Re: bruteforce ssh - SSH


Thread: Re: bruteforce ssh

  1. Re: bruteforce ssh

    Ricardo (Wed, 26 Oct 2005 10:59:30 +0200):
    > How can I block IP addresses that are trying a bruteforce attack on my server?
    > Is it possible?


    Use another authentication scheme than passwords. I recommend public
    key authentication. This doesn't only make bruteforce attacks
    impossible, but also man in the middle attacks.

    Regards.


    -----
    Public key "Ertugrul Soeylemez " (id: CE402012)
    Fingerprint: 0F12 0912 DFC8 2FC5 E2B8 A23E 6BAC 998E CE40 2012

    HKP: hkp://subkeys.pgp.net/
    LDAP: ldap://keyserver.pgp.com/
    HTTP: http://www.keyserver.de/

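
Added example, not part of any post in this thread: a small Python check that an sshd_config actually enforces the key-only login recommended in the reply above. It assumes the upstream defaults documented in sshd_config(5), reads only the global section (Match blocks are not evaluated), and the two sample configurations are constructed.

```python
# Added example: check the global section of an sshd_config for password-style logins.
# Defaults are the upstream ones documented in sshd_config(5); distributions may differ.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated alias that sshd maps onto the newer keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Resolve keywords the way sshd does: the first value obtained wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        fields = line.replace("=", " ", 1).split()
        keyword = ALIASES.get(fields[0].lower(), fields[0].lower())
        if keyword == "match":
            break  # Match blocks are conditional overrides; not evaluated here
        if len(fields) > 1:
            settings.setdefault(keyword, fields[1])
    return {k: settings.get(k, default) for k, default in DEFAULTS.items()}


def password_login_findings(config_text):
    """Return the keywords whose effective value works against key-only login."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication")
    if s["kbdinteractiveauthentication"] != "no":
        # keyboard-interactive can still carry password prompts, e.g. via PAM
        findings.append("KbdInteractiveAuthentication")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication")  # key logins are unavailable
    return findings


# Constructed samples, not taken from any real host.
WEAK = "PasswordAuthentication yes\nUsePAM yes\nPasswordAuthentication no\n"
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication=no\n"
            "ChallengeResponseAuthentication no\nUsePAM yes\n")

if __name__ == "__main__":
    print("weak:", password_login_findings(WEAK))
    print("hardened:", password_login_findings(HARDENED))
```

In the weak sample the later `PasswordAuthentication no` has no effect because the first value wins, which is the kind of mistake this check is meant to catch.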


  2. Re: bruteforce ssh

    >>>>> "ES" == Ertugrul Soeylemez writes:

    ES> Use another authentication scheme than passwords. I recommend
    ES> public key authentication. This doesn't only make bruteforce
    ES> attacks impossible

    Well, impractical.

    ES> but also man in the middle attacks.

    It's worth noting that the SSH transport protocol already provides the
    client MITM resistance -- and since the transport protocol normally
    encapsulates the authentication protocol, this protection applies
    regardless of the user authentication method employed (providing the
    requirements of the particular key exchange are met, e.g. the hostkey is
    properly verified). The publickey userauth method simply adds another
    instance of MITM protection, this time for the server.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: bruteforce ssh

    "Richard E. Silverman" (28 Oct 2005 02:23:25 -0400):
    > ES> Use another authentication scheme than passwords. I recommend
    > ES> public key authentication. This doesn't only make bruteforce
    > ES> attacks impossible
    >
    > Well, impractical.


    Let's call it 'practically impossible'. =P

    > ES> but also man in the middle attacks.
    >
    > It's worth noting that the SSH transport protocol already provides the
    > client MITM resistance -- and since the transport protocol normally
    > encapsulates the authentication protocol, this protection applies
    > regardless of the user authentication method employed (providing the
    > requirements of the particular key exchange are met, e.g. the hostkey is
    > properly verified). The publickey userauth method simply adds another
    > instance of MITM protection, this time for the server.


    Both ends are vulnerable until the first client connection has been
    made. Also as you stated, MITM-resistance is only on the client side.
    Someone can still hijack the channel from server to client, and that's
    bad. Even if Mallory couldn't manipulate anything, he's still able to
    sniff silently.


    -----
    Public key "Ertugrul Soeylemez " (id: CE402012)
    Fingerprint: 0F12 0912 DFC8 2FC5 E2B8 A23E 6BAC 998E CE40 2012

    HKP: hkp://subkeys.pgp.net/
    LDAP: ldap://keyserver.pgp.com/
    HTTP: http://www.keyserver.de/


