From: Nix on
On Mon, 16 Jan 2006, alexd stated:
> then it's probably not outside the bounds of probability that one could
> mount an scp or sftp connection, with a similar bit of userspace code.

Like, say, the sshfs FUSE module? :)

> course, you can always tunnel NFS inside SSH:
>
> http://www.math.ualberta.ca/imaging/snfs/

See also SFS, <http://fs.net/>, for a secure variant of NFS with a
unified global filesystem (with a remarkably unpleasant naming
convention for directories).

--
`Logic and human nature don't seem to mix very well,
unfortunately.' --- Velvet Wood
From: Martin Gregorie on
alexd wrote:
> Martin Gregorie wrote:
>
>> alexd wrote:
> [Port knocking] is Security By Obscurity, version 2.1 ;-)
>
Yes, it is, rather, isn't it? Quite ingenious, though. Probably unusable
with an ADSL router unless you've got one that's fancy enough to send
its access log to a server, though.

> Probably overkill in most cases.
>
Sure, but I can see uses for it all the same: could be useful for the
traveling consultant needing to call home.

--
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
From: Martin Gregorie on
usenet(a)isbd.co.uk wrote:
> Martin Gregorie <martin(a)see.sig.for.address> wrote:
>> Chris Croughton wrote:
>>> Yes, I use ssh over the Internet and I don't use that file, because the
>>> whole point is that I need to be able to get into my machine from places
>>> where I don't know the IP address (in some cases, via machines using
>>> dialup connections where the IP address isn't even the same each time I
>>> connect). As far as I can see by its nature it only allows connection
>>> from individual hosts, not even a range, and so is useless to me.
>>>
>> I quite see your reasoning, and why it would not work for you. Did you
>> try wild carding it? The manpages mention this facility, but don't
>> explain how a given public key could apply to, say, all the hosts
>> implied by *.smith.org or by 111.222.333.* - I see some confusion there!
>>
>> However, I want to solve the reverse problem and create an exceedingly
>> narrow window where only one or two known hosts would be allowed in for
>> remote sysadmin and this technique looks as if it matches my requirement.
>>
> Surely even a fairly simple firewall can be set up to allow only
> certain hosts to access your system using specific ports.
>
Only with a permanently forwarded port and a white list on the server.
I'm just mildly paranoid about spoofing and the use of ssh_known_hosts
should prevent that.

--
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
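As an added example (not code from anyone in this thread), here is a small Python matcher for the wildcard host patterns that OpenSSH accepts in known_hosts files, which the quoted exchange above asks about: comma-separated patterns, `*` and `?` wildcards, `!` negation, and the `[host]:port` form for non-standard ports. The sample file and its placeholder keys are constructed; hashed (`|1|...`) entries are skipped because they need an HMAC comparison rather than pattern matching.

```python
import re
from typing import List, Tuple

# Constructed sample ssh_known_hosts; the key strings are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# trusted hosts for the smith.org domain, except the mail relay
*.smith.org,!mail.smith.org ssh-rsa AAAAB3placeholderA== smith-hosts
111.222.0.* ssh-ed25519 AAAAC3placeholderB== lab-net
[bastion.example.org]:2222 ssh-ed25519 AAAAC3placeholderC== bastion
"""


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # OpenSSH patterns know only '*' (any run) and '?' (one char); all else is literal,
    # so '.' and '[' in addresses and bracketed host:port forms must be escaped.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_matches(pattern_list: str, host: str) -> bool:
    """True if host matches the comma-separated list. A matching negated
    pattern rejects the whole line; a negation alone never matches positively."""
    positive = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if _pattern_to_regex(pat[1:]).match(host):
                return False
        elif _pattern_to_regex(pat).match(host):
            positive = True
    return positive


def lookup(known_hosts: str, host: str, port: int = 22) -> List[Tuple[str, str]]:
    """Return (keytype, key) pairs whose host patterns apply to host:port."""
    name = host if port == 22 else f"[{host}]:{port}"
    found = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments, @cert-authority / @revoked markers not handled here
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue  # malformed or hashed entry
        if host_matches(fields[0], name):
            found.append((fields[1], fields[2]))
    return found
```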
From: Martin Gregorie on
Toby Inkster wrote:
> Martin Gregorie wrote:
>
>> There are TWO known_hosts files.
>> ~/.ssh/known_hosts
>> This works like you describe and automatically collects the keys for the
>> hosts you connect to with your ssh client.
>> /etc/ssh/known_hosts
>> This is optional and used by sshd. If it is present it restricts the
>> hosts that sshd will accept connections from.
>
> Not sure which version of SSH you're using, but my "man sshd" lists only
> these two known_hosts files:
>
> /etc/ssh/ssh_known_hosts
> $HOME/.ssh/known_hosts
>
> The former acting the same as the latter, but read-only, and for all users
> on the system rather than just one. To restrict which hosts may log in, my
> "man sshd" recommends:
>
> /etc/hosts.allow
> /etc/hosts.deny
>
Interesting. Mine says pretty much the opposite, but it does rather lump
hosts.allow|deny in with hosts.equiv as well as saying that sshd will
use the public key in ssh_known_hosts to permit access. What it doesn't
say explicitly is that a key non-match will forbid access, but I can't
see why sshd should even glance at the public key if it doesn't reject
non-matches.

--
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
From: John Phillips on
On 2006-01-16, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
> On 15 Jan 2006, John Phillips whispered secretively:
>> On 2006-01-15, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
>>> The vast majority of attacks on SSH are attacks on bad passwords; I've
>>> had some twit trying for most of today and yesterday, four or five
>>> requests a second...
>>
>> I saw a lot of that until I throttled back the allowable connection
>> rate with iptables.
>
> What a good idea. I'll have to do that here.
>
>> Probably not much extra security, if any, but they
>> generally go away now after a very small number of attempts.
>
> It'll stop them hogging my line (a whole 1.5Kb/s of bandwidth, ooh, I'm
> dying; but there's nothing stopping them trying faster, especially once
> 2.6.16 comes out, with a patch that should double the speed of my
> firewall
> (<http://user-mode-linux.sourceforge.net/work/current/2.6/2.6.15-rc6/patches/softints>)...)

Well I did put the limit in place originally as a general SYN flood
protection rule in the firewall, but it does keep the crackers away as
a side-effect.

--
John Phillips
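The thread's answer to password-guessing is to throttle connections with iptables; as an added example (not from any poster here), this Python snippet shows the log side of the same problem, flagging source addresses whose failed-password attempts exceed a threshold inside a sliding time window, so the burst rate Nix describes becomes visible from sshd's own log lines. The auth.log lines are constructed, and the year is assumed to be 2006 because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterator, Tuple

# Constructed sample auth.log excerpt (syslog format); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 16 10:00:00 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Jan 16 10:00:00 host sshd[1203]: Failed password for root from 203.0.113.7 port 40012 ssh2
Jan 16 10:00:01 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 40013 ssh2
Jan 16 10:00:01 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 40014 ssh2
Jan 16 10:00:01 host sshd[1209]: Failed password for root from 203.0.113.7 port 40015 ssh2
Jan 16 10:00:05 host sshd[1211]: Accepted publickey for martin from 198.51.100.9 port 51234 ssh2
Jan 16 10:07:30 host sshd[1250]: Failed password for martin from 198.51.100.9 port 51240 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log: str, year: int = 2006) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_bruteforce(log: str, threshold: int = 4, window_seconds: int = 10) -> Dict[str, int]:
    """Return {source_ip: peak failures seen within any window} for IPs at or
    above threshold. A per-IP deque holds only timestamps inside the window."""
    windows = defaultdict(deque)
    peaks: Dict[str, int] = defaultdict(int)
    for ts, _user, ip in parse_failures(log):
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts older than the window
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 10s")
```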