I love IP Tables....

Les hlhowell at pacbell.net
Sun May 27 16:50:06 UTC 2007


On Sun, 2007-05-27 at 08:59 -0700, Wolfgang S. Rupprecht wrote:

> Tom Rivers <tom at impact-crater.com> writes:
> > On Sat, 2007-05-26 at 13:16 -0700, Wolfgang S. Rupprecht wrote:
> >> Such programs help you save the CPU time of sshd answering the
> >> connection from a single abusive host, but would do little against a
> >> distributed botnet attack.  Luckily botnets aren't really used against
> >> sshd yet, but if they were you'd potentially be seeing distributed
> >> guessing attacks from 10,000 different hosts.  If they all took turns
> >> to guess a single password in round-robin fashion, the filters would
> >> never trip.
> >
> > You're right.  What do you recommend to protect against this sort of
> > attack?
> 
> There are two things to defend against, 1) attackers actually guessing
> a working password 2) the system resources wasted answering the
> attacks.
> 
> The first one is easily taken care of by having the computer pick
> a random number as a password for you.  Remembering and typing
> gibberish passwords is hard, so it is best to have the computer's
> machinery do the drudge work.  This is what ssh's RSA (and DSA)
> mechanism does.  It chooses a 1kbit long password for you and
> effectively stores it for you so you never have to type it.  It then
> encrypts that 1kbit password with a "human" password you chose.  This
> password can be a really *bad* password (pets name, mother's maiden
> name etc.) without any ill effects.  The human-password is never used
> by ssh for anything but decoding its 1k-bit password on the local
> machine when ssh starts up.  The 1k-bit password is the one ssh uses
> "on the wire".  The fact that the attacker now has to guess the 1kbit
> password is what makes the whole thing so safe.  Doing an exhaustive
> search on that takes many, many times the life of the universe.
> 
> (I didn't want to post this link in the last message, I've posted it
> twice already and was afraid someone would think I was spamming the
> same link repeatedly.  SSH RSA setup:
> http://www.wsrcc.com/wolfgang/sshd-config.html )
> 
> As for the defense against the DDOS resource exhaustion of a
> theoretical botnet sshd attack.  I'm not sure you can do much but try
> to change your IP address.  Ultimately legislation will probably be
> needed to fine the fools running virus-riddled computers that are
> supplying the computer workforce for the botnets.
> 

Hi, Wolfgang,
    I am sure you didn't mean to insult the folks who use our efforts,
the users, but instead the designers of the bots themselves should be
the ones in deep trouble.  Even those who study and work diligently at
defense get hacked sometimes via the combination of total effort
expended against them, and the fact that the hackers only need to "get
it right once" as has been said by Rumsfeld in connection with
terrorists.  I believe that it is possible to have good security and
still get hit.  I mean, we have had banks for thousands of years, and
they still get robbed.  Do we blame the bankers?

Regards,
Les H
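The round-robin scenario Wolfgang describes above, as an added example that is not part of the thread: a fail2ban-style per-source lockout and a source-agnostic failure-rate detector, replayed over constructed sshd "Failed password" lines. The hostname `gw`, the source addresses, the year 2007 used to complete the syslog timestamps, and the thresholds (5 failures in 600 s per host; 20 failures in 60 s overall) are all assumptions for illustration, not values from the page or from any real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in syslog layout (year is not in the line; assumed below).
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failed_login(line, year=2007):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def make_lines(sources, guesses, start="May 27 16:50:00", interval=1):
    """Constructed log lines: `guesses` failures spread round-robin over `sources`,
    one every `interval` seconds. This is the attacker's schedule, not real data."""
    t0 = datetime.strptime(f"2007 {start}", "%Y %b %d %H:%M:%S")
    lines = []
    for i in range(guesses):
        ts = (t0 + timedelta(seconds=i * interval)).strftime("%b %d %H:%M:%S")
        ip = sources[i % len(sources)]
        lines.append(f"{ts} gw sshd[{1000 + i}]: Failed password for root "
                     f"from {ip} port {40000 + i} ssh2")
    return lines


class PerHostFilter:
    """fail2ban-style rule: ban a source after `maxretry` failures within `window` s."""

    def __init__(self, maxretry=5, window=600):
        self.maxretry, self.window = maxretry, window
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned = set()

    def observe(self, ts, ip):
        """Return True if the attempt is dropped at the firewall (source already banned)."""
        if ip in self.banned:
            return True
        q = self.failures[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.maxretry:  # this attempt was answered; later ones will not be
            self.banned.add(ip)
        return False


class GlobalRateFilter:
    """Source-agnostic detector: trip when failures from any sources exceed
    `threshold` within `window` s. It cannot say whom to block, but it notices
    a distributed attack that the per-host rule never sees."""

    def __init__(self, threshold=20, window=60):
        self.threshold, self.window = threshold, window
        self.events = deque()

    def observe(self, ts):
        self.events.append(ts)
        while (ts - self.events[0]).total_seconds() > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold


def simulate(lines, maxretry=5, window=600, global_threshold=20, global_window=60):
    """Replay the attacker's attempts through both filters and summarise the outcome."""
    per_host = PerHostFilter(maxretry, window)
    global_rate = GlobalRateFilter(global_threshold, global_window)
    answered, tripped_at = 0, None
    for n, line in enumerate(lines, 1):
        ev = parse_failed_login(line)
        if ev is None:
            continue
        ts, _user, ip = ev
        if per_host.observe(ts, ip):
            continue  # dropped before sshd ever saw it
        answered += 1  # sshd spent CPU on it and the attacker got a password guess
        if tripped_at is None and global_rate.observe(ts):
            tripped_at = n
    return {"attempts": len(lines), "answered": answered,
            "banned_hosts": len(per_host.banned), "global_tripped_at": tripped_at}


def single_host_attack(guesses=100):
    return simulate(make_lines(["198.51.100.7"], guesses))


def botnet_attack(hosts=10000, guesses=10000):
    sources = [f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}" for i in range(hosts)]
    return simulate(make_lines(sources, guesses))


if __name__ == "__main__":
    print("single host:    ", single_host_attack())  # 5 answered, 1 host banned, no global trip
    print("10k-host botnet:", botnet_attack())       # 10000 answered, 0 banned, trips at attempt 20
```

With the assumed thresholds the single abusive host gets five guesses before it is banned, while ten thousand hosts taking one turn each get all ten thousand guesses and never trip the per-host rule. The global counter does fire, but its only sensible response is an alert or a policy change (for example, turning off password authentication, which is the key-based fix the quoted message recommends), since there is no single address to block.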