Weird stuff going on at online.net

Comments

  • WSS Member

    @pinc said:

    @WSS said:
    dns amplification?

    [..] I think something is missing in this story.

    As do I.

    @xyz said:

    joepie91 said: There's zero reason to keep using passwords with SSH today.

    One reason: it's a pain to put the private key onto every system you wish to log in from, not to mention that having the key on disk can be a weakness itself. Okay, you can password protect the key, but then that's even more effort.

    Are you fucking serious? This should be your first task before you even configure the damn hostname to your liking, unless you've got an ancient version of OpenSSH that needs immediate replacement.

    Thanked by 2lion svmo
  • @WSS said:
    Are you fucking serious? This should be your first task

    ssh-copy-i ... ok let's stick to the password this is too much

  • WSS Member

    @lion said:

    @WSS said:
    Are you fucking serious? This should be your first task

    ssh-copy-i ... ok let's stick to the password this is too much

    I use telnet and automate with expect - it automatically types me into the server when I type 't server'.. my wife helped set up the script.

  • Logwatch, fail2ban, geoblocking - firewalling. - No point in your ssh being globally available ...
    ... and then you watch it like a hawk.

    .... but of course much easier to set up key based login ...

  • WSS Member

    ...and sshguard doesn't require installing Python for a single purpose.

    Thanked by 1svmo
  • @pinc said:

    @Shot2 said:
    misconfigured firewall resulting in OP's server going atrociously talkative.

    +1. Would be interesting to know how exactly did OP 'close all ports'. So this is hardly about breaking 20 chars SSH pass.

    "Let's block all those nasty ports and protocols, 67, 68, 546, 547, icmp, whatevah. Now I feel safe.
    OK, now let's request some address/range with DHCP.
    Oh my, why dis no work???
    Holy cow, why u kick me out for flooding???"

  • WSS Member

    @Shot2 for what it's worth, I endorse everyone in your sig- but I have yet to hear back from Stan..

  • joepie91 Member, Patron Provider

    xyz said:

    One reason: it's a pain to put the private key onto every system you wish to log in from

    You should only ever log in from your own systems. If that's "a pain", how many systems do you have exactly?

    xyz said: not to mention that having the key on disk can be a weakness itself.

    No, it wouldn't be? If somebody can access the system to grab the key from it, they can also just keylog your password. The only exception here is on eg. a laptop that gets nabbed from you while it's turned off, in which case...

    xyz said: Okay, you can password protect the key, but then that's even more effort.

    How is that 'even more effort'? Setting a password on your key is a one-time operation (you're even asked at the moment you generate the keypair!), and for logging in you still only need a single password, namely that which the key is encrypted with, and which still doesn't get sent to the server.

    This is a nonsensical argument.

    xyz said: Unless you get a hard over how theoretically secure your system is, using a strong password is perfectly fine. I don't need military grade protection which can protect me against a state-level adversary, I just need enough protection against my adversaries.

    This, too, is complete nonsense. Shared-key attacks can be carried out by literally any script kiddie, and this routinely happens. Only one server needs to be compromised (through any means that gives root access, not just SSH), and now whoever compromised it can also access everything else you have.

    Using passwords for SSH is insecure, full stop. There are no ifs, there are no buts, and this is absolutely nothing to do with "military grade protection" or "state-level adversaries".

    @angstrom said:

    @xyz said:

    joepie91 said: There's zero reason to keep using passwords with SSH today.

    One reason: it's a pain to put the private key onto every system you wish to log in from, not to mention that having the key on disk can be a weakness itself. Okay, you can password protect the key, but then that's even more effort.

    Unless you get a hard over how theoretically secure your system is, using a strong password is perfectly fine. I don't need military grade protection which can protect me against a state-level adversary, I just need enough protection against my adversaries. If someone really did want to get in, I'm sure they could just break into my home and steal all my stuff, or coerce me to give it up via other means, anyway - it'd likely be much simpler than trying to do some complicated SSH attack to scrape the password.

    Not to mention that based on the info that we have about the OP's server, it's far-far from clear that his password was cracked. Without more info, it's not at all clear what happened exactly.

    I'm not saying this is the cause. I'm just saying that this is a security issue that needs to be addressed.

    Thanked by 1vimalware
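
An added example, not part of any post in this thread: a small audit of `sshd_config` text that reports every way a password can still be used to log in, which is the setting the posts above argue about. The function names and the sample config are constructed for illustration; it assumes OpenSSH's documented defaults and first-value-wins parsing, and it does not follow `Include` files.

```python
# Added example: audits sshd_config text for ways a password can still be used.
DEFAULTS = {  # OpenSSH defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Older configs use the deprecated name for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(config_text):
    """Return (global settings, [(match criteria, keyword, value)])."""
    glob, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":            # everything after this is conditional
            match = " ".join(parts[1:])
            continue
        value = parts[1].lower() if len(parts) > 1 else ""
        if match is None:
            glob.setdefault(key, value)   # sshd keeps the first value it reads
        else:
            overrides.append((match, key, value))
    return {**DEFAULTS, **glob}, overrides

def password_login_findings(config_text):
    """List settings that leave password-style logins enabled."""
    glob, overrides = parse(config_text)
    findings = [f"global: {k} = {glob[k]}" for k in PASSWORD_KEYS if glob[k] != "no"]
    if glob["permitrootlogin"] == "yes":
        findings.append("global: permitrootlogin = yes")
    findings += [f"Match {m}: {k} = {v}" for m, k, v in overrides
                 if k in PASSWORD_KEYS and v != "no"]
    return findings

SAMPLE = """\
# constructed sample, not from the thread
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in password_login_findings(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here is for reviewing a config file offline.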
  • xyz Member

    joepie91 said: You should only ever log in from your own systems. If that's "a pain", how many systems do you have exactly?

    Lost count.

    joepie91 said: No, it wouldn't be? If somebody can access the system to grab the key from it, they can also just keylog your password.

    There's quite a difference between someone grabbing something off disk and installing a keylogger. One is completely passive, the other leaves traces. For example, simply copying a file out of an OpenVZ container, or someone recovering data off a discarded disk are examples of being able to get the private key without installing keyloggers.
    (besides, this assumes that a keylogger can capture the password)

    joepie91 said: Setting a password on your key is a one-time operation

    No, you have to enter it every single time you log in, in addition to supplying flags etc to pull the key across (I don't use the same key for every server - I have my reasons for this).

    joepie91 said: Shared-key attacks can be carried out by literally any script kiddie, and this routinely happens

    I'm not aware of what you mean by such attacks. Would you be able to clarify?

    joepie91 said: Only one server needs to be compromised (through any means that gives root access, not just SSH), and now whoever compromised it can also access everything else you have

    How so? Are you assuming the same password is used everywhere?

    joepie91 said: Using passwords for SSH is insecure, full stop

    [citation needed]

  • @oijpghjighoji said:
    Same. I have plenty of servers with 20 chars random generated passwords. And never got a problem. I would be amazed by anybody that could bruteforce this.

    Just because you don't get a problem, that doesn't mean it's secure...
    Better safe than sorry...
