Suggestion to make remote recovery easier

Todd Deshane deshantm at gmail.com
Wed May 7 00:36:38 UTC 2008


On Tue, May 6, 2008 at 8:20 PM, Scott Kitterman <ubuntu at kitterman.com> wrote:
> On Tue, 06 May 2008 23:56:18 +0100 Andrew Sayers
>  <andrew-ubuntu-devel at pileofstuff.org> wrote:
>  >At this point, I'm trying to walk the line between unrealistic "wouldn't
>  >it be great if..." type ideas and overly-strict reliance on solving the
>  >specific problem I have in my head, so I'd like to go back to first
>  >principles for a moment.  Please tell me if any of these are false:
>  >
>  >1) It's common for new Linux users to have a technical friend that deals
>  >with their problems.  This is a healthy relationship that we should look
>  >for ways to support
>  >2) People generally don't formalise that sort of thing until it's too late
>  >3) All Linux users can be behind arbitrarily complex sets of
>  >firewalls/NAT, including multiple layers of NAT or firewalls, not all of
>  >which are under either user's control
>  >4) We can expect experts to do some considerable work (e.g. installing
>  >packages and configuring routers), but non-technical users need simple
>  >instructions from the default installation
>  >5) There's some interest in making small changes to the default install
>  >to cater to the above issues
>  >6) Since the people in most need of help are more likely to stick to LTS
>  >releases, we can afford to add this sort of feature gradually, and see
>  >what public reaction is like
>
>  7) Most end users have an extremely naive view of security.  They want
>  "security", but understand very little about how changes to their systems
>  affect the security of their systems.  Changes made cannot make systems
>  less secure.
>
>  I'd invite you to look at the rate of ssh dictionary attacks on internet
>  exposed boxes and consider if any password based ssh solution is
>  appropriate.
>

There has been quite a bit of research on this topic at Clarkson University.

see:
http://monitor.sclab.clarkson.edu/thesis.doc

and

http://monitor.sclab.clarkson.edu/appendicies.doc

Abstract:
In its Top-20 Security Risks report for 2007, the SANS Institute
called brute-force password guessing attacks against SSH, FTP and
Telnet servers the most common form of attack to compromise servers
facing the Internet. Another recent study also suggests that Linux
systems may play an important role in the command and control systems
for botnets. Defending against brute-force SSH attacks may therefore
prove to be a key factor in the effort to disrupt these networks. We
report on a study of brute-force SSH attacks observed on three very
different networks: an Internet-connected small business network, a
residential system with a DSL Internet connection, and a university
campus network. The similarities observed in the methods used to
attack these disparate systems are quite striking. The evidence
suggests that many brute-force attacks are based on pre-compiled lists
of usernames and passwords, which are widely shared. We were able to
confirm the existence of one such pre-compiled list after it was
discovered in an SSH attack toolkit captured in a related honeypot
project.  Analysis of the passwords used in actual malicious SSH
traffic suggests that the common understanding of what constitutes a
strong password may no longer be sufficient to protect systems from
compromise. Study data are also used to evaluate the effectiveness of
a variety of techniques designed to defend against these attacks.

Cheers,
Todd
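As an added illustration (not code from the thread or the Clarkson thesis) of the detection side of what the abstract describes, the following script scans sshd authentication log lines for the dictionary-attack pattern: many failed password attempts from one source in a short window, cycling through guessable usernames. The log lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not real captured traffic).
SAMPLE_AUTH_LOG = """\
May  6 23:58:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
May  6 23:58:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4025 ssh2
May  6 23:58:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 4031 ssh2
May  6 23:58:07 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 4040 ssh2
May  6 23:58:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 4044 ssh2
May  6 23:59:40 host sshd[2120]: Failed password for alice from 198.51.100.9 port 51022 ssh2
May  6 23:59:52 host sshd[2122]: Accepted publickey for alice from 198.51.100.9 port 51024 ssh2
"""

# Matches both failed-password and accepted-login records emitted by OpenSSH's sshd.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2008):
    """Return a list of (timestamp, source_ip, username, failed) tuples.

    Syslog lines carry no year, so the caller supplies one (assumed 2008 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd or syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"].startswith("Failed")))
    return events


def find_bruteforce_sources(events, threshold=5, window_seconds=60):
    """Map each source IP with >= threshold failures inside any window to the usernames it tried.

    A sliding window over the sorted failure times flags a source as soon as
    `threshold` failures fall within `window_seconds` of each other. The returned
    username list shows which accounts the guessing list targeted.
    """
    failures = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_bruteforce_sources(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: brute-force pattern, usernames tried: {', '.join(users)}")
```

The single failed login from 198.51.100.9 followed by a key-based success is the ordinary mistyped-password case and is not flagged, whereas the rapid username cycling from 203.0.113.7 is.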
