Re: Blocking attacks from spoofed IP addresses

Moe Trin wrote:

On Thu, 01 Oct 2009, in the Usenet newsgroup comp.os.linux.networking,
in article <aog8c5t75j6fnr4ksb5v81ick5cqi0j4ul@xxxxxxx>, Grant wrote:

Marty <net@xxxxxxxxxxxxxxxxxxx> wrote:

Allen Kistler wrote:

I suggest using only public key authentication. Disable password
authentication. Some of the ssh attacks are distributed. It's
harder to guess an asymmetric key than any password you can dream up,
no matter how cool you think it is.

But then still remains the question: has there ever been a real world
example of a reasonably strong password that has been guessed just by a
few login attempts? Even with botnets they do not have more than a few
hundred chances to test a password on a ssh server that limits logins or
blocks after some failed ones. So disabling weak passwords is the key
here.
So IMHO public key authentication does not necessarily reduce risks. It
might be simpler as far is administration and monitoring is concerned. If
used in an improper way it may even reduce security. Keys without
password protection give sysadmins of remote networks access to your
system, USB sticks get lost or stolen etc.

Sometimes I do a 'whois' on what looks like related IPs and ban entire
CIDR blocks at the firewall (a linux box with bridged modem). Just
checked, only 38 banned blocks collected over the last couple years, so
it's not a big ask for iptables to do that.

Two thoughts - what are you "offering" to the world, and what are you
trying to defend against. Most residential situations should not be
offering much (if anything) in the line of services, and this may be a
little as SSH based access (meaning no web or ftp or similar server for
example). Who are you offering these services to? The _concepts_ of
"mostly open" verses "mostly closed" as discussed in the manual page for
tcp_wrappers (man 5 hosts_access) apply. You speak of 38 banned blocks,
which would be the "mostly open" situation, while I accept connections
from 3 blocks (blocking all else by default) which would be the "mostly
closed" situation. On those occasions when my authorized users may be
traveling (and thus away from those three acceptable blocks), I usually
set up a port-knocking scheme, where one must first make a connection
attempt to some non-standard (but closed) port, with the firewall
recognizing the attempt and opening access to my systems from that
address only for a limited (one minute) period. This isn't "security by
obscurity" because once you are allowed to _connect_ you still have to
use the "normal" authentication mechanism to actually get "in". Oh,
and the port-knocking may run into those same 'blocked by the corporate
firewall' rules that made it impractical to move your server to an
obscure port.

Nice, but is this really worth the effort? Maintaining such lists is
probably more work than it is worth the effort. I once asked around for a
list of scientific and educational networks. Such a list does not exist,
and I'm far to lazy to collect the addresses myself.
Finally: if one is scared about login unwanted attempts on a ssh server
he or she has a problem with password policy. Around here access is
restricted to a single machine in order to facilitate administration,
users are forced to reasonably strong passwords, and iptables as well as
sshd block after several failed login attempts. IMHO this is sufficient
in almost any but the most paranoid environments.

Günther
.

Relevant Pages

  • Re: SSH login automation, get stuck at the last step.
    ... The ssh server that I am copying the public key to is not a typical ... The user "root" to login this box can not access the ... puts stderr "EXP username requested and sent " ...
    (comp.lang.tcl)
  • Need al little AAA authentication help....
    ... I am trying to get my switch to authenticate against the local database ... upon login with ssh. ... SSH, the local database, and AAA are all setup: ... aaa authentication enable default enable ...
    (comp.dcom.sys.cisco)
  • Re: sshd handing all authentication to shell
    ... >I would like to use SSH for transport only into an embedded device. ... >login/password authentication but since it is using SSH for transport, ... You don't state what SSH server you're planning to use, ... I believe that in principle a client should be able to request ...
    (comp.security.ssh)
  • Re: Need al little AAA authentication help....
    ... upon login with ssh. ... aaa authentication enable default enable ... would refer to the local database or locally configured username ...
    (comp.dcom.sys.cisco)
  • Re: Enabling telnet, ftp, pop3 for root...
    ... if you allow root login without ... Where did I say ANYTHING about not using authentication. ... If you dissallow direct root login, ... The ssh account is only used for remote login. ...
    (alt.os.linux)