On December 3, 2008, Steve wrote:
> I have, in the past, used DSA-only keys - but this was frustrating on
> several occasions when I wanted access to my server and didn't have my
> SSH keys available to me... I almost always connect using a key pair
> rather than a password - but the password option is very useful to allow
> me to get hold of my SSH keys in the first place in some environments.
> If I found a distributed attack on a valid user name, for example, I'd
> consider this a critical change - however inconvenient.
Get yourself some portable Linux device capable of either a USB, ethernet or wifi connection (OpenMoko, Nokia NXXX, etc.), put your keys there - and voila, you've got yourself both a secure terminal and key storage in one box. I would be highly suspicious of initiating an SSH connection to my servers from an untrusted box (which is any box not built and maintained by me ;) ), as there is a chance of a keylogger (no matter how friendly the owner of said box is - you don't know whether he hasn't been hacked, and you have no time for even casual checking).

You can use a variation of port-knocking and reverse your strategy based on the pattern:

1. drop the first connection from a given IP and record it in a "first_try" table
2. drop the second connection from that IP and record it in a "second_try" table
3. if the IP is in both first_try and second_try - allow it to attempt authentication, but only with keys (removing it from the *_try tables and possibly recording it in a whitelist)
4. if the IP fails X number of attempts within a specified timeframe - remove it from the whitelist and record it in a blacklist

A bit tricky logic, but fairly simple to implement (I use *BSD PF, so no ready recipe for iptables here ;) ). A bit paranoid, but it covers your initial concern with distributed attacks and single attempts. You can further collect older entries from first_try into the blacklist and do whatever you please with them. You can also collect high-frequency attempts into the blacklist and end up with a very big blacklist you can sell off on eBay :)

P.S. I actually don't do any of the above. It was just a surge of creative paranoia in response to the initial request :)

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
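The four-step table logic described in Dmitry's post, as an added example that is not part of the original thread or of any PF ruleset: a plain-Python simulation of the state machine (first_try, second_try, whitelist, blacklist, failure window, and the "sweep stale knocks into the blacklist" idea). The class name, the thresholds, and the sample IPs and timestamps are all assumptions constructed for this illustration; a real deployment would drive PF or iptables tables from these decisions rather than returning strings.

```python
"""Simulation of the staged 'two dropped connects, then key-only auth' scheme.

Hypothetical example code: the table names mirror the PF tables named in the
post, but nothing here touches a real firewall. Timestamps are plain floats.
"""
from collections import defaultdict, deque

DROP = "drop"
KEYS_ONLY = "allow (key auth only)"


class KnockGate:
    """Tracks per-IP state for the four steps in the post (assumed names)."""

    def __init__(self, max_failures=3, fail_window=600.0, stale_after=3600.0):
        self.max_failures = max_failures    # "X attempts" in step 4
        self.fail_window = fail_window      # "specified timeframe" in step 4
        self.stale_after = stale_after      # age at which an unfinished knock is stale
        self.first_try = {}                 # ip -> time of first dropped connect
        self.second_try = {}                # ip -> time of second dropped connect
        self.whitelist = set()
        self.blacklist = set()
        self.failures = defaultdict(deque)  # ip -> timestamps of failed key auths

    def connect(self, ip, now):
        """Decide what to do with an inbound SSH connect from ip at time now."""
        if ip in self.blacklist:
            return DROP
        if ip in self.whitelist:
            return KEYS_ONLY
        if ip not in self.first_try:        # step 1
            self.first_try[ip] = now
            return DROP
        if ip not in self.second_try:       # step 2
            self.second_try[ip] = now
            return DROP
        # step 3: present in both tables -> promote, clear the *_try entries
        del self.first_try[ip]
        del self.second_try[ip]
        self.whitelist.add(ip)
        return KEYS_ONLY

    def auth_failed(self, ip, now):
        """Step 4: X failures inside fail_window moves ip from whitelist to blacklist.

        Returns True when the ip has just been blacklisted.
        """
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.fail_window:   # forget old failures
            q.popleft()
        if len(q) >= self.max_failures:
            self.whitelist.discard(ip)
            self.blacklist.add(ip)
            q.clear()
            return True
        return False

    def sweep(self, now):
        """Move knocks that never completed (older than stale_after) into the blacklist.

        This is the post's 'collect older entries from first_try into blacklist'.
        Returns the sorted list of IPs moved.
        """
        moved = set()
        for table in (self.first_try, self.second_try):
            for ip, ts in list(table.items()):
                if now - ts > self.stale_after:
                    del table[ip]
                    self.blacklist.add(ip)
                    moved.add(ip)
        return sorted(moved)


# Constructed sample timeline (not real traffic): an admin completing the three
# connects, and a single-shot scanner that never returns.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "connect"),      # admin, knock 1 -> drop
    (5.0, "203.0.113.7", "connect"),      # admin, knock 2 -> drop
    (10.0, "203.0.113.7", "connect"),     # admin, 3rd -> key auth allowed
    (12.0, "198.51.100.9", "connect"),    # scanner, one attempt -> drop
    (4000.0, "-", "sweep"),               # scanner entry is stale -> blacklist
    (4001.0, "198.51.100.9", "connect"),  # drop, now blacklisted
]


def simulate(events, gate=None):
    """Run a list of (time, ip, kind) events through a gate; return decisions."""
    gate = gate or KnockGate()
    log = []
    for t, ip, kind in events:
        if kind == "connect":
            log.append((t, ip, gate.connect(ip, t)))
        elif kind == "auth_fail":
            log.append((t, ip, "blacklisted" if gate.auth_failed(ip, t) else "failure noted"))
        elif kind == "sweep":
            log.append((t, ip, "swept: " + ",".join(gate.sweep(t))))
    return log


if __name__ == "__main__":
    for entry in simulate(SAMPLE_EVENTS):
        print(entry)
```

Two caveats a practitioner would add: the scheme only gates who may reach sshd, so key-only authentication in sshd_config still does the real work; and the stale sweep will blacklist your own address if you knock once and walk away, so keep stale_after well above your own knock interval and give yourself a way to clear the table out-of-band.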