enormous performance boosts to the
     process of brute force attacks.
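The original question was about hundreds of password-guessing attempts showing up in the log, and the reply's point is that key-only authentication lets you treat those as noise rather than as a threat. The script below is an added example, not code from the thread or from the plug list: it triages constructed sshd log lines in the classic syslog format ("Failed password for ..." / "Accepted ... for ..."), counts failed password attempts per source address, flags sources that look like brute-force guessing, and lists any successful password logins that would be worth reviewing if the intent is to move everyone to keys. The thresholds (5 attempts or 3 distinct usernames from one address) and the sample addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in syslog-style sshd format (not real data).
SAMPLE_LOG = """\
Oct 15 07:40:01 srv sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 15 07:40:03 srv sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Oct 15 07:40:05 srv sshd[4124]: Failed password for root from 203.0.113.7 port 51141 ssh2
Oct 15 07:40:06 srv sshd[4126]: Failed password for root from 203.0.113.7 port 51150 ssh2
Oct 15 07:40:08 srv sshd[4128]: Failed password for invalid user test from 203.0.113.7 port 51160 ssh2
Oct 15 07:41:10 srv sshd[4130]: Failed password for jon from 198.51.100.4 port 40022 ssh2
Oct 15 07:41:15 srv sshd[4130]: Accepted publickey for jon from 198.51.100.4 port 40022 ssh2
Oct 15 07:42:00 srv sshd[4135]: Accepted password for jon from 192.0.2.9 port 60010 ssh2
"""

# "invalid user" is present when the account does not exist on the host;
# the optional group handles both forms of the failure message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def summarize(lines):
    """Return (failed, accepted).

    failed   : dict mapping source IP -> list of usernames tried (one per failure)
    accepted : list of (ip, user, method) for successful logins
    """
    failed = defaultdict(list)
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return dict(failed), accepted


def brute_force_sources(failed, min_attempts=5, min_users=3):
    """Sources exceeding either threshold (assumed values) are treated as guessing.

    Many attempts, or many different usernames, from one address is the
    pattern the original poster was seeing in the log.
    """
    return sorted(
        ip for ip, users in failed.items()
        if len(users) >= min_attempts or len(set(users)) >= min_users
    )


def password_logins(accepted):
    """Successful password logins: the accounts still relying on passwords."""
    return [(ip, user) for ip, user, method in accepted if method == "password"]


if __name__ == "__main__":
    failed, accepted = summarize(SAMPLE_LOG.splitlines())
    for ip in brute_force_sources(failed):
        users = failed[ip]
        print(f"guessing from {ip}: {len(users)} failures, "
              f"{len(set(users))} distinct users ({', '.join(sorted(set(users)))})")
    for ip, user in password_logins(accepted):
        print(f"password login still in use: {user} from {ip}")
```

A single failed password followed by an accepted publickey from the same address (198.51.100.4 in the sample) is what a legitimate user with a mis-ordered client configuration looks like, and it falls under both thresholds; the 203.0.113.7 run, cycling through common account names, does not. Once password authentication is off entirely, the second list should be empty and the first can be ignored.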