From: alexd on 16 Jan 2006 03:00

Martin Gregorie wrote:
> alexd wrote:
>
> Thanks for the quick overview.
>
>> SSH is great when you want a quick connection that just works without too
>> much messing about. You can get shell access, copy a few files with scp,
>> etc etc.
>
> The ssh-based network filing system sounds useful too, though
> I haven't seen it yet.

Well you have, it's called sftp. To be honest, if one can mount a Gmail account:

http://richard.jones.name/google-hacks/gmail-filesystem/gmail-filesystem.html

then it's probably not outside the bounds of probability that one could mount an scp or sftp connection, with a similar bit of userspace code. Of course, you can always tunnel NFS inside SSH:

http://www.math.ualberta.ca/imaging/snfs/

--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
07:55:36 up 12:10, 2 users, load average: 0.39, 0.34, 0.29
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK
From: usenet on 16 Jan 2006 04:15

Chris Croughton <chris(a)keristor.net> wrote:
> On Sun, 15 Jan 2006 10:03:43 +0000, Martin Gregorie
> <martin(a)see.sig.for.address> wrote:
>
> > Both files are described in the ssh and sshd manpages. Sheesh. I think
> > I'm giving out more information than I'm receiving. Doesn't anybody else
> > use ssh over the Internet and if not, why not and what do you use instead?
>
> Yes, I use ssh over the Internet and I don't use that file, because the
> whole point is that I need to be able to get into my machine from places
> where I don't know the IP address (in some cases, via machines using
> dialup connections where the IP address isn't even the same each time I
> connect). As far as I can see by its nature it only allows connection
> from individual hosts, not even a range, and so is useless to me.
>

What I do is to use a remote ssh account I have as a 'staging post'. My home machine *only* allows a few known hosts to connect using ssh. One of these allowed hosts is a machine where I have an ssh login account; that machine allows ssh access from anywhere. Given that their security etc. is probably better than mine (it's part of their job) this seems a reasonable compromise to me.

--
Chris Green
From: usenet on 16 Jan 2006 04:16

Martin Gregorie <martin(a)see.sig.for.address> wrote:
> Chris Croughton wrote:
> >
> > Yes, I use ssh over the Internet and I don't use that file, because the
> > whole point is that I need to be able to get into my machine from places
> > where I don't know the IP address (in some cases, via machines using
> > dialup connections where the IP address isn't even the same each time I
> > connect). As far as I can see by its nature it only allows connection
> > from individual hosts, not even a range, and so is useless to me.
> >
> I quite see your reasoning, and why it would not work for you. Did you
> try wildcarding it? The manpages mention this facility, but don't
> explain how a given public key could apply to, say, all the hosts
> implied by *.smith.org or by 111.222.333.* - I see some confusion there!
>
> However, I want to solve the reverse problem and create an exceedingly
> narrow window where only one or two known hosts would be allowed in for
> remote sysadmin and this technique looks as if it matches my requirement.
>

Surely even a fairly simple firewall can be set up to allow only certain hosts to access your system using specific ports.

--
Chris Green
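An added illustration, not code from this thread or from OpenSSH, of how a from= option in authorized_keys lets one public key cover a whole set of hosts: sshd checks the client's IP address and (when it resolves) its canonical hostname against a comma-separated pattern list with `*` and `?` wildcards and `!` negations. The matcher below is a simplified re-implementation of those rules (no CIDR support); the authorized_keys line, hostnames and addresses are constructed.

```python
import re

# Constructed authorized_keys entry; the key blob is a placeholder, not a real key.
AUTHORIZED_KEYS_LINE = (
    'from="*.smith.org,!badhost.smith.org,192.0.2.*" '
    'ssh-rsa AAAAB3...PLACEHOLDER... martin@home'
)

def from_option(line):
    """Return the pattern list inside a from="..." option, or '' if there is none."""
    m = re.search(r'(?:^|,)from="([^"]*)"', line)
    return m.group(1) if m else ""

def match_pattern(value, pattern):
    """Case-insensitive glob with only '*' and '?' wildcards (sshd's match_pattern rules)."""
    v, p = value.lower(), pattern.lower()
    if not p:
        return not v
    if p[0] == "*":
        # '*' may absorb zero or more characters, so try every split point
        return any(match_pattern(v[i:], p[1:]) for i in range(len(v) + 1))
    if not v or (p[0] != "?" and p[0] != v[0]):
        return False
    return match_pattern(v[1:], p[1:])

def match_pattern_list(value, pattern_list):
    """1 if a positive pattern matches, -1 if a negated ('!') one does, else 0.
    A negated match wins immediately, as it does in sshd."""
    result = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if match_pattern(value, pat[1:] if negated else pat):
            if negated:
                return -1
            result = 1
    return result

def key_allowed_from(hostname, ip, pattern_list):
    """Apply the from= rule: either the canonical hostname or the IP must match,
    and a negated match on either side denies the key outright."""
    by_host = match_pattern_list(hostname, pattern_list)
    by_ip = match_pattern_list(ip, pattern_list)
    if by_host < 0 or by_ip < 0:
        return False
    return by_host > 0 or by_ip > 0

if __name__ == "__main__":
    patterns = from_option(AUTHORIZED_KEYS_LINE)
    for host, ip in [("alpha.smith.org", "198.51.100.4"), ("badhost.smith.org", "192.0.2.9"),
                     ("pc7.example.net", "192.0.2.7"), ("pc8.example.net", "203.0.113.8")]:
        print(host, ip, "allowed" if key_allowed_from(host, ip, patterns) else "denied")
```

Hostname matching only helps when sshd can reverse-resolve the client address, so a pure-IP pattern is the one to rely on for a narrow sysadmin window.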
From: Nix on 16 Jan 2006 05:16

On Sun, 15 Jan 2006, Tony van der Hoff wrote:
> Nix <nix-razor-pit(a)esperi.org.uk> wrote in message
> <87mzhxgync.fsf(a)amaterasu.srvr.nix>
>
>> I'd say turn PasswordAuthentication off, too. Stick with key-based
>> authentication only.
>>
> Depends on your requirements. Sometimes you can't set keys - I certainly
> wouldn't want to accidentally leave one on a Customer's box.

Make a temporary key and revoke it when you're done.

> Key-based
> authentication PLUS passwords (provided they're strong ones) works fine.

i.e., passphrased keys? Yes, that's fine, but that's not password authentication, it's still wholly public key-based :)

>> Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from
> 208.187.226.110
>> Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from
> 208.187.226.110
> [snip]
>
> No, he's not made it into my blocklist - yet.

I was assuming that the IP was from some machine in a botnet, but perhaps not. I guess if it was botnetted I'd probably see requests from all over the shop.

> Indeed; they first have to guess a username; then they have to guess a valid
> password :( It's a wonder they achieve anything, and can only be evidence of
> a preponderance of poorly-administered sites out there...

Oh boy yes. `cisco/cisco'... although random English names is a bit of a sign of desperation, they also tried things like `root', `administrator', even `postgres', which gave me a second's pause because I have a user of that name, and they tried it about a second after I'd sshed to `postgres' on one of my machines...

> Which is why I employ a blocklist script; I enjoy seeing this:
>
> Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd
> from 207.36.86.64 port 49575 ssh2
> Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap
> from 207.36.86.64 port 49762 ssh2
> Jan 15 12:10:01 tony-lx sshd: refused connect from
> 207-36-86-64.ptr.primarydns.com (207.36.86.64)
>
> Zap!

Ah, but if you let them keep battering on a wall they can't get through, while they're wasting their time with you that's one less potentially-vulnerable site they can attack. It's a tarpit.

--
`Logic and human nature don't seem to mix very well, unfortunately.'
  --- Velvet Wood
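As an added example, written for this page and not taken from any poster's script, here is a small blocklist routine of the kind Tony and Nix describe: it parses sshd's `Invalid user` and `Failed password` lines, counts failures per source address, and renders tcp_wrappers hosts.deny entries (the mechanism behind the `refused connect` line above) for sources at or above a threshold. The first four log lines are the thread's own, the last two are constructed, and the threshold of three is an assumption.

```python
import re
from collections import Counter, defaultdict

# Sample sshd log: the first four lines are the ones quoted in the thread; the
# last two are constructed (one more guess from 207.36.86.64, and a single
# failure from another address that should stay below the threshold).
SAMPLE_LOG = """\
Jan 15 15:23:17 esperi info: sshd[11806]: Invalid user molly from 208.187.226.110
Jan 15 15:23:19 esperi info: sshd[11808]: Invalid user molly from 208.187.226.110
Jan 15 12:09:52 tony-lx sshd[18346]: Failed password for invalid user brd from 207.36.86.64 port 49575 ssh2
Jan 15 12:10:00 tony-lx sshd[18365]: Failed password for invalid user ap from 207.36.86.64 port 49762 ssh2
Jan 15 12:10:03 tony-lx sshd[18370]: Failed password for root from 207.36.86.64 port 49800 ssh2
Jan 15 12:11:00 tony-lx sshd[18401]: Failed password for tony from 198.51.100.20 port 50112 ssh2
"""

# Matches "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<invalid>\S+)"
    r"|Failed password for (?:invalid user )?(?P<user>\S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(log_text):
    """Yield (source_ip, username) for every failed-login line in the log."""
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("invalid") or m.group("user")

def block_candidates(log_text, threshold=3):
    """Map each source with at least `threshold` failures to the usernames it tried."""
    failures = Counter()
    users = defaultdict(set)
    for ip, user in parse_failures(log_text):
        failures[ip] += 1
        users[ip].add(user)
    return {ip: sorted(users[ip]) for ip, n in failures.items() if n >= threshold}

def hosts_deny_lines(candidates):
    """Render tcp_wrappers /etc/hosts.deny entries (daemon: client) for the candidates."""
    return [f"sshd: {ip}" for ip in sorted(candidates)]

if __name__ == "__main__":
    blocked = block_candidates(SAMPLE_LOG)
    for ip, names in blocked.items():
        print(f"{ip}: tried {', '.join(names)}")
    print("\n".join(hosts_deny_lines(blocked)))
```

With the default threshold only 207.36.86.64 qualifies; the two `molly` attempts from 208.187.226.110 stay below it, matching Tony's "not made it into my blocklist - yet".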
From: Nix on 16 Jan 2006 05:19

On 15 Jan 2006, John Phillips whispered secretively:
> On 2006-01-15, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
>> The vast majority of attacks on SSH are attacks on bad passwords; I've
>> had some twit trying for most of today and yesterday, four or five
>> requests a second...
>
> I saw a lot of that until I throttled back the allowable connection
> rate with iptables.

What a good idea. I'll have to do that here.

> Probably not much extra security, if any, but they
> generally go away now after a very small number of attempts.

It'll stop them hogging my line (a whole 1.5Kb/s of bandwidth, ooh, I'm dying; but there's nothing stopping them trying faster, especially once 2.6.16 comes out, with a patch that should double the speed of my firewall (<http://user-mode-linux.sourceforge.net/work/current/2.6/2.6.15-rc6/patches/softints>)...)

--
`Logic and human nature don't seem to mix very well, unfortunately.'
  --- Velvet Wood