[ILUG] SSH dictionary attacks.

Colm MacCarthaigh colm at stdlib.net
Wed Aug 23 14:36:30 IST 2006


On Wed, Aug 23, 2006 at 02:20:55PM +0100, Aine Douglas wrote:
> I'm curious now.... the dictionary attacks I've witnessed this morning
> all came from Korea. My ISP is the same Irish ISP that the server I
> connected to is hosted on. Exactly how would the world of dictionary
> attackers, esp those in Korea packet sniff my port knocking?

That's a very twisted form of reasoning. I didn't say that they would.
The point is that measures should take account of a range of different
threats.  ssh is supposed to help protect you against packet sniffing,
port-knocking lacks any additional layer.

Personally I consider the additional complexity it introduces and the
problems that causes when debugging genuine problems make port-knocking
a net harm. It's just not worth it when much simpler methods which are
equally - or more - effective are so trivial to implement.

> >Port-knocking requires port-reachability to a series of ports, which you
> >may or may not get through some site firewall, but wouldn't it just be
> >easier to run ssh on a port other than 22?
> 
> In the absence of being able to packetsniff, my Korean friends would
> determine that one with a portscan.

If you are the victim of a genuinely targeted attack, good luck if you
think port-knocking will make a jot of difference. They could just
compromise a neighbour on the same subnet and sniff your traffic that
way, or do something else.

How do you think they found out you were running ssh in the first place?

I guess the day could come when they start scanning every port too and
doing some protocol inspection on it, but it hasn't yet.

> >Less overhead, less complex, same result.
> 
> Less secure ;-)

It's slightly more secure. Either way, the real security comes from
either using well-chosen passphrases which are not so prone to attack or
in not using passphrases at all and using a key exchange. 

None of this is about improving security. It's about getting rid of
nuisance log entries.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
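The two practical points in the message above are that the noise in the logs comes from password guessing against port 22, and that the real protection is key-based login (or strong passphrases), not port-knocking. The script below is an added example, not code from the thread or from anyone in it: it sorts constructed sshd auth-log lines into dictionary-style sources versus successful logins, and checks an sshd_config fragment for the settings that matter (Port, PasswordAuthentication, PubkeyAuthentication). The log lines, IP addresses (documentation ranges), hostnames, user names, the `threshold` of five failures and the two config fragments are all my own assumptions; the log format, the directive names and the first-value-wins rule are those of OpenSSH.

```python
"""Sort sshd log noise from real risk and check the sshd_config settings that matter.

Added example; not from the original mailing-list post.  Log lines, config
fragments, hosts, users and addresses below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines in OpenSSH's format.
SAMPLE_LOG = """\
Aug 23 09:12:01 www sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 54321 ssh2
Aug 23 09:12:03 www sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 54330 ssh2
Aug 23 09:12:05 www sshd[4105]: Failed password for root from 203.0.113.7 port 54341 ssh2
Aug 23 09:12:07 www sshd[4107]: Failed password for root from 203.0.113.7 port 54350 ssh2
Aug 23 09:12:09 www sshd[4109]: Failed password for invalid user test from 203.0.113.7 port 54360 ssh2
Aug 23 09:14:30 www sshd[4115]: Failed password for invalid user admin from 198.51.100.99 port 33001 ssh2
Aug 23 09:15:51 www sshd[4120]: Accepted publickey for aine from 198.51.100.20 port 40012 ssh2
Aug 23 09:20:10 www sshd[4131]: Accepted password for colm from 198.51.100.21 port 40100 ssh2
"""

# Matches "Failed password for [invalid user] X from IP port N" and
# "Accepted publickey for X from IP port N" as sshd writes them.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>[\w-]+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue  # disconnects and other sshd chatter are ignored
        events.append({
            "ok": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarise(events, threshold=5):
    """Count failed password attempts per source and flag dictionary-style sources.

    `threshold` (an arbitrary choice here) is the number of failed password
    attempts from one address that we call a dictionary attack.  Successful
    password logins are listed separately: those are the accounts a guessing
    attack could actually reach; publickey logins are not exposed to guessing.
    """
    failed = Counter()
    users = defaultdict(set)
    password_logins, key_logins = [], []
    for e in events:
        if not e["ok"]:
            if e["method"] == "password":
                failed[e["ip"]] += 1
                users[e["ip"]].add(e["user"])
        elif e["method"] == "password":
            password_logins.append((e["user"], e["ip"]))
        elif e["method"] == "publickey":
            key_logins.append((e["user"], e["ip"]))
    return {
        "failed_per_ip": dict(failed),
        "users_tried": {ip: sorted(u) for ip, u in users.items()},
        "dictionary_sources": sorted(ip for ip, n in failed.items() if n >= threshold),
        "password_logins": password_logins,
        "publickey_logins": key_logins,
    }


# Constructed sshd_config fragments: the default-style one and the one the
# message argues for (keys only, non-default port).
WEAK_SSHD_CONFIG = """\
# Default-style: password logins on the default port
Port 22
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# Keys only, on a non-default port.  ChallengeResponseAuthentication is off
# too: with PAM, keyboard-interactive can still prompt for a password even
# when PasswordAuthentication is no.
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""


def sshd_directives(text):
    """Parse sshd_config into {keyword: first value}.

    Keywords are case-insensitive and, outside Match blocks, the first value
    sshd reads for a keyword wins, so a later "PasswordAuthentication no"
    below an earlier "yes" changes nothing.  Match blocks are not modelled.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return directives


def check_sshd_config(text):
    """Return findings against the settings discussed in the thread."""
    d = sshd_directives(text)
    issues = []
    if d.get("port", "22") == "22":
        issues.append("Port 22: expect dictionary-attack noise in the logs")
    if d.get("passwordauthentication", "yes") != "no":
        issues.append("PasswordAuthentication on: guessable passwords are exposed")
    elif (d.get("challengeresponseauthentication", "yes") != "no"
          and d.get("kbdinteractiveauthentication", "yes") != "no"):
        issues.append("ChallengeResponseAuthentication on: PAM may still prompt for a password")
    if d.get("pubkeyauthentication", "yes") != "yes":
        issues.append("PubkeyAuthentication off: key-based login is impossible")
    return issues


if __name__ == "__main__":
    report = summarise(parse_auth_log(SAMPLE_LOG))
    print("dictionary sources:", report["dictionary_sources"])
    print("accounts reached by password:", report["password_logins"])
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "config:", check_sshd_config(cfg) or "no findings")
```

On a real host, run `sshd -t` against the edited file before restarting sshd, and keep an existing session open until a key-based login on the new port has been confirmed; with PasswordAuthentication off, a missing or unreadable authorized_keys file locks you out.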