
Re: SSH authentication, was Re: Blocking SSH scans?



> On Mon, 28 Jan 2002, Rodolfo J. Paiz wrote:
> 
>> At 1/28/2002 11:56 AM -0800, you wrote:
>> >I still think Bob's suggestion holds merit.  Do you really need
>> >access to the host from the full 32 bit range of IP addresses?  My
>> >experience so far has been that the access list is quite finite and
>> >can be defined by ranges of IP addresses. It is, at least, something
>> >to evaluate objectively and see if you can narrow the range of IPs
>> >that can connect to it.
>> 
>> The suggestion does indeed have merit. However, the issue is not so
>> much that it cannot be narrowed, but rather that it's unpredictable.
>> (This may be different for Chris than for me, and it was originally
>> his question.)
>> 
>> Ferinstance, I'm in Brazil today but will be in El Salvador next week.
>> I could greatly improve the security of sshd even by simply using the
>> .sv in hosts.allow, but the key is that I need to open it up before I
>> leave Brazil or I'll be locked out when I change IP ranges without
>> knowing in advance which ISP I'll be using. Too much chance of ending
>> up locked out of the box.
>> 
>> Still, upon lengthier rumination I do suppose I could create a short
>> list of, say, 10 countries to which I regularly travel and still have
>> greatly reduced the range of IP addresses which could attack me.
>> Hmm... not ideal, but better.
> 
> Seeing some really good ideas here.  The other one I'm interested in,
> but don't have the data flow worked out is...   Supposing a person
> set up the java based client, mindterm, to be available from a web site
> you managed.   Would the session be from your local workstation or from
> the web server as the source of ssh packets?
> 
> 
> In one of the other messages, it was suggested to manage your ssh
> keypair and in short carry your private key with you and use it to
> access whatever host you want.  Very feasible on a physical level.  My
> business partner gave each of us in the business a USB hard drive.
> 128Mb and supported by Linux.  I'm trying this now to see how well it
> works moving between systems.

Just wondering ...
does everyone so far making all these suggestions think that SSH is
not secure enough?
Do you think any solution that involves telling the computer to enable
SSH is more secure than actually just using SSH?
(Obviously carrying a copy of the key on a portable HDD is considered
secure if you don't leave it lying around or lose it :-)

But really, back to the original question ...
No you cannot stop SSH port scans - you can stop port scans from
getting a reply by not allowing SSH to talk to anything but a
restricted set of IP addresses - but does it really matter?
If someone knows that you run SSH - then good for them.
You could get really paranoid (like me :-) and tcpdump all traffic
that comes and goes on your local network from/to the internet

(about 30Meg a day with a packet size of 200 bytes = about 3 years
on my 30Gig HDD that is only used for this - still have every
truncated packet from the first day my current router was up and
running = 27-Dec-2000 - maybe I should track down all the hack
attempts and ... not worth the trouble)

If you are concerned about SSH port scans then you should be more
concerned about port scans on ANY other product that is less secure
than SSH (and I think I am correct in saying that many other products
are less secure than SSH)

Regarding mindterm ...
I use it on all of my servers and one of them to allow outside connections
(so I can get in from anywhere on the planet)
I would think that all the network traffic is encrypted since the
client is a java program on your local machine and SSH client<->server
communication is encrypted.
-- 
-Cheers
-Andrew

MS ... if only he hadn't been hang gliding!
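The thread above discusses two defensive ideas: restricting sshd to known IP ranges or country domain suffixes (the hosts.allow `.sv` entry Rodolfo mentions) and keeping enough traffic records to spot repeated connection attempts. The following is an added example, not code from anyone in the thread: a small TCP-wrappers-style allow-list matcher written in Python, run over a constructed set of connection records so that denied sources can be tallied the way one might when going through captured traffic. The networks, hostnames, addresses and the `is_allowed`, `evaluate` and `repeat_offenders` functions are all constructed for illustration.

```python
"""Added example (not from the thread): a TCP-wrappers-style allow-list
matcher for sshd, applied to constructed connection records.

A client is admitted if its address falls in an allowed network or its
reverse-DNS name ends in an allowed domain suffix (e.g. ".sv"), which is
what a hosts.allow entry of that form does.  Everything else is denied,
and denials are counted per source so scan-like behaviour stands out.
All addresses, hostnames and allow-list entries are constructed sample
data, not real hosts.
"""
import ipaddress
from collections import Counter

# Constructed allow list in the spirit of hosts.allow entries:
# address ranges for known locations plus country-domain suffixes.
ALLOW_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
ALLOW_SUFFIXES = [".sv", ".br"]


def is_allowed(addr, rdns=None):
    """Return True if addr, or its reverse-DNS name, matches the allow list.

    Caveat worth knowing before relying on suffix rules: they can only
    match when the connecting address has a reverse-DNS name at all, so
    a client without a PTR record is admitted by address or not at all.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ALLOW_NETWORKS):
        return True
    if rdns:
        name = rdns.lower().rstrip(".")
        return any(name.endswith(suffix) for suffix in ALLOW_SUFFIXES)
    return False


# Constructed connection attempts: (source address, reverse-DNS name or None).
SAMPLE_CONNECTIONS = [
    ("192.0.2.17", "office.example.net"),     # inside an allowed range
    ("203.0.113.45", "dsl-45.example.sv"),    # admitted by the .sv suffix
    ("203.0.113.99", None),                   # no PTR record, not in a range
    ("203.0.113.99", None),
    ("203.0.113.99", None),
    ("198.51.100.200", None),                 # just outside the /25
    ("203.0.113.7", "host.example.br"),       # admitted by the .br suffix
]


def evaluate(connections):
    """Apply the allow list; return admitted addresses and a per-source
    count of denied attempts."""
    allowed, denied = [], Counter()
    for addr, rdns in connections:
        if is_allowed(addr, rdns):
            allowed.append(addr)
        else:
            denied[addr] += 1
    return allowed, denied


def repeat_offenders(denied, threshold=3):
    """Sources denied at least `threshold` times: the repeated attempts
    one would want to look at first in a day's worth of captures."""
    return sorted(a for a, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    allowed, denied = evaluate(SAMPLE_CONNECTIONS)
    print("allowed:", allowed)
    print("denied:", dict(denied))
    print("repeat offenders:", repeat_offenders(denied))
```

Running it admits the three sources that match a range or suffix and reports 203.0.113.99 as a repeat offender after its three denied attempts. The design point is the one the thread circles around: the allow list reduces who gets a reply from sshd, but the denied attempts still arrive and are only visible if something records them.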
