[186643] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Dec 26 18:12:18 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAEmG1=qXi4Qq=Othy-dVD_94hy5HHee2R=b1=pPO9kVy0oLYFg@mail.gmail.com>
Date: Sat, 26 Dec 2015 15:11:13 -0800
To: Matthew Petach <mpetach@netflight.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Dec 26, 2015, at 12:50 , Matthew Petach <mpetach@netflight.com> wrote:
>
> On Sat, Dec 26, 2015 at 12:34 PM, Owen DeLong <owen@delong.com> wrote:
>>> On Dec 26, 2015, at 08:14 , Joe Abley <jabley@hopcount.ca> wrote:
>>> On Dec 26, 2015, at 10:09, Stephen Satchell <list@satchell.net> wrote:
>>>> My gauge is volume of obnoxious traffic. When I get lots of SSH probes from a /32, I block the /32.
> [...]
>>> With respect to ssh scans in particular -- disable all forms of password authentication and insist upon public key authentication instead. If the password scan log lines still upset you, stop logging them.
>>
>> This isn't a bad idea, per se, but it's not always possible for the guy running the server to dictate usage to the people using the accounts.
>>
>> Also, note that the only difference between a good long passphrase and a private key is, uh, wait, um, come to think of it, really not much.
>>
>> The primary difference is that nobody expects to have to remember a private key so we don't get fussed when they contain lots of entropy. Users aren't good at choosing good long secure passphrases and the automated mechanisms that attempt to enforce strong passwords just serve to increase user confusion and actually reduce the entropy in passwords overall.
>
> No, the difference is that a passphrase works
> in conjunction with the private key, which is
> the "something you have" vs the "something
> you know" in two-factor authentication.
No... You are missing the point. Guessing a private key is roughly equivalent to guessing a really long pass phrase. There is no way that the server side can enforce password protection of the private key on the client side, so if you are assuming that public-key authentication is two-factor, then you are failing miserably.
> With password authentication, there's only a
> single solution space for the attacker to
> sift through; with private key authentication,
> unless you're sloppy about securing your
> private key, there's two massive solution spaces
> for the attacker to sift through to find the unique
> point of intersection.
The point here is that securing the private key is a user task and not under the control of the administrator. As such, you have to assume sloppy.
> Massively different solution space volumes
> to deal with. Equating the two only has meaning
> in cosmological contexts.
Or contexts where the user is sloppy about securing their private key, e.g. the real world.
Owen
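Two checks that the argument above turns on, as an added example that is not part of the thread: whether an sshd_config really disables every password-style login (Joe Abley's suggestion), and whether an OpenSSH private key file is passphrase-protected, the client-side property Owen points out the server cannot verify. The sample configs and the sample key blobs are constructed here; the sshd_config parser ignores Match blocks, and sample_openssh_key only fills in the header fields the check reads.

```python
# Added example (not from the thread): two defender-side checks the thread
# argues about. The sshd_config parser follows sshd's first-match-wins rule
# but ignores Match blocks; the key check reads both OpenSSH key formats.
import base64
import struct

def sshd_password_auth_disabled(config_text: str) -> bool:
    """True only if every password-style method is explicitly off."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().replace("=", " ", 1)
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    pw = seen.get("passwordauthentication")
    kbd = seen.get("kbdinteractiveauthentication")
    cr = seen.get("challengeresponseauthentication")  # older alias of kbd
    return pw == "no" and "no" in (kbd, cr)

def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(key_text: str) -> bool:
    """Legacy PEM: 'Proc-Type: 4,ENCRYPTED' header line.
    openssh-key-v1: the first string after the magic is the cipher name."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if "Proc-Type: 4,ENCRYPTED" in lines:
        return True
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return False  # legacy PEM with no encryption header
    blob = base64.b64decode("".join(lines[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _ssh_string(blob, len(magic))
    return cipher != b"none"

def sample_openssh_key(cipher: bytes) -> str:
    """Constructed sample key: only the header fields are populated."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

WEAK_SSHD = "PasswordAuthentication yes\nKbdInteractiveAuthentication yes\n"
HARDENED_SSHD = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
                 "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n")
```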