[TAG] Re: ssh intruders

Benjamin A. Okopnik ben at linuxgazette.net
Tue Sep 6 20:27:19 MSD 2005 

On Tue, Sep 06, 2005 at 09:26:27AM +0530, Kapil Hari Paranjape wrote:
> Hello,
> 
> On Mon, 05 Sep 2005, Benjamin A. Okopnik wrote:
> > On Sun, Sep 04, 2005 at 11:41:22PM -0700, Mike Orr wrote:
> > > Benjamin A. Okopnik wrote:
> > > 
> > > >>Or you could just tarpit them. 
> > > 
> > I think Thomas or Chris (Gianakopoulos) would be the best people to ask
> > - my knowledge of network programming is minimal to non-existent. My
> > best guess would be that it can only be done in the kernel, because (I
> > *think*) the socket would be established _after_ the initial handshake,
> > etc. are completed - and TCP-based tarpitting occurs at the handshake
> > stage.
> > 
> 
> While this tarpit *is* at a lower level than an established TCP socket,
> it does not necessarily mean kernel-level programming. Have a look at
> "iptables" which has features that allow you to introduce additional
> rules (including delays) controlling the establishment of a TCP
> connection.

Isn't "iptables", "netfilter", and all that other stuff involved with
what's going on at the kernel level? I always find it amusing to see
what happens when I run "iptables" as a non-root user:

``
ben at Fenrir:~$ iptables -L
FATAL: Module ip_tables not found.
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
''

In either case, I didn't mean that you have to write kernel code - just
that _something_ has to mediate the process by which the kernel creates
sockets, etc. "iptables" will do just fine. :)

> Your other option is to lock-up the initial Diffie-Hellman key exchange
> part of the SSH protocol. For example, you can do this by reducing the
> entropy available to SSH by locking up /dev/random or extracting a huge
> string of random data. You can later feed this string back.

That's a very interesting entry point, Kapil - I hadn't thought about
that one. However, I'd hesitate to use it because other programs that
may need that randomness pool would block (or use a lower-quality
source, depending.)

Ancient Russian proverb:
"Do not use a sledgehammer to remove a fly from your friend's forehead.
Unless there's no more vodka and no money to buy any."
:)


* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://linuxgazette.net *

More information about the TAG mailing list