attack

David Hoffman dhoffman2004 at gmail.com
Mon May 9 16:23:31 UTC 2005


On 5/9/05, bruce <bedouglas at earthlink.net> wrote:
> it appears that most of the attacks are automated scripts..
> 
> so, given that ssh is open, what would be the downside of building in a kind
> of basic challenge-response/question system... much like what you have with
> Yahoo Groups/other sites...
> 
> since you can't distort some word, given the terminal nature of ssh, would
> it be possible to insert/force the user to answer some random question,
> prior to being able to attempt to log into the system??
> 

By the same token, you could use S/Key to create OTPs... one-time
passwords. Each time you try to log in, you would be presented with a
number or code, and since only you know how to translate that number
into the correct one-time password, you are the only one who will get
in. Next time you try, you get a different number and a different
password is required. Similarly, every time a hacker attempts to
connect, they would need a different password.

Another method, which I use whenever I can, is to authenticate with
keys. Unless someone gets hold of my private key file AND my
passphrase to decrypt it, they are not going to be able to log into
the system.

Some people mention moving the SSH port from 22 to some other number,
for example 2022. But that presents other problems. What happens if
you are in a corporate environment and network security left port 22
open for outbound SSH, but did not leave 2022 open? You don't connect.
But this is not a great solution for another reason: anyone who
port-scans your machine and finds port 2022 (or whatever other port you
used) can easily try to connect to it and determine that it is your
SSH daemon that is accepting the connections. Then they only have to
point their tool at your new port number and they keep trying to hack
you.

-- 

David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world,
those who understand binary, and those who don't.
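The S/Key-style challenge-response scheme the post describes, as an added example that is not part of the original message. It uses a SHA-256 hash chain rather than RFC 1760's 64-bit folded MD4, so it is not interoperable with real S/Key tools; the seed, passphrase and login count are constructed values. What it shows is the property the post relies on: the server stores only the top of the chain, each login consumes one link, a captured password cannot be replayed, and a guessed passphrase produces a link from a different chain.

```python
"""Lamport / S/Key-style one-time passwords (simplified, SHA-256 chain)."""
import hashlib
import secrets
from typing import Optional, Tuple


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Return the count-th link of the chain: h^count(seed || passphrase).

    This is what the user's calculator computes from the number shown at
    the login prompt; the server never sees the passphrase itself.
    """
    x = (seed + passphrase).encode()
    for _ in range(count):
        x = hashlib.sha256(x).digest()
    return x


class OtpServer:
    """Holds only the current top of the chain and the logins remaining."""

    def __init__(self, seed: str, count: int, top: bytes) -> None:
        self.seed = seed
        self.count = count   # number of logins left on this chain
        self.top = top       # h^count(x), supplied at enrollment

    def challenge(self) -> Optional[Tuple[int, str]]:
        """What the login prompt shows (count-1 and seed); None when used up."""
        if self.count < 1:
            return None
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff h(response) == stored top, then move the top down one link."""
        if self.count < 1:
            return False
        if not secrets.compare_digest(hashlib.sha256(response).digest(), self.top):
            return False
        self.top = response      # the accepted link becomes the new top
        self.count -= 1
        return True


def enroll(passphrase: str, seed: str, count: int) -> OtpServer:
    """Client-side setup: compute h^count once and hand only that to the server."""
    return OtpServer(seed, count, otp(passphrase, seed, count))


def demo() -> dict:
    """Two logins, one replay attempt and one wrong guess; returns the outcomes."""
    # Constructed values; a real seed would be random per enrollment.
    passphrase, seed = "correct horse battery", "fe0001"
    server = enroll(passphrase, seed, count=100)

    n, s = server.challenge()
    first = otp(passphrase, s, n)
    results = {"first_login": server.verify(first)}

    # An eavesdropper who sniffed `first` tries to reuse it: the top has moved.
    results["replay"] = server.verify(first)

    n2, s = server.challenge()
    results["next_count"] = n2
    results["second_login"] = server.verify(otp(passphrase, s, n2))

    # A scripted attacker guessing passphrases is on a different chain entirely.
    n3, s = server.challenge()
    results["wrong_passphrase"] = server.verify(otp("password123", s, n3))
    results["logins_left"] = server.count
    return results


if __name__ == "__main__":
    print(demo())
```

Once the count reaches zero the user must re-enroll with a fresh seed; a real deployment also has to stop an attacker from re-enrolling on the user's behalf, which is why S/Key setups do enrollment over an already-authenticated channel.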

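The point about a moved port being trivial to re-identify, as an added example that is not part of the original message: an SSH server announces itself with an identification line ("SSH-protoversion-softwareversion", RFC 4253 section 4.2) the moment a client connects, on whatever port it listens. The probe below reads that line and classifies the service; the daemon it talks to is a constructed stand-in on an ephemeral localhost port, and the banner text is a constructed sample, not output from any real host.

```python
"""Identify an SSH daemon on a non-standard port from its banner."""
import socket
import threading
from typing import Optional, Tuple

# Constructed sample banner in RFC 4253 form; not captured from a real host.
FAKE_BANNER = b"SSH-2.0-OpenSSH_3.9p1\r\n"


def parse_ssh_banner(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (protoversion, softwareversion) for an SSH identification line.

    Only the first line is considered; trailing comments after a space are
    dropped. Returns None for anything that is not an SSH banner (SMTP,
    HTTP, an empty read, ...).
    """
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return None
    # softwareversion may not contain "-" per the RFC, so maxsplit=2 is safe.
    parts = line.decode("ascii", "replace").split("-", 2)
    if len(parts) < 3 or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2].split(" ", 1)[0]


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[Tuple[str, str]]:
    """Connect, read whatever the service volunteers, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return parse_ssh_banner(data)


def fake_sshd() -> Tuple[str, int]:
    """Stand-in for a daemon moved off port 22: serves one banner per connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # kernel picks a free port, like an admin picking 2022
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> Tuple[int, Optional[Tuple[str, str]]]:
    """Start the stand-in on a random port and show the probe still finds it."""
    host, port = fake_sshd()
    return port, probe(host, port)


if __name__ == "__main__":
    port, ident = demo()
    print(f"port {port}: {ident}")   # e.g. port 51234: ('2.0', 'OpenSSH_3.9p1')
```

A scanner does exactly this across every open port it finds, which is why changing the port reduces log noise from scripts hard-wired to 22 but offers no protection against anyone who scans first.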



More information about the fedora-list mailing list