Re: a GOOD idea to harden OpenSSH!
On Tue, Apr 19, 2011 at 11:56:51AM +0200, Peter N. M. Hansteen wrote:
> Alexander Schrijver alexander.schrij...@gmail.com writes:
>> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.
> (...) industrial-scale password guessing (...)
> If you allow password logins at all, there are worse ideas than running john (or similar) to flush out the bad ones occasionally.

If you're going to check password quality, use security/passwdqc (by the same author as John the Ripper, based on the same code) - it will actually prevent people from setting bad passwords, and using it to check plaintext passwords is much more efficient than running john. (Of course, it doesn't work on passwords already set, so *one* john run makes sense.)

Joachim

-- 
PotD: devel/p5-YAML - YAML ain't a markup language
http://www.joachimschipper.nl/
Re: a GOOD idea to harden OpenSSH!
On Mon, Apr 18, 2011 at 07:54:13PM -0400, swilly wrote:
> On Wed, Mar 30, 2011 at 03:22, Alexander Schrijver alexander.schrij...@gmail.com wrote:
>> It's a great way to keep someone out of their own system.
> Huh? Wouldn't securely backing up the RSA keys prevent this? If you are mindful enough to use keys in the first place and don't back up such critical data, wouldn't you deserve to be locked out until someone can cart over an IP KVM?
> -William

That was meant as an addition to why it is a bad idea for that feature. I think it's a bad idea to disable ssh login while someone is bruteforcing your account. Your right that there are other ways to still login.
Re: a GOOD idea to harden OpenSSH!
> Your right that there are other ways to still login.

I meant you're.
Re: a GOOD idea to harden OpenSSH!
Alexander Schrijver alexander.schrij...@gmail.com writes:
> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.

We've seen quite a bit of what appears to be industrial-scale password guessing (google 'hail mary cloud' or a few more obvious keywords), so on any internet-facing system the probability that someone is trying to bruteforce their way in via some account or other right now is not negligible.

If you allow password logins at all, there are worse ideas than running john (or similar) to flush out the bad ones occasionally.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: a GOOD idea to harden OpenSSH!
On Tue, Apr 19, 2011 at 4:54 PM, Edho P Arief edhopr...@gmail.com wrote:
> On Tue, Apr 19, 2011 at 4:33 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
>> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.
> it may be just me but I'm having problem in understanding this statement.

Oh, I get it now. No wonder - I completely misread you, since you put your reply right after "disable password login, use ssh key".
Re: a GOOD idea to harden OpenSSH!
On Tue, Apr 19, 2011 at 4:33 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.

It may be just me, but I'm having a problem understanding this statement.
Re: a GOOD idea to harden OpenSSH!
On Tue, 19 Apr 2011 16:54:45 +0700 Edho P Arief wrote:
> On Tue, Apr 19, 2011 at 4:33 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
>> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.
> it may be just me but I'm having problem in understanding this statement.

They won't brute force your pubkey auth. Disable password auth, and don't lock yourself out by securing password auth. Choose a good password for the short period before you've set up the pubkey.

An interesting question is: what's more secure (ignoring physical), local console or ssh (environment etc.)?
Re: a GOOD idea to harden OpenSSH!
On Tue, Apr 19, 2011 at 11:56 AM, Peter N. M. Hansteen pe...@bsdly.net wrote:
> Alexander Schrijver alexander.schrij...@gmail.com writes:
>> I think it's a bad idea to disable ssh login while someone is bruteforcing your account.
> We've seen quite a bit of what appears to be industrial-scale password guessing (google 'hail mary cloud' or a few more obvious keywords), so on any internet-facing system the probability that someone is trying to bruteforce their way in via some account or other right now is not negligible.
> If you allow password logins at all, there are worse ideas than running john (or similar) to flush out the bad ones occasionally.

This adds some interesting ideas regarding the security of passwords. Please read the FAQ part too, as it answers a lot of questions which may come up after reading that post.
http://www.baekdal.com/tips/password-security-usability

> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> Remember to set the evil bit on all malicious network traffic
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: a GOOD idea to harden OpenSSH!
>>>>> "Peter" == Peter N M Hansteen pe...@bsdly.net writes:

Peter> We've seen quite a bit of what appears to be industrial-scale password
Peter> guessing (google 'hail mary cloud' or a few more obvious keywords), so
Peter> on any internet-facing system the probability that someone is trying
Peter> to bruteforce their way in via some account or other right now is not
Peter> negligible.

And about 1/1000th the traffic if you move your sshd from 22 to something far less standard, based on my experience.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 03:22, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> It's a great way to keep someone out of their own system.

Huh? Wouldn't securely backing up the RSA keys prevent this? If you are mindful enough to use keys in the first place and don't back up such critical data, wouldn't you deserve to be locked out until someone can cart over an IP KVM?

-William
a GOOD idea to harden OpenSSH!
I'm writing here, because the ssh dev list says:

  Mail Delivery Status Notification (Delay)
  [Status: Error, Address: openssh-unix-...@mindrot.org, ResponseCode 451, Temporary failure, please try again later.]

So: What is your opinion about the next idea? Please write down ++/-- thoughts:

It's against brute-force attacks on sshd: if a user wants to connect to an ssh server, then he has to wait a couple of seconds, then he can write his passphrase. The couple of seconds is defined in the sshd config, e.g.: 2 seconds. The method mustn't show that the user has to wait 2 seconds to write his passphrase.

Important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!

Effect: in this way, if a brute force robot comes and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok. BUT: the sshd will only give back that the password is bad - because it only processes the password that has been typed 2 seconds after the "type your password" prompt appears on the client side.

If this idea would spread, then the attackers would adapt, and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too many resources, and the brute-force will be far less effective.

So can this be a feature in sshd? :O

What do you think?

Thank you!
Re: a GOOD idea to harden OpenSSH!
Isn't limiting the number of retries obtaining the same result? I mean, limiting the number of retries to 5 and having to wait for 10 seconds after five failed attempts will have the same outcome without the hassle, IMO.

On Tue, 29 Mar 2011 22:58:53 -0700 nagygabor88 nagygabo...@zoho.com wrote:
> What is your opinion about the next idea? Please write down ++/-- thoughts:

-- 
Mihai Militaru mihai.milit...@xmpp.ro
Re: a GOOD idea to harden OpenSSH!
IMHO it is absolutely useless; objections are:

1. You can limit connections using a firewall.
2. You already have the feature, by the name of limiting the number of retries.
3. If you really want PROTECTION - you should turn off password authentication completely and use an RSA key with a passphrase.

On Wed, 30 Mar 2011 09:54:06 +0300 Mihai Militaru mihai.milit...@xmpp.ro wrote:
> Isn't limiting the number of retries obtaining the same result? I mean, limiting the number of retries to 5 and having to wait for 10 seconds after five failed attempts will have the same outcome without the hassle, IMO.
> On Tue, 29 Mar 2011 22:58:53 -0700 nagygabor88 nagygabo...@zoho.com wrote:
>> What is your opinion about the next idea? Please write down ++/-- thoughts:

-- 
With best regards,
Gregory Edigarov
Re: a GOOD idea to harden OpenSSH!
Don't reinvent the wheel: http://home.nuug.no/~peter/pf/en/bruteforce.html

On Wed, Mar 30, 2011 at 7:58 AM, nagygabor88 nagygabo...@zoho.com wrote:
> I'm writing here, because the ssh dev list says:
>
>   Mail Delivery Status Notification (Delay)
>   [Status: Error, Address: openssh-unix-...@mindrot.org, ResponseCode 451, Temporary failure, please try again later.]
>
> So: What is your opinion about the next idea? Please write down ++/-- thoughts:
>
> It's against brute-force attacks on sshd: if a user wants to connect to an ssh server, then he has to wait a couple of seconds, then he can write his passphrase. The couple of seconds is defined in the sshd config, e.g.: 2 seconds. The method mustn't show that the user has to wait 2 seconds to write his passphrase.
>
> Important: the user could type in his password before the 2 seconds, but the sshd will only process the chars that have been typed after 2 seconds!
>
> Effect: in this way, if a brute force robot comes and tries to log in with a generated password, it will likely input that in a matter of milliseconds, ok. BUT: the sshd will only give back that the password is bad - because it only processes the password that has been typed 2 seconds after the "type your password" prompt appears on the client side.
>
> If this idea would spread, then the attackers would adapt, and wait e.g.: 5 seconds before their robot gives the generated password to sshd. - BUT: this will take them too many resources, and the brute-force will be far less effective.
>
> So can this be a feature in sshd? :O
>
> What do you think?
>
> Thank you!
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 10:06:14AM +0300, Gregory Edigarov wrote:
> IMHO it is absolutely useless; objections are:
> 1. You can limit connections using a firewall.
> 2. You already have the feature, by the name of limiting the number of retries.
> 3. If you really want PROTECTION - you should turn off password authentication completely and use an RSA key with a passphrase.
> On Wed, 30 Mar 2011 09:54:06 +0300 Mihai Militaru mihai.milit...@xmpp.ro wrote:

It's a great way to keep someone out of their own system.
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 03:00:18PM +0700, Edho P Arief wrote:
> On Wed, Mar 30, 2011 at 2:22 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
>> It's a great way to keep someone out of their own system.
> Unless you enable root login...

How does that help?
Re: a GOOD idea to harden OpenSSH!
On 30 March 2011 20:22, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> On Wed, Mar 30, 2011 at 10:06:14AM +0300, Gregory Edigarov wrote:
>> IMHO it is absolutely useless; objections are:
>> 1. You can limit connections using a firewall.
>> 2. You already have the feature, by the name of limiting the number of retries.
>> 3. If you really want PROTECTION - you should turn off password authentication completely and use an RSA key with a passphrase.
>> On Wed, 30 Mar 2011 09:54:06 +0300 Mihai Militaru mihai.milit...@xmpp.ro wrote:
> It's a great way to keep someone out of their own system.

It still amazes me that people are using tunneled plain-text passwords on internet-facing systems. Learn how to use ssh-keygen and .ssh/authorized_keys - I would hazard that a better security measure would be to turn off tunneled clear-text logins by default.
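Several posts in this thread (the one above, and the earlier "disable password auth, don't lock yourself out" reply) recommend a key-only sshd. The following audit script is an added example written for this page; it is not code from OpenSSH or from any of the posters. It parses an sshd_config with sshd's own "first value obtained wins" rule, stops at the first Match block (settings below it apply only conditionally), and reports any keyword that deviates from a key-only setup. The DEFAULTS table is an assumption about what current sshd uses when a keyword is absent (PermitRootLogin in particular defaulted to "yes" on older releases); check sshd_config(5) for the version you run. Both sample configs are constructed.

```python
"""Audit an sshd_config for the key-only hardening recommended in the thread.
Example code added to this page; not OpenSSH's and not any poster's code."""
import re

# Assumed defaults sshd applies when the keyword is absent (verify against
# sshd_config(5) for your release; older releases defaulted PermitRootLogin to yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# What an internet-facing, key-only sshd should be running with.
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",   # keyboard-interactive can also carry passwords
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}
MAX_AUTH_TRIES_LIMIT = 3   # chosen for this example, not an sshd constant


def parse_sshd_config(text):
    """Return {keyword_lower: value}. sshd uses the FIRST value it obtains for
    a keyword, so later duplicates are ignored. Parsing stops at the first
    Match block because everything below it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value may be separated by whitespace or by '='.
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first value wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config is key-only."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS[key]).lower()

    findings = []
    for key, want in EXPECTED.items():
        got = effective(key)
        if got != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    tries = int(effective("maxauthtries"))
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"maxauthtries is {tries}, expected <= {MAX_AUTH_TRIES_LIMIT}")
    return findings


# Constructed sample: a password-enabled config. The second
# PasswordAuthentication line is ignored because the first value wins, and the
# Match block does not change the global setting.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the key-only setup the thread recommends.
HARDENED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against a copy of your own sshd_config to see which of the thread's recommendations are still unmet; the first-value-wins parsing is what makes the second PasswordAuthentication line in the weak sample count for nothing, which is a common way to believe password logins are off when they are not.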
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 3:11 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> On Wed, Mar 30, 2011 at 03:00:18PM +0700, Edho P Arief wrote:
>> On Wed, Mar 30, 2011 at 2:22 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
>>> It's a great way to keep someone out of their own system.
>> Unless you enable root login...
> How does that help?

How would someone be locked out of their own system by disabling password login? (I guessed the home partition didn't get mounted before, which is why I mentioned enabling root login.)
Re: a GOOD idea to harden OpenSSH!
On Wed, 30 Mar 2011 09:22:44 +0200, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> On Wed, Mar 30, 2011 at 10:06:14AM +0300, Gregory Edigarov wrote:
>> IMHO it is absolutely useless; objections are:
>> 1. You can limit connections using a firewall.
>> 2. You already have the feature, by the name of limiting the number of retries.
>> 3. If you really want PROTECTION - you should turn off password authentication completely and use an RSA key with a passphrase.
>> On Wed, 30 Mar 2011 09:54:06 +0300 Mihai Militaru mihai.milit...@xmpp.ro wrote:
> It's a great way to keep someone out of their own system.

Obviously, if you do limit the number of connections using pf(4) (or some other firewall), you should maintain a whitelist of good IPs which are always allowed to connect. I myself protect my servers' tcp/22 with pf(4), and I do maintain a whitelist. It contains the IP of my default gateway and one more IP from a trusted network. That way, I can't lock myself out.

Besides, if you have remote servers, you should have out-of-band management (read: serial console!). If you don't, well then, Amateur I say!

Cheers,
Marian
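The retry limiting proposed earlier in the thread ("limit to 5 attempts, then wait 10 seconds") and the whitelist-so-you-cannot-lock-yourself-out point in the post above are the same mechanism pf's overload tables implement at the packet level. The model below is an added example written for this page, not pf's or sshd's own logic: a per-source failure counter that blocks a source for a fixed time once it crosses the limit, with trusted networks exempt. Parameter names, the injected clock, and all event data are constructed for the example; the addresses are documentation ranges.

```python
"""Per-source lockout with a trusted-network whitelist, modelling the
"5 failures, then wait 10 seconds" limit plus a pf-style whitelist.
Example code added to this page; not pf's or sshd's own implementation."""
import ipaddress
from collections import deque


class FailedLoginLimiter:
    """Counts failed logins per source inside a sliding window and blocks the
    source for block_seconds once max_failures is reached. Sources inside a
    whitelisted network are never counted or blocked."""

    def __init__(self, max_failures=5, block_seconds=10, whitelist=(), clock=None):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.clock = clock            # injected so the behaviour is deterministic
        self.failures = {}            # src -> deque of failure timestamps
        self.blocked_until = {}       # src -> time the block expires

    def is_whitelisted(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, src):
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if self.clock() >= until:     # block expired: forget the history too
            del self.blocked_until[src]
            self.failures.pop(src, None)
            return False
        return True

    def record_failure(self, src):
        """Record one failed attempt; return True if src is now blocked."""
        if self.is_whitelisted(src):
            return False
        now = self.clock()
        q = self.failures.setdefault(src, deque())
        q.append(now)
        # Only failures within the last block_seconds count toward the limit.
        while q and now - q[0] > self.block_seconds:
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[src] = now + self.block_seconds
            q.clear()
            return True
        return False

    def record_success(self, src):
        self.failures.pop(src, None)


def simulate(events, **limiter_kwargs):
    """Replay (time_s, source, success) events in time order.
    Returns (sources that got blocked, attempts refused while blocked)."""
    now = [0.0]
    lim = FailedLoginLimiter(clock=lambda: now[0], **limiter_kwargs)
    blocked, refused = [], 0
    for when, src, ok in sorted(events):
        now[0] = when
        if lim.is_blocked(src):
            refused += 1
            continue
        if ok:
            lim.record_success(src)
        elif lim.record_failure(src) and src not in blocked:
            blocked.append(src)
    return blocked, refused


# Constructed sample traffic: a fast guesser, a whitelisted host that also
# fails a lot (e.g. a fat-fingered admin), and a slow source that never
# reaches five failures inside one window.
SAMPLE_EVENTS = (
    [(0.1 * i, "203.0.113.7", False) for i in range(5)]     # 5 failures in 0.4 s
    + [(1.0, "203.0.113.7", False), (5.0, "203.0.113.7", False)]  # while blocked
    + [(11.0, "203.0.113.7", False)]                         # after the block expires
    + [(0.2 * i, "192.0.2.1", False) for i in range(20)]     # whitelisted, never blocked
    + [(2.0, "198.51.100.9", False), (17.0, "198.51.100.9", False),
       (32.0, "198.51.100.9", False), (40.0, "198.51.100.9", True)]
)


def run_sample():
    return simulate(SAMPLE_EVENTS, max_failures=5, block_seconds=10,
                    whitelist=["192.0.2.0/24"])


if __name__ == "__main__":
    print(run_sample())
```

The whitelist is checked before anything is counted, which is the property the post above relies on: however badly a trusted address behaves, it cannot push itself into the blocked set. The slow source shows the cost side of any such limit, since attempts spaced wider than the window are never refused; that is why the thread keeps coming back to turning password authentication off rather than only throttling it.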
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 2:22 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote:
> It's a great way to keep someone out of their own system.

Unless you enable root login...