Archive for March, 2008

Disable SSH Password Authentication with OS X 10.5 Leopard

Saturday, March 15th, 2008

I have a Mac running OS X 10.5 Leopard on my home network that I have made accessible from the Internet so I can remotely access it using SSH (Secure Shell) when I am away.

However, there are many popular SSH password brute force cracking tools (such as Hydra). Below is an excerpt from /var/log/secure.log on the Internet-accessible Mac showing an obvious brute force attack:

06:15:20 sshd[54623]: Invalid user jeff from 88.46.222.228
06:15:22 sshd[54625]: Invalid user irc from 88.46.222.228
06:15:24 sshd[54629]: Invalid user list from 88.46.222.228
06:15:25 sshd[54631]: Invalid user eleve from 88.46.222.228
06:15:27 sshd[54633]: Invalid user proxy from 88.46.222.228
06:17:28 sshd[54700]: Invalid user admin from 59.173.2.71
06:17:32 sshd[54702]: Invalid user admin from 59.173.2.71
06:17:36 sshd[54704]: Invalid user admin from 59.173.2.71
06:17:39 sshd[54706]: Invalid user administrator from 59.173.2.71
06:17:43 sshd[54708]: Invalid user administrator from 59.173.2.71
06:17:46 sshd[54710]: Invalid user administrator from 59.173.2.71
06:17:49 sshd[54712]: Invalid user tads from 59.173.2.71
06:17:52 sshd[54714]: Invalid user manet from 59.173.2.71
06:17:55 sshd[54716]: Invalid user creative from 59.173.2.71
06:18:00 sshd[54718]: Invalid user manet from 59.173.2.71

What I am not showing you are hundreds of similar attempts. Further, each username login attempt repeats as many as 20 times in a row, indicating that multiple passwords are being tried.

To entirely sidestep the threat of brute force password attacks, I have disabled password logins and only allow public-key authentication. Here is how you can set this up in OS X 10.5 Leopard:

  1. Edit /etc/sshd_config and change the following options, removing the ‘#’ comment sign:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

  2. Turn off Remote Login in the Sharing preference pane in System Preferences and turn it on again to restart sshd so the changes will take effect.

Now, when someone attempts to SSH to my Mac without the correct private key, she/he will see this message:

ssh1.png

Finally, to avoid more log entries of ssh brute force password attempts, I’ve changed the default port for SSH. To my mind, this also reduces the risk of an SSH zero-day exploit.

Posted in security | 6 Comments »

What’s in a .name?

Saturday, March 1st, 2008

Dot name

I’ve been looking for a new email address that is portable, permanent, and memorable. Typical email addresses are usually tied to a single provider like Gmail, Comcast, or the organization you work for. If you leave the provider you have to get a new email address. For example, when I finish my Ph.D. at Georgia State I will need a new email address for my professional communication.

Another typical email address problem is that available addresses are often not very memorable (e.g. mrmj412@gmail.com), and may not correspond to your real name or may be too long.

One alternative is to purchase a domain name and use it with Gmail. However, unless you are fortunate, your last name is likely already taken for most top-level domains.

I’ve found a solution that solves the above problems?a third-level .name domain. While the top-level .com domain is for businesses and .org is for organizations, .name is for individuals.

Most .name addresses are only available at the third (subdomain) level because many second-level domains are reserved by the registrar and shared among many people. For example, someone could have the address john@vance.name, but not own the vance.name domain. Another person could have the email address isaac@vance.name.

However, you do control the subdomain which in my case is anthony.vance.name. This domain works like any other?currently it points to my server at http://anthony.vance.name.

A nice service provider for .name domain name registration is FreeYourID.com, which offers email and domain name forwarding for $11 a year. The .name domain is a nice solution?having a memorable and portable email address is definitely worth the money to me.

Posted in email | No Comments »