Re: Somebody keeps trying to ssh into my systems, how can I stop that?



Joel Shea wrote:

left_coast wrote:
Joel Shea wrote:

The challenge/response nature of public key authentication would
mitigate any attempt at a MITM attack on SSH itself. Although, it
could allow an attacker to circumvent port knocking and give them an
open port.

How? Be specific. All port knocking does is OPEN a port. Since I change
my pass sequence EVERY TIME, anyone can read what I have sent as much as
they want; it is invalid as soon as it is used, so of no use to ANYONE. A
MITM attack would be a concern of the SSH user, not a port knocking user.


I've been misquoted here; I _did_ mention that it would depend
entirely on how port knocking was implemented, as some methods are more
sound than others. Since I don't know specifically how 'your'
particular port knocking method is implemented, I'm not in any position
to comment on how secure it is, hence its "obscurity".

Also, what is preventing some malicious user from
intercepting/hijacking your pass sequence _before_ it has reached its
destination, and using it for themselves?

It would ONLY get them an OPEN PORT. The login would STILL need to be
hacked. Simple RSA authentication for SSH and it is a DEAD END. That said,
they would STILL need to know that I AM port knocking AND be able to
determine what is or is not in the sequence. Not an easy task. How would
they know to stop the first packet? It is only a connection request; if
they stop the packet, they could be disrupting a legitimate
connection... Again, leaving an ssh port open for EVERYONE in the world to
try to hack is far worse in my opinion. To be able to intercept anything or
use a MITM attack the person has to be in one of 15 (AT MOST) physical
locations in the world. Most of those locations are in ISPs that have
hardware and policies that are designed to prevent such attacks. To try to
discredit the technology based on such remote chances is not valid. It
would be a bit like saying RSA is not valid because someone might actually
get the key on the first guess. It is a possibility but not at all
probable. As I have said, there is a difference between perfect and GOOD
ENOUGH TO DO THE JOB. Port knocking takes the possibility of brute force
from anyone anywhere on the internet down to only a very small handful who
can get into a location, and have the technology, privacy and TIME to
defeat the system; a valid security measure.


Just some food for thought.

Yes, but that still does not discredit the technology, and the possibility
you raise is so remote, can be protected against so easily, and is not that
easy to implement, that it is doubtful anyone ANYWHERE is trying to do it,
much less in one of the 15 (OR LESS) locations where it is even a
possibility they can try. Other conditions, such as the state of the
technology in ISPs, the privacy in the ISP for someone to set up and leave
the technology, the ability to distinguish a part of the knock sequence
from all the other connections on the network... make it so improbable that
anyone can be successful as to put it in the category of saying that
someone could just GUESS an RSA key on the first try (possible but
prohibitively improbable).


Joel.

--
Still waiting for a rational answer from Bittwister to this:
<nfqlo3-qds.ln1@xxxxxxxxxxxxxxxxxxxx>.
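What left_coast describes above, a knock sequence that changes every time so that a captured sequence is worthless to whoever sniffed it, can be made concrete with a small simulation. The following is an added example written for this page, not the poster's actual setup and not the code of any port-knocking tool; it assumes a shared secret, a counter that both sides advance, and four knocks derived by HMAC-SHA256 from that counter (all of that is an assumption for illustration). It shows a legitimate knock being accepted, an attacker's replay of the very same sequence being refused, and the next counter value producing an unrelated sequence. The only thing a successful knock buys is an open port; sshd's own key authentication still stands behind it, exactly as the post says.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this constructed example (not from the thread):
# four knocks per sequence, each on a port in the high range below.
KNOCK_COUNT = 4
PORT_LOW, PORT_HIGH = 10000, 60000


def knock_sequence(secret: bytes, counter: int) -> list[int]:
    """Derive the knock sequence for one counter value from the shared secret.

    Each 2-byte chunk of HMAC-SHA256(secret, counter) is mapped onto a port in
    [PORT_LOW, PORT_HIGH). An observer who captures one sequence cannot derive
    the next one without the secret, so "reading what I have sent" gains them
    nothing once the sequence has been used.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW
    return [
        PORT_LOW + (struct.unpack(">H", mac[i:i + 2])[0] % span)
        for i in range(0, 2 * KNOCK_COUNT, 2)
    ]


class KnockServer:
    """Simulated knock daemon: opens the port only for a fresh, unused sequence."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.counter = 0            # lowest counter value still accepted
        self.window = window        # tolerate a few knocks that never arrived
        self.opened_for: list[int] = []

    def receive(self, observed: list[int], source_ip: str) -> bool:
        """Return True (and 'open the port' for source_ip) on a valid sequence."""
        if len(observed) != KNOCK_COUNT:
            return False
        obs = struct.pack(f">{KNOCK_COUNT}H", *observed)
        for c in range(self.counter, self.counter + self.window):
            exp = struct.pack(f">{KNOCK_COUNT}H", *knock_sequence(self.secret, c))
            # constant-time comparison so the daemon leaks nothing about
            # which knock mismatched
            if hmac.compare_digest(exp, obs):
                # Burn this and every earlier sequence: a replay of what the
                # attacker sniffed is now just noise on closed ports.
                self.counter = c + 1
                self.opened_for.append(source_ip)
                return True
        return False


def demo() -> tuple[bool, bool, bool]:
    """Legitimate knock, attacker replay of the same knock, next legitimate knock."""
    secret = b"constructed-shared-secret"      # constructed sample secret
    server = KnockServer(secret)

    seq0 = knock_sequence(secret, 0)
    first = server.receive(seq0, "203.0.113.5")      # real client, counter 0
    replay = server.receive(seq0, "198.51.100.9")    # sniffer replays seq0
    seq1 = knock_sequence(secret, 1)
    second = server.receive(seq1, "203.0.113.5")     # real client, counter 1
    return first, replay, second


if __name__ == "__main__":
    print(demo())        # (True, False, True)
```

The window of three counters is the usual trade-off for counter-based one-time schemes: a knock that is lost in transit does not lock the client out, but once a value is consumed everything at or below it is dead, so the attacker's replay fails even though the daemon saw those exact ports seconds earlier. Knowing the ports still only reaches the point where sshd asks for a key.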