[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Great IP Auto-Ban script

To: luci-discuss@luci.org
Subject: Re: Great IP Auto-Ban script
From: Danny Sauer <sauer@cloudmaster.com>
Date: Wed, 06 Sep 2006 07:52:26 -0500
In-Reply-To: <OF091CAB6B.61503C5B-ON852571DF.004D707F-852571DF.004F24EC@us.ibm.com>
Organization: Linux Users of Central Illinois
References: <OF091CAB6B.61503C5B-ON852571DF.004D707F-852571DF.004F24EC@us.ibm.com>
Reply-To: luci-discuss@luci.org
Sender: luci-discuss-owner@luci.org

On Mon, 2006-09-04 at 10:24 -0400, David Desrosiers wrote:
>         If *your* machine requires that ssh and the strength of your
>         password not be trusted, how is it acceptable to trust another
>         machine which trusts both of those things?
> 
> Because I've been directly involved in the configuration of "both of
> those things" ;) Digital forensics and penetration analysis is a
> "professional hobby" of mine.  

If it's good enough, how come you didn't do those things to your home
box, then, instead of going through the other hassle? ;)  Really, I'm
just curious at this point, since you obviously put some thought into
it...

        Port-knocking is also well-tested, and not easy to subject to
        man-in-the-middle attacks as you assert, but if you have a valid
        case study that disproves the technology, I'm sure the project
        would love to hear about it.

Port-knocking is just more security through obscurity.  Pretty obscure,
sure, but a repeatable pattern of half-open connections to odd ports
followed by access to a port of interest would likely stand out to
anyone who's seriously hacking.  Skript kiddies would likely miss it,
though, and they're probably the more common threat.  I'm sure the
project is aware of that, even without a case study.  From the
description of the COK implementation: "One of the main complaints about
port-knocking is that one can implement trivial replay attacks against
any static port-knocking system".  So some of them send encrypted data
in order to enable the knock.  Yeah, and maybe I'll paint all of my
house keys flat black, so they're harder for a burglar to find.  Sigh.
It's still not as good as the challenge-response negotiation that ssh
*already does*.

Banning an IP after suspicious activity would probably work just as
well.  I'm personally partial to the "innocent until proven guilty"
approach in general, as it results in a more usable compromise between
usability and security.  IMHO, of course.

--Danny, presently Unix Security for one of the largest companies in the
country ;)

-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.

References:
- Re: Great IP Auto-Ban script
  - From: David Desrosiers <daviddes@us.ibm.com>

Prev by Date: Re: Great IP Auto-Ban script
Next by Date: Broadcom Wireless NIC
Prev by thread: Re: Great IP Auto-Ban script
Next by thread: Re: Great IP Auto-Ban script
Index(es):
- Date
- Thread