On Thu, 2 Oct 2008, John Summerfield wrote:

> To breach my system, the cracker needs a distributed attack or to be lucky.

I've seen several distributed attacks - there is one ongoing on my machine
at the moment:

Sep 30 17:59:00 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from abu66.internetdsl.tpnet.pl
Sep 30 18:00:58 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 200.53.121.213
Sep 30 18:01:35 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 80.48.204.226
Sep 30 18:02:05 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from customer-200-79-25-39.uninet.net.mx
Sep 30 18:11:54 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 201.28.119.60
Sep 30 18:14:45 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 189.36.160.62
Sep 30 18:15:27 brambing sshd[]: error: PAM: Authentication failure for illegal user aab from port668.ds1-oebr.adsl.cybercity.dk
Sep 30 18:21:17 brambing sshd[]: error: PAM: Authentication failure for illegal user aaj from mail.cooperativalehmann.com.ar
        ...     ...     ...
Oct  2 01:57:18 brambing sshd[]: error: PAM: Authentication failure for illegal user bnn from 218.28.143.246
Oct  2 02:29:27 brambing sshd[]: error: PAM: Authentication failure for illegal user bno from 58.223.242.246
Oct  2 03:03:15 brambing sshd[]: error: PAM: Authentication failure for illegal user bnp from 211.94.209.19
Oct  2 03:36:16 brambing sshd[]: error: PAM: Authentication failure for illegal user bnq from 211.94.209.19
Oct  2 04:08:00 brambing sshd[]: error: PAM: Authentication failure for illegal user bnr from 203.98.175.182
Oct  2 05:17:00 brambing sshd[]: error: PAM: Authentication failure for illegal user bnt from 189.43.21.244
Oct  2 05:51:30 brambing sshd[]: error: PAM: Authentication failure for illegal user bnu from 189.43.21.244
Oct  2 07:35:19 brambing sshd[]: error: PAM: Authentication failure for illegal user bnx from 58.223.242.246
Oct  2 08:11:01 brambing sshd[]: error: PAM: Authentication failure for illegal user bny from 80.118.132.88


> What might be useful, but I don't have enough public IP addresses that I've bothered with it, is to have network-wide monitoring where an intrusion attempt at one site results in the cracker's being blocked at all firewalls.

We have a script which adds blocks to our site firewall whenever a remote
machine makes too many connections in too short a time.
This catches scripts scanning a range of ip addresses but isn't so good
at the scripts which make a slow trickle of connections over a long period.

> You should not assume that a possessor of your laptop is a user, but you could require the user to authenticate via the VPN before trusting the laptop. Of course, you do not want the user to use a stored password (so http/https is out) or for ~/.bash_history to contain useful clues.

ssh-agent means that although the ssh keys aren't stored on disk
they *are* held in memory much of the time. Given that many laptops
are suspended and rarely rebooted, do you have a way of ensuring
that the machine regularly reconfirms the user's identity?

--
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
[EMAIL PROTECTED]       http://www.dpmms.cam.ac.uk/~werdna

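The two kinds of detection discussed in the message above, as an added example that is not part of the original post and not the site's own firewall script. Rule 1 is the per-source "too many connections in too short a time" check the post describes; rule 2 goes further than the post and correlates the slow trickle across sources, on the observation visible in the posted log that the illegal usernames advance alphabetically while each source contributes only a few attempts. Assumptions: the sshd/PAM message formats shown in the post, a constructed sample log using RFC 5737 documentation addresses (not the post's log), and a fixed year of 2008 because syslog lines carry none. The thresholds, the `SAMPLE_LOG`, and the function names are all made up for this example.

```python
"""Added example: two detection rules over sshd/PAM authentication failures.

Rule 1 (burst_sources) is the per-source rate rule from the post's firewall
script. Rule 2 (campaign_sources) catches the distributed slow trickle that
rule 1 misses by correlating usernames across low-volume sources.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2008  # assumption: syslog lines carry no year

# Matches both forms OpenSSH emits with PAM: "... for illegal user NAME from
# HOST" for unknown accounts and "... for NAME from HOST" for real ones.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d*\]: error: PAM: "
    r"Authentication failure for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<src>\S+)$"
)

# Constructed sample log (not the post's): a slow alphabetical trickle from
# seven sources, one fast scanner (203.0.113.99) and one typo by a real user.
SAMPLE_LOG = """\
Sep 30 17:59:00 brambing sshd[]: error: PAM: Authentication failure for illegal user aaa from 192.0.2.10
Sep 30 18:00:58 brambing sshd[]: error: PAM: Authentication failure for illegal user aab from 198.51.100.7
Sep 30 18:01:35 brambing sshd[]: error: PAM: Authentication failure for illegal user aac from 203.0.113.44
Sep 30 18:02:05 brambing sshd[]: error: PAM: Authentication failure for illegal user aad from 192.0.2.77
Sep 30 18:05:00 brambing sshd[]: error: PAM: Authentication failure for root from 203.0.113.99
Sep 30 18:05:12 brambing sshd[]: error: PAM: Authentication failure for illegal user admin from 203.0.113.99
Sep 30 18:05:20 brambing sshd[]: error: PAM: Authentication failure for illegal user test from 203.0.113.99
Sep 30 18:05:31 brambing sshd[]: error: PAM: Authentication failure for illegal user oracle from 203.0.113.99
Sep 30 18:05:45 brambing sshd[]: error: PAM: Authentication failure for illegal user guest from 203.0.113.99
Sep 30 18:11:54 brambing sshd[]: error: PAM: Authentication failure for illegal user aaf from 198.51.100.23
Sep 30 18:14:45 brambing sshd[]: error: PAM: Authentication failure for illegal user aag from 192.0.2.10
Sep 30 19:02:17 brambing sshd[]: error: PAM: Authentication failure for alice from 192.0.2.50
Oct  1 01:57:18 brambing sshd[]: error: PAM: Authentication failure for illegal user aah from 203.0.113.12
Oct  1 02:29:27 brambing sshd[]: error: PAM: Authentication failure for illegal user aaj from 198.51.100.7
Oct  1 03:03:15 brambing sshd[]: error: PAM: Authentication failure for illegal user aak from 192.0.2.130
Oct  2 04:08:00 brambing sshd[]: error: PAM: Authentication failure for illegal user aal from 203.0.113.12
"""


def parse(log_text):
    """Return time-sorted (timestamp, user, source, is_illegal_user) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog lines
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"], m["illegal"] is not None))
    events.sort()
    return events


def burst_sources(events, max_failures=5, window=timedelta(minutes=10)):
    """Rule 1: sources with >= max_failures failures inside one sliding window."""
    times_by_src = defaultdict(list)
    for ts, _user, src, _illegal in events:
        times_by_src[src].append(ts)
    blocked = set()
    for src, times in times_by_src.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                blocked.add(src)
                break
    return blocked


def campaign_sources(events, max_per_source=3, min_sources=5, min_ordered=0.9):
    """Rule 2: correlate low-volume illegal-user failures across sources.

    Only sources with at most max_per_source attempts are looked at, since
    those are exactly the ones rule 1 can never catch. If enough distinct
    sources took part and the usernames they tried are (almost) alphabetically
    increasing in time order, all of them are treated as one campaign.
    """
    illegal = [(ts, user, src) for ts, user, src, flag in events if flag]
    count = defaultdict(int)
    for _ts, _user, src in illegal:
        count[src] += 1
    trickle = [e for e in illegal if count[e[2]] <= max_per_source]
    sources = {src for _ts, _user, src in trickle}
    if len(trickle) < 2 or len(sources) < min_sources:
        return set()
    ordered = sum(1 for a, b in zip(trickle, trickle[1:]) if b[1] > a[1])
    if ordered / (len(trickle) - 1) < min_ordered:
        return set()
    return sources


def iptables_rules(sources):
    """Render a blocklist that can be pushed to every site firewall."""
    # sshd may log reverse-resolved names instead of addresses (as in the
    # post); those need resolving first. The sample holds IP literals only.
    return [f"-A INPUT -s {src} -j DROP" for src in sorted(sources)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    burst, campaign = burst_sources(evs), campaign_sources(evs)
    print("rule 1 (burst) caught:   ", sorted(burst))
    print("rule 2 (campaign) caught:", sorted(campaign))
    for rule in iptables_rules(burst | campaign):
        print(rule)
```

Run as a script it prints that rule 1 catches only the scanner at 203.0.113.99, while rule 2 returns the seven trickle sources and leaves the real user's typo from 192.0.2.50 alone; the union is the list the post's idea of network-wide blocking would distribute to every firewall. The alphabetical-order test is deliberately approximate (min_ordered) because a sharded dictionary walk will not be perfectly monotonic across hosts.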