[geeks] SSH Scans Increasing

Phil Stracchino alaric at metrocast.net
Thu Aug 21 08:16:20 CDT 2008


Sheldon T. Hall wrote:
> Phil Stracchino said ...
> 
>> I haven't seen it.  But then, I got so sick of ssh-dictionary-scanning
>> script kiddies filling up my logs day after day, week after week, month
>> after month, and have so few non-local users, that I implemented a
>> whitelist-only pf rule for SSH and FTP connections.
>>
>> Currently I'm pondering the best means to allow users with existing
>> accounts and known SSH keys to remotely authorize new IPs for 
>> themselves.
> 
> I got tired of the script-kiddies, too.  I contemplated moving the SSH
> service to a non-standard port, but this complicated access for one of my
> primary remote-access users, so I couldn't.  I whitelisted the secure
> network he'd be calling from, and, for everyone else, I set up a kind of
> ghetto port-knocking arrangement.  You'd hit a particular high-numbered port,
> which grabbed your IP address but didn't reply, and a script kicked off by
> the connection would put that IP address in the whitelist for the SSH port.
> It was a bit of "security by obscurity" but it worked great.

I was thinking of something along those lines.  Connect to a specific
port, send your SSH key fingerprint.  If the fingerprint matches your
public key already on the system, your IP is whitelisted.

If I wanted to make it more secure, I'd make it "send your IP encrypted
with your SSH key".  If it can be decrypted with your ssh pubkey on
record, and matches the IP you connected from, that IP is whitelisted.


-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.
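Editor's note with an added example (not code from Phil, Sheldon or the list). The two schemes above differ more than "a bit more secure": a key fingerprint is derived from the public key, so anyone who has seen the key (it is published in the clear by every SSH server and on plenty of web pages) can send it and get their own IP whitelisted. "Encrypt with the private key, check with the public key on record" is a digital signature, and the knock also needs the source IP and a timestamp inside the signed data, or a captured knock can be replayed from another address. The Python below shows both knock handlers over a real authorized_keys parser; it assumes a pf table named sshwhite, a knock message format of its own invention, and a constructed toy RSA key built from two public Mersenne primes so the test runs offline. The signature is raw PKCS#1 v1.5 over SHA-256 done with the standard library (OpenSSH's own signature envelope is not reproduced); for production, have the client run ssh-keygen -Y sign and the daemon ssh-keygen -Y verify (OpenSSH 8.2 and later) instead of hand-rolling RSA.

```python
# Knock daemon logic for "prove you hold a key in authorized_keys, get your IP
# whitelisted".  Added example; table name, message format and key are assumed.
import base64
import hashlib
import hmac
import struct

PF_TABLE = "sshwhite"  # assumed: pf.conf has "table <sshwhite> persist"

# --- OpenSSH public-key wire encoding (RFC 4253 section 5 string/mpint) ---
def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x):  # big-endian, leading zero byte when the high bit is set
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def ssh_read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_rsa_pub(blob):
    """Return (e, n) from an 'ssh-rsa' public-key blob."""
    ktype, off = ssh_read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    e_bytes, off = ssh_read_string(blob, off)
    n_bytes, off = ssh_read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def fingerprint(blob):
    """Same form as 'ssh-keygen -lf': SHA256:<unpadded base64 of sha256(blob)>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def authorized_keys_line(blob, comment):
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def load_authorized_keys(text):
    """Map fingerprint -> key blob; comment lines and option-prefixed lines are skipped."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:  # parts[1] was a key type, i.e. an options field came first
            continue
        keys[fingerprint(blob)] = blob
    return keys

# --- Variant 1: the knock carries only the fingerprint (weak: fingerprints are public) ---
def handle_fingerprint_knock(keys, src_ip, message):
    return src_ip if message.strip() in keys else None

# --- Variant 2: the knock is signed.  PKCS#1 v1.5 with SHA-256 (RFC 8017 9.2). ---
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(e, n, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))

def handle_signed_knock(keys, src_ip, message, now, max_skew=60):
    """Assumed format: '<fingerprint> <ip> <unix-time> <base64 sig over "<ip> <unix-time>">'.
    The IP binding stops a knock replayed from elsewhere; the timestamp bounds replay."""
    try:
        fp, ip, ts, sig_b64 = message.split()
        ts, sig = int(ts), base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return None
    blob = keys.get(fp)
    if blob is None or ip != src_ip or abs(now - ts) > max_skew:
        return None
    e, n = parse_rsa_pub(blob)
    return src_ip if rsa_verify(e, n, f"{ip} {ts}".encode(), sig) else None

def pf_whitelist_cmd(ip, table=PF_TABLE):
    """argv the daemon would pass to subprocess (no shell, so no quoting issues)."""
    return ["pfctl", "-t", table, "-T", "add", ip]

# --- Client side, plus a constructed toy key so the example runs offline ---
def rsa_sign(d, n, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def make_signed_knock(blob, d, ip, now):
    _, n = parse_rsa_pub(blob)
    sig = rsa_sign(d, n, f"{ip} {now}".encode())
    return f"{fingerprint(blob)} {ip} {now} {base64.b64encode(sig).decode()}"

def toy_rsa_keypair():
    """Demo key from two PUBLIC Mersenne primes: exercises the code, secures nothing."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n), d
```

Usage: a UDP listener that never replies (so the knock port stays invisible to scanners) hands each datagram and its source address to handle_signed_knock and, on a non-None result, runs pf_whitelist_cmd through subprocess; expire table entries with pfctl -T expire or a cron job so a whitelisted coffee-shop address does not stay open forever.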


