Way OT: SSH worries

Michael H. Warfield mhw at WITTSEND.COM
Mon Aug 16 22:04:16 IST 2004


On Mon, Aug 16, 2004 at 03:26:06PM -0500, Alex Neuman wrote:
> Reminds me of those "less filling vs. tastes great" deals. Why not both?
> I'm seriously considering:

> 1. Only having one account authorized to log in using SSH,

        Marginal.  Definitely prohibit root, though.

> 2. On an obscure port

        Worthless....  Being scanned for because the script kiddies
routinely do this for backdoors.  Nothing that is one chance in 65,536
qualifies as "obscure".

> 3. Using keys only (no passwords)

        AGREED!  Also, if you are RRREEEAAALLLYYY paranoid and a BOFH,
S/Key / OPIE.  A pain but worth it under the right circumstances.

> 4. From a specific number of locations with the same exact requirements.

        5) Restrict ssh to IPv6.

        Each IPv4 address has an entire IPv6 network assigned to it (6to4).
IPv6 is unscannable and (in the case of 6to4 - which is 6over4 with
autorouting IPv4 transport addresses) may be restricted on both the IPv4
and IPv6 layer.

        Why have ssh on IPv4 at all when you can armour it behind
a network with 65536 subnets of 16 billion billion host addresses each
and reach it from anywhere IPv4 is available (and from some places where
IPv4 isn't available or has failed - been there done that) and you
have to know that exact address or you get nothing!

        I even have servers that change their ssh access address every
15 minutes.  They update DNS through keyed DNS updates (TSIG) and the
deprecated addresses expire after two hours (TTL in DNS of only 1 hour)
if they are no longer in use.  To scan a single IPv6 subnet requires
(literally - I'm not joking) 16 billion billion probes and trivial EUI
addresses (::1) can be blocked by ip6tables for ICMP so it can't be
"error probed" either.

        You need protocol 41 (ipv6) [6over4 - IPv6 over IPv4] routable
or set up your own tunnels but I've found this to be trivial to do and
impossible to prevent.  First thing I do, wherever I go, even driving
down the road with 3G cellular, is to fire up my IPv6 connectivity and
it just doesn't go down...  Even when the technotards running some of
these service providers think they're cute by resetting persistent connections
(Sprint and PPP through their 3G cellular service) it doesn't even faze
any of the IPv6 traffic (since they're stone cold dumb as a rock when
it comes to IPv6).

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Dan Hollis
> Sent: Monday, August 16, 2004 2:42 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Way OT: SSH worries
> 
> On Mon, 16 Aug 2004, Kevin Spicer wrote:
> > Or even better (if only a few people have an ssh account) enforce key
> > based authentication only, (carry your key on a usb keydrive or
> > similar...).

> wont save you from the next 0day root exploit though.

> moving to obscure ports and/or firewalling the hell out of ssh would be a
> better answer.

        Moving to IPv6 is even better.

        Obscure ports only improves the situation by * 65,536.  Moving
to IPv6 improves the situation by * 65,536 * 4 billion * 4 billion.
Much better odds.

> -Dan

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
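The hardening points traded back and forth in this thread (no root login, keys only, one permitted account, ssh reachable only over IPv6) all live in sshd_config, and sshd has a caveat worth checking for: it takes the first value it reads for each keyword, so a later "PermitRootLogin yes" left behind at the bottom of the file is silently ignored. The following checker is an added example written for this page, not code from the thread or from OpenSSH; the two sshd_config texts in it are constructed, and the fallback defaults assumed for missing keywords (PermitRootLogin yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes, AddressFamily any) are the conservative pre-7.0 OpenSSH defaults.

```python
import re

# Constructed "before" sshd_config (not from the thread): the state the
# posters are warning about.
WEAK_CONFIG = """
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed "after" sshd_config applying the thread's advice.  The
# duplicate PermitRootLogin at the end is deliberate: sshd keeps the
# first value, so the checker must report "no", not "yes".
HARDENED_CONFIG = """
# sshd_config (constructed example)
AddressFamily inet6
ListenAddress [2001:db8::1]:22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alex
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return the effective global keyword values, keyed by lowercased keyword.

    sshd uses the first value it reads for each keyword, so later duplicates
    are ignored.  Everything after the first Match line is conditional and
    not part of the global scope, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(text):
    """Map each recommendation from the thread to True (met) or False (not met)."""
    cfg = parse_sshd_config(text)

    def get(key, default):
        # Assumed defaults for absent keywords (pre-7.0 OpenSSH behaviour).
        return cfg.get(key, default).lower()

    allowed_users = cfg.get("allowusers", "").split()
    return {
        # "Definitely prohibit root": only an explicit "no" counts.
        "root_login_disabled": get("permitrootlogin", "yes") == "no",
        # "Using keys only (no passwords)": both password paths must be off.
        "password_auth_disabled": get("passwordauthentication", "yes") == "no"
        and get("challengeresponseauthentication", "yes") == "no",
        "pubkey_auth_enabled": get("pubkeyauthentication", "yes") == "yes",
        # "Only having one account authorized to log in using SSH".
        "single_user_allowed": len(allowed_users) == 1,
        # "Restrict ssh to IPv6".
        "ipv6_only": get("addressfamily", "any") == "inet6",
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for check, ok in audit(text).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {check}")
```

Running it against a live file is a matter of `audit(open("/etc/ssh/sshd_config").read())`; because the parser mirrors sshd's first-value-wins rule, it reports what the daemon will actually enforce rather than what the last line of the file says.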
