
Is It Time To Replace SSH ???

Started by: "26C.Z969" <26C.Z969@noaada.net>
First post: 2022-12-15 01:52 -0500
Last post: 2023-01-14 16:57 +0000
Articles: 20 on this page of 126 — 22 participants



Contents

  Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-15 01:52 -0500
    Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-15 08:39 +0000
      Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-15 10:09 +0000
        Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-15 18:33 -0500
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:19 +0000
            Re: Is It Time To Replace SSH ??? Roger Blake <rogblake@iname.invalid> - 2022-12-19 00:12 +0000
              Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:05 +0000
        Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:21 +0000
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-17 07:03 +0000
          Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2022-12-19 15:46 +0000
            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 16:30 +0000
              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:27 +0000
            Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:10 +0000
              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:26 +0000
      Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:11 -0500
        Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-16 09:11 +0100
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:22 +0000
        Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:26 +0000
    Re: Is It Time To Replace SSH ??? Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2022-12-15 14:55 +0000
      Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:16 -0500
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:26 +0000
          Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 20:49 -0500
        Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2022-12-26 19:45 -0500
          Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-27 23:32 -0500
    Re: Is It Time To Replace SSH ??? Marco Moock <mo01@posteo.de> - 2022-12-15 18:03 +0100
      Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-15 18:36 -0500
        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-16 00:28 -0500
          Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-16 01:33 -0500
            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 02:08 -0500
              Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2022-12-17 14:21 +0000
                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-28 01:23 -0500
                  Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-29 07:37 +1000
                    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 00:02 -0500
                      Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-29 01:33 -0500
                        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 21:06 -0500
                          Re: Is It Time To Replace SSH ??? Robert Riches <spamtrap42@jacob21819.net> - 2022-12-30 04:16 +0000
                            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 14:33 +0000
                              Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:23 -0500
                            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:12 -0500
                          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 14:31 +0000
                            Re: Is It Time To Replace SSH ??? Charlie Gibbs <cgibbs@kltpzyxm.invalid> - 2022-12-30 19:09 +0000
                              Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-30 20:38 +0000
                                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 00:32 -0500
                              Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-31 01:00 -0500
                                Re: Is It Time To Replace SSH ??? Charlie Gibbs <cgibbs@kltpzyxm.invalid> - 2022-12-31 20:14 +0000
                                  Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2023-01-01 00:17 -0500
          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:21 +0000
        Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:20 +0000
          Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-16 10:30 +0100
            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-16 09:38 +0000
              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-16 18:29 +0000
                Re: Is It Time To Replace SSH ??? Marc Haber <mh+usenetspam1118@zugschl.us> - 2022-12-16 21:44 +0100
                  Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-17 07:05 +0000
                  Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-17 02:31 -0500
                    Re: Is It Time To Replace SSH ??? Robert Heller <heller@deepsoft.com> - 2022-12-17 12:59 +0000
                      Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 00:22 -0500
                        Re: Is It Time To Replace SSH ??? Computer Nerd Kev <not@telling.you.invalid> - 2022-12-19 17:50 +1000
                        Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-19 10:13 +0000
                    Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2022-12-17 14:25 +0000
                      Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-18 00:51 +0100
                        Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-18 11:16 +0000
                          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-18 12:02 +0000
                            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-18 20:57 -0500
                              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-19 10:05 +0000
                                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 12:24 +0100
                                  Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 09:08 +0000
                                Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:24 +0000
                                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-20 22:57 -0500
                                  Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-21 09:35 +0000
                                    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-24 21:29 -0500
                                      Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-28 09:06 +0000
                              Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:18 +0000
                        Re: Is It Time To Replace SSH ??? Marc Haber <mh+usenetspam1118@zugschl.us> - 2022-12-18 14:21 +0100
                          Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-18 21:08 -0500
                            Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-19 00:30 -0500
                              Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-19 11:26 +0000
                                Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 22:17 -0500
                              Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 21:40 -0500
                            Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 12:27 +0100
                              Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-19 21:46 -0500
                  Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-17 08:58 +0000
                    Re: Is It Time To Replace SSH ??? Ted Heise <theise@panix.com> - 2022-12-20 14:24 +0000
                      Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2022-12-20 16:14 +0000
                        Re: Is It Time To Replace SSH ??? Ted Heise <theise@panix.com> - 2022-12-20 20:58 +0000
            Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-17 07:58 +1000
            Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-16 21:24 -0500
              Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-17 02:03 -0500
                Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 03:47 -0500
                  Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-17 12:43 +0100
                    Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 20:13 -0500
                      Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-18 23:35 +0100
                        Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-18 18:47 -0500
                          Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-19 00:59 +0100
                            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-29 00:32 -0500
                  Re: Is It Time To Replace SSH ??? "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2022-12-17 10:30 -0500
                    Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-17 20:20 -0500
                    Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-23 22:36 -0500
                      Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2022-12-23 23:26 -0500
                        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:14 -0500
                          Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-26 20:01 +0000
                            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 16:59 -0500
                      Re: Is It Time To Replace SSH ??? Computer Nerd Kev <not@telling.you.invalid> - 2022-12-24 14:37 +1000
                        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:44 -0500
                          Re: Is It Time To Replace SSH ??? not@telling.you.invalid (Computer Nerd Kev) - 2022-12-27 08:33 +1000
                            Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 17:58 -0500
                        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:51 -0500
                      Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2022-12-24 13:49 +0000
                        Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-26 01:29 -0500
                Re: Is It Time To Replace SSH ??? "Carlos E. R." <robin_listas@es.invalid> - 2022-12-17 12:41 +0100
    Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2022-12-26 19:41 -0500
      Re: Is It Time To Replace SSH ??? "26C.Z969" <26C.Z969@noaada.net> - 2022-12-27 00:20 -0500
        Re: Is It Time To Replace SSH ??? Popping Mad <rainbow@colition.gov> - 2023-01-10 19:52 -0500
          Re: Is It Time To Replace SSH ??? gazelle@shell.xmission.com (Kenny McCormack) - 2023-01-13 21:21 +0000
            Re: Is It Time To Replace SSH ??? Rich <rich@example.invalid> - 2023-01-13 23:03 +0000
              Re: Is It Time To Replace SSH ??? Andreas Kohlbach <ank@spamfence.net> - 2023-01-13 21:48 -0500
              Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 03:39 +0000
              Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 10:40 +0000
              Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2023-01-14 11:14 +0000
                Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 11:39 +0000
                  Re: Is It Time To Replace SSH ??? Pancho <Pancho.Jones@proton.me> - 2023-01-14 14:04 +0000
                    Re: Is It Time To Replace SSH ??? Richard Kettlewell <invalid@invalid.invalid> - 2023-01-14 14:28 +0000
                    Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 15:26 +0000
            Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 03:38 +0000
              Re: Is It Time To Replace SSH ??? "26C.Z968" <26C.Z968@noaada.net> - 2023-01-14 01:47 -0500
                Re: Is It Time To Replace SSH ??? Dan Espen <dan1espen@gmail.com> - 2023-01-14 11:24 -0500
                  Re: Is It Time To Replace SSH ??? The Natural Philosopher <tnp@invalid.invalid> - 2023-01-14 16:57 +0000



#36536

From: Richard Kettlewell <invalid@invalid.invalid>
Date: 2022-12-18 11:16 +0000
Message-ID: <wwvfsddkllt.fsf@LkoBDZeT.terraraq.uk>
In reply to: #36528

"Carlos E. R." <robin_listas@es.invalid> writes:
> On 17/12/2022 15.25, Rich wrote:
>> Please detail what your proposed 'smarter' ssh would do given this
>> situation.
>> And, while you are at it, please explain why this should be an
>> activity
>> that ssh concerns itself with (thereby adding significant complexity)
>> as opposed to this being a network monitoring layer, separate from ssh,
>> that monitors and remediates things on behalf of ssh and any other
>> services.
>
> Monitoring logs is a kludge.

If you want SSH to block attackers directly that would be a fairly
simple change to an SSH server. Designing a new secure remote login
protocol just for that would be a bizarre choice.

Personally I think the current architecture is a good example of
decoupling.

I can see a better argument for using PAM to trigger the blocking
(perhaps already possible with pam_exec). That would (in principle)
allow for uniform reporting from SSH, mosh, RDP, etc. Again, though, it
wouldn’t justify the OP’s requirement for a completely new protocol,
which still seems to lack any coherent motivation.

-- 
http://www.greenend.org.uk/rjk/



#36537

From: The Natural Philosopher <tnp@invalid.invalid>
Date: 2022-12-18 12:02 +0000
Message-ID: <tnmvgr$3v0v1$10@dont-email.me>
In reply to: #36536

On 18/12/2022 11:16, Richard Kettlewell wrote:
> "Carlos E. R." <robin_listas@es.invalid> writes:
>> On 17/12/2022 15.25, Rich wrote:
>>> Please detail what your proposed 'smarter' ssh would do given this
>>> situation.
>>> And, while you are at it, please explain why this should be an
>>> activity
>>> that ssh concerns itself with (thereby adding significant complexity)
>>> as opposed to this being a network monitoring layer, separate from ssh,
>>> that monitors and remediates things on behalf of ssh and any other
>>> services.
>>
>> Monitoring logs is a kludge.
> 
> If you want SSH to block attackers directly that would be a fairly
> simple change to an SSH server. Designing a new secure remote login
> protocol just for that would be a bizarre choice.
> 
> Personally I think the current architecture is a good example of
> decoupling.
> 
> I can see a better argument for using PAM to trigger the blocking
> (perhaps already possible with pam_exec). That would (in principle)
> allow for uniform reporting from SSH, mosh, RDP, etc. Again, though, it
> wouldn’t justify the OP’s requirement for a completely new protocol,
> which still seems to lack any coherent motivation.
> 
He just likes 'new shiny thing, make everything better'
Creeping featurism as a substitute for genuine progress.

-- 
"Corbyn talks about equality, justice, opportunity, health care, peace, 
community, compassion, investment, security, housing...."
"What kind of person is not interested in those things?"

"Jeremy Corbyn?"



#36550

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-18 20:57 -0500
Message-ID: <gXWdnbX9bNyOWAL-nZ2dnZfqn_qdnZ2d@earthlink.com>
In reply to: #36537

On 12/18/22 7:02 AM, The Natural Philosopher wrote:
> On 18/12/2022 11:16, Richard Kettlewell wrote:
>> "Carlos E. R." <robin_listas@es.invalid> writes:
>>> On 17/12/2022 15.25, Rich wrote:
>>>> Please detail what your proposed 'smarter' ssh would do given this
>>>> situation.
>>>> And, while you are at it, please explain why this should be an
>>>> activity
>>>> that ssh concerns itself with (thereby adding significant complexity)
>>>> as opposed to this being a network monitoring layer, separate from ssh,
>>>> that monitors and remediates things on behalf of ssh and any other
>>>> services.
>>>
>>> Monitoring logs is a kludge.
>>
>> If you want SSH to block attackers directly that would be a fairly
>> simple change to an SSH server. Designing a new secure remote login
>> protocol just for that would be a bizarre choice.
>>
>> Personally I think the current architecture is a good example of
>> decoupling.
>>
>> I can see a better argument for using PAM to trigger the blocking
>> (perhaps already possible with pam_exec). That would (in principle)
>> allow for uniform reporting from SSH, mosh, RDP, etc. Again, though, it
>> wouldn’t justify the OP’s requirement for a completely new protocol,
>> which still seems to lack any coherent motivation.
>>
> He just likes 'new shiny thing, make everything better'
> Creeping featurism as a substitute for genuine progress.


   Ain't gonna be any "genuine progress" using today's
   SSH.

   All I did here was ASK A QUESTION ... "Is SSH good
   enough anymore ?".

   And I still don't think so.

   World's changed. Change with it or be eaten.

   There are MUCH better programmers out there than
   myself with a LOT more nuanced experience dealing
   with net security problems. Time for some of them
   to cast an eye on this. Sure, I can break out the
   'C' compiler and write an internet service BUT
   there are so many facets to writing a "better SSH"
   that'll cope with all the challenges ... I just
   ain't the guy. This will take a little "AI" and
   that's not my strong suit.

   Even the stupidest, brute force, distributed attack
   amounts to "denial of service". All yer password
   and port-knocking trix won't help much there. Not
   entirely sure if that can be dealt with ON *YOUR* BOX,
   but maybe. I'm hoping distributed attacks show a
   *pattern* that 'AI' can recognize and filter ... and
   pass "likely-abused IP addresses" to an online DB in
   the same fashion as e-mail blacklists. That's IQ
   which grows.



#36558

From: Richard Kettlewell <invalid@invalid.invalid>
Date: 2022-12-19 10:05 +0000
Message-ID: <wwva63j1zet.fsf@LkoBDZeT.terraraq.uk>
In reply to: #36550

"26C.Z969" <26C.Z969@noaada.net> writes:
> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>> He just likes 'new shiny thing, make everything better'
>> Creeping featurism as a substitute for genuine progress.
>
>   Ain't gonna be any "genuine progress" using today's
>   SSH.
>
>   All I did here was ASK A QUESTION ... "Is SSH good
>   enough anymore ?".

Well, no, you said it needed to be replaced with something else, but
then completely failed to explain what that something else would do any
differently. At most you’ve made some vague statements about using AI
but nowhere explained why feeding information about failed logins into a
statistical model would need a new secure remote login protocol. You
could do it perfectly well with the log tailing strategy that fail2ban
and its workalikes use.

-- 
http://www.greenend.org.uk/rjk/
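
The log-tailing strategy mentioned in the post above, sketched as an added example; it is not part of any poster's message and is not fail2ban's own code. It counts OpenSSH "Failed password" lines per source address in a sliding window and also reports how many distinct sources failed recently, the signal a distributed attempt would leave. The log lines are constructed, and the threshold, window and all names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is text supplied by the remote side, so the pattern is anchored
# at the END of the line: the address is taken from the " from ADDR port N ssh2"
# tail that sshd writes itself, never from anything inside the user field.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample input (documentation address ranges from RFC 5737).
SAMPLE_LOG = """
Dec 19 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 19 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Dec 19 10:00:04 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Dec 19 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Dec 19 10:01:00 host sshd[1005]: Failed password for bob from 192.0.2.44 port 41000 ssh2
Dec 19 10:20:00 host sshd[1006]: Failed password for bob from 192.0.2.44 port 41001 ssh2
Dec 19 10:40:00 host sshd[1007]: Failed password for bob from 192.0.2.44 port 41002 ssh2
Dec 19 10:41:00 host sshd[1008]: Failed password for root from 198.51.100.21 port 42000 ssh2
Dec 19 10:41:01 host sshd[1009]: Failed password for root from 198.51.100.22 port 42001 ssh2
Dec 19 10:41:02 host sshd[1010]: Failed password for root from 198.51.100.23 port 42002 ssh2
Dec 19 10:41:03 host sshd[1011]: Failed password for root from 198.51.100.24 port 42003 ssh2
""".strip().splitlines()


class FailureTracker:
    """Sliding-window failure counter fed one log line at a time."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10), year=2022):
        self.max_failures = max_failures
        self.window = window
        self.year = year                 # classic syslog timestamps omit the year
        self.by_ip = defaultdict(deque)  # address -> timestamps of recent failures
        self.recent = deque()            # (timestamp, address) across all sources
        self.banned = set()

    def feed(self, line):
        """Return the source address if this line pushes it over the threshold."""
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            return None
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # reject anything not an address
        except ValueError:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        cutoff = ts - self.window

        hits = self.by_ip[ip]
        hits.append(ts)
        while hits[0] < cutoff:          # drop failures older than the window
            hits.popleft()
        self.recent.append((ts, ip))
        while self.recent[0][0] < cutoff:
            self.recent.popleft()

        if len(hits) >= self.max_failures and ip not in self.banned:
            self.banned.add(ip)          # a real deployment would call the firewall here
            return ip
        return None

    def distinct_sources(self):
        """Number of different addresses with a failure inside the current window."""
        return len({ip for _, ip in self.recent})


def scan(lines, **options):
    """Run a tracker over the lines; return (addresses to block, tracker)."""
    tracker = FailureTracker(**options)
    bans = [ip for ip in map(tracker.feed, lines) if ip is not None]
    return bans, tracker


if __name__ == "__main__":
    bans, tracker = scan(SAMPLE_LOG)
    print("block:", bans)
    print("distinct failing sources in last window:", tracker.distinct_sources())
```

In the sample, the slow source (192.0.2.44) and the four single-attempt sources never reach the per-address threshold; only the distinct-source count reflects them.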



#36562

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2022-12-19 12:24 +0100
Message-ID: <k0avurFt2nqU1@mid.individual.net>
In reply to: #36558

On 19/12/2022 11.05, Richard Kettlewell wrote:
> "26C.Z969" <26C.Z969@noaada.net> writes:
>> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>>> He just likes 'new shiny thing, make everything better'
>>> Creeping featurism as a substitute for genuine progress.
>>
>>    Ain't gonna be any "genuine progress" using today's
>>    SSH.
>>
>>    All I did here was ASK A QUESTION ... "Is SSH good
>>    enough anymore ?".
> 
> Well, no, you said it needed to be replaced with something else, but
> then completely failed to explain what that something else would do any
> differently. At most you’ve made some vague statements about using AI
> but nowhere explained why feeding information about failed logins into a
> statistical model would need a new secure remote login protocol. You
> could do it perfectly well with the log tailing strategy that fail2ban
> and its workalikes use.

Log scanning is a kludge. There should be a better way, maybe the ssh 
daemon having an API to get/push that information to another daemon.

-- 
Cheers,
        Carlos E.R.



#36575

From: Richard Kettlewell <invalid@invalid.invalid>
Date: 2022-12-20 09:08 +0000
Message-ID: <wwv8rj2tpb2.fsf@LkoBDZeT.terraraq.uk>
In reply to: #36562

"Carlos E. R." <robin_listas@es.invalid> writes:
> Log scanning is a kludge.  There should be a better way, maybe the ssh
> daemon having an API to get/push that information to another daemon.

The question of how login failure information gets from SSH to somewhere
else is the least interesting part of the whole question. Try focusing
on something that actually matters.

-- 
http://www.greenend.org.uk/rjk/



#36563

From: The Natural Philosopher <tnp@invalid.invalid>
Date: 2022-12-19 11:24 +0000
Message-ID: <tnphla$8h2u$6@dont-email.me>
In reply to: #36558

On 19/12/2022 10:05, Richard Kettlewell wrote:
> "26C.Z969" <26C.Z969@noaada.net> writes:
>> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>>> He just likes 'new shiny thing, make everything better'
>>> Creeping featurism as a substitute for genuine progress.
>>
>>    Ain't gonna be any "genuine progress" using today's
>>    SSH.
>>
>>    All I did here was ASK A QUESTION ... "Is SSH good
>>    enough anymore ?".
> 
> Well, no, you said it needed to be replaced with something else, but
> then completely failed to explain what that something else would do any
> differently. At most you’ve made some vague statements about using AI
> but nowhere explained why feeding information about failed logins into a
> statistical model would need a new secure remote login protocol. You
> could do it perfectly well with the log tailing strategy that fail2ban
> and its workalikes use.
> 
Another way of saying in your inimitable conciseness, what I said.
1/. It's more than good enough, especially with wrappers
2/. It's hard to see how any hypothetical vulnerabilities would be fixed 
by a rewrite.

In short the whole suggestion reeks of *creeping featurism*, the weed of 
desire to change something that works perfectly well, simply because it 
hasn't been made shiny enough, complicated enough, or sufficiently 
bug-filled, and you want to be noticed as a programmer.

You are Lennart Poettering, and I claim my $50m


-- 
To ban Christmas, simply give turkeys the vote.



#36583

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-20 22:57 -0500
Message-ID: <1OScneuhteONGT_-nZ2dnZfqnPGdnZ2d@earthlink.com>
In reply to: #36558

On 12/19/22 5:05 AM, Richard Kettlewell wrote:
> "26C.Z969" <26C.Z969@noaada.net> writes:
>> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>>> He just likes 'new shiny thing, make everything better'
>>> Creeping featurism as a substitute for genuine progress.
>>
>>    Ain't gonna be any "genuine progress" using today's
>>    SSH.
>>
>>    All I did here was ASK A QUESTION ... "Is SSH good
>>    enough anymore ?".
> 
> Well, no, you said it needed to be replaced with something else,

   I suggested that as the "cleanest" option - not like
   I'm in a position to DEMAND anything. And no, I'm
   not the guy to spend the next five years writing a
   replacement .......

> but
> then completely failed to explain what that something else would do any
> differently. At most you’ve made some vague statements about using AI
> but nowhere explained why feeding information about failed logins into a
> statistical model would need a new secure remote login protocol. You
> could do it perfectly well with the log tailing strategy that fail2ban
> and its workalikes use.

   I explained what I saw as weaknesses quite well, IMHO.

   And the standard answer was "Hook more external utilities
   to it", which equals A MESS.

   How about something you DON'T have to hook lots of
   external utilities into ?

   The other angle was in *detecting* attacks and doing
   smart things if those are found. HUMANS can spot them
   pretty damned easily just by looking at a log file
   or two - but not PCs. "AI" pattern-detection seems
   to be the modern answer.



#36584

From: Richard Kettlewell <invalid@invalid.invalid>
Date: 2022-12-21 09:35 +0000
Message-ID: <wwvbknx9k0c.fsf@LkoBDZeT.terraraq.uk>
In reply to: #36583

"26C.Z969" <26C.Z969@noaada.net> writes:
> On 12/19/22 5:05 AM, Richard Kettlewell wrote:
>> "26C.Z969" <26C.Z969@noaada.net> writes:
>>> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>>>> He just likes 'new shiny thing, make everything better'
>>>> Creeping featurism as a substitute for genuine progress.
>>>
>>>    Ain't gonna be any "genuine progress" using today's
>>>    SSH.
>>>
>>>    All I did here was ASK A QUESTION ... "Is SSH good
>>>    enough anymore ?".
>> Well, no, you said it needed to be replaced with something else,
>
> I suggested that as the "cleanest" option - not like I'm in a position
> to DEMAND anything. And no, I'm not the guy to spend the next five
> years writing a replacement .......

It’s a ridiculous option, given your apparent requirements. Nothing
about the SSH protocol stops you treating scans/probes in any way you
like. Replacing it would be a large amount of pointless work unrelated
to your goals, and sacrifice the interoperability we currently have with
SSH.

>> but then completely failed to explain what that something else would
>> do any differently. At most you’ve made some vague statements about
>> using AI but nowhere explained why feeding information about failed
>> logins into a statistical model would need a new secure remote login
>> protocol. You could do it perfectly well with the log tailing
>> strategy that fail2ban and its workalikes use.
>
> I explained what I saw as weaknesses quite well, IMHO.

The quality of your explanation is measured by how well the audience
understand it, not your opinion.

> And the standard answer was "Hook more external utilities
> to it", which equals A MESS.
>
> How about something you DON'T have to hook lots of
> external utilities into ?

You (or someone) can write an SSH server with any feature set you like,
if time and effort are available, and people do. Some start from OpenSSH
and others start from scratch. But that’s not replacing SSH as you asked
for, that’s just a new server; you’ve said nothing that explains why SSH
is the problem you care about rather than any particular server
implementation. (If there’s really something you don’t like about the
SSH protocol then an RFC reference would make it clearer.)

But since the scanning we’re talking about happens with many other
protocols (e.g. HTTP, IMAP, SMTP) it’d be a bizarre choice to build your
scanner management tools into the server implementation; it prevents
re-use of the work in related contexts. As we’ve already discussed, a
common thing to do is share address reputation information (with DNSBLs
etc) and to do that, you’re definitely going to have external
interfaces, whether you like them or not.

The tight integration you’re asking for also makes it harder for the
different concerns to evolve independently. ECDHC key exchange and
statistical models of attacker behavior are rather different domains and
there’s no inherent reason the people who are good at each should have
to be brought into the same project, work to the same timelines, etc.

> The other angle was in *detecting* attacks and doing smart things if
> those are found. HUMANS can spot them pretty damned easily just by
> looking at a log file or two - but not PCs. "AI" pattern-detection
> seems to be the modern answer.

If you want to do that then nothing about SSH or its implementations is
stopping you. Maybe the lack of an AI model that does what you want is
stopping you or maybe just your own arbitrary constraint about not using
a component model is stopping you, but replacing SSH won’t get you any
closer to your goal.

-- 
https://www.greenend.org.uk/rjk/



#36594

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-24 21:29 -0500
Message-ID: <suGdnXxUDdcSKDr-nZ2dnZfqn_GdnZ2d@earthlink.com>
In reply to: #36584

Nevermind, I will just write my own.



#36617

From: Richard Kettlewell <invalid@invalid.invalid>
Date: 2022-12-28 09:06 +0000
Message-ID: <wwvfsczyk0l.fsf@LkoBDZeT.terraraq.uk>
In reply to: #36594

"26C.Z969" <26C.Z969@noaada.net> writes:
> Nevermind, I will just write my own.

Perhaps you can explain how it will differ from SSH. To make it a
concrete question: how will the key exchange process differ?

-- 
https://www.greenend.org.uk/rjk/



#36561

From: The Natural Philosopher <tnp@invalid.invalid>
Date: 2022-12-19 11:18 +0000
Message-ID: <tnphab$8h2u$5@dont-email.me>
In reply to: #36550

On 19/12/2022 01:57, 26C.Z969 wrote:
> On 12/18/22 7:02 AM, The Natural Philosopher wrote:
>> On 18/12/2022 11:16, Richard Kettlewell wrote:
>>> "Carlos E. R." <robin_listas@es.invalid> writes:
>>>> On 17/12/2022 15.25, Rich wrote:
>>>>> Please detail what your proposed 'smarter' ssh would do given this
>>>>> situation.
>>>>> And, while you are at it, please explain why this should be an
>>>>> activity
>>>>> that ssh concerns itself with (thereby adding significant complexity)
>>>>> as opposed to this being a network monitoring layer, separate from 
>>>>> ssh,
>>>>> that monitors and remediates things on behalf of ssh and any other
>>>>> services.
>>>>
>>>> Monitoring logs is a kludge.
>>>
>>> If you want SSH to block attackers directly that would be a fairly
>>> simple change to an SSH server. Designing a new secure remote login
>>> protocol just for that would be a bizarre choice.
>>>
>>> Personally I think the current architecture is a good example of
>>> decoupling.
>>>
>>> I can see a better argument for using PAM to trigger the blocking
>>> (perhaps already possible with pam_exec). That would (in principle)
>>> allow for uniform reporting from SSH, mosh, RDP, etc. Again, though, it
>>> wouldn’t justify the OP’s requirement for a completely new protocol,
>>> which still seems to lack any coherent motivation.
>>>
>> He just likes 'new shiny thing, make everything better'
>> Creeping featurism as a substitute for genuine progress.
> 
> 
>    Ain't gonna be any "genuine progress" using today's
>    SSH.
> 
No progress is needed

>    All I did here was ASK A QUESTION ... "Is SSH good
>    enough anymore ?".
> 
Yes, it's well good enough, especially when wrapped with port knockers or 
fail2ban or a VPN

>    And I still don't think so.

You are entitled to your lone opinion
> 
>    World's changed. Change with it or be eaten.
> 
World hasn't changed. Just a fresh crop of bright eyed bushy tailed know 
it all ignoramuses who think they are the first people to think of anything.

>    There are MUCH better programmers out there than
>    myself 

Gosh. No kidding

>   with a LOT more nuanced experience dealing
>    with net security problems. Time for some of them
>    to cast an eye on this. Sure, I can break out the
>    'C' compiler and write an internet service BUT
>    there are so many facets to writing a "better SSH"
>    that'll cope with all the challenges ... I just
>    ain't the guy. This will take a little "AI" and
>    that's not my strong suit.
> 
>    Even the stupidest, brute force, distributed attack
>    amounts to "denial of service". All yer password
>    and port-knocking trix won't help much there. Not
>    entirely sure if that can be dealt with ON *YOUR* BOX,
>    but maybe. I'm hoping distributed attacks show a
>    *pattern* that 'AI' can recognize and filter ... and
>    pass "likely-abused IP addresses" to an online DB in
>    the same fashion as e-mail blacklists. That's IQ
>    which grows.

Silly boy. All traffic is a potential denial of service. Move a firewall 
off your linux to your boundary router and it still takes up bandwidth 
*to* the router.
Unless you move your filter to your ISP, any personal, or small business 
link can be flooded by a DDOS attack whether you have blocked the 
source IP or not. Or have anything listening to its port destination. 
Rewriting ssh won't make any difference to any of that.

Older wiser people are concerned with doing risk cost benefit analysis 
and have more important things to do than wheel reinvention.

The reality, stripped of your rhetoric, is that ssh is configurable 
enough to only work for specific users at specific targets equipped with 
the right cryptokey.

The overhead to run it against attacks that are logged is much smaller 
than other issues, and does not result in any serious DOS.

Changing it would not improve the situation for a mass DDOS attack 
anyway, which would not be targeted at ssh anyway.

-- 
"And if the blind lead the blind, both shall fall into the ditch".

Gospel of St. Matthew 15:14


#36539

From: Marc Haber <mh+usenetspam1118@zugschl.us>
Date: 2022-12-18 14:21 +0100
Message-ID: <tnn44r$233i5$1@news1.tnib.de>
In reply to: #36528

"Carlos E. R." <robin_listas@es.invalid> wrote:
>Monitoring logs is a kludge.

Right, ssh and services should have hooks for that. Sadly, for ssh,
this is regularly bludgeoned down by upstream if requested.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


#36551

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-18 21:08 -0500
Message-ID: <vmadnX1UH6QTWgL-nZ2dnZfqnPGdnZ2d@earthlink.com>
In reply to: #36539

On 12/18/22 8:21 AM, Marc Haber wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote:
>> Monitoring logs is a kludge.
> 
> Right, ssh and services should have hooks for that. Sadly, for ssh,
> this is regularly bludgeoned down by upstream if requested.

   Ah, so you DO see a little of what I'm talking about ...

   And "hooks" are a kludge in and of themselves ... how
   about building what those hooks do INTO the SSH app
   in the first place, integrated ?

   I get the impression that distributed attacks kinda
   re-use a lot of the same IP addresses. They likely
   drift over a span of weeks or months but to be most
   effective they've gotta be relatively "unused" and
   "poorly monitored" addresses. This is where a little
   "AI" could be useful, SPOT the patterns, BLACKLIST
   those "likely evil" IPs in a dynamic fashion.


#36556

From: "David W. Hodgins" <dwhodgins@nomail.afraid.org>
Date: 2022-12-19 00:30 -0500
Message-ID: <op.1xer9a07a3w0dxdave@hodgins.homeip.net>
In reply to: #36551

On Sun, 18 Dec 2022 21:08:12 -0500, 26C.Z969 <26C.Z969@noaada.net> wrote:
<snip>
>    I get the impression that distributed attacks kinda
>    re-use a lot of the same IP addresses. They likely
>    drift over a span of weeks or months but to be most
>    effective they've gotta be relatively "unused" and
>    "poorly monitored" addresses. This is where a little
>    "AI" could be useful, SPOT the patterns, BLACKLIST
>    those "likely evil" IPs in a dynamic fashion.

Most of the systems used for ddos attacks are windows systems infected with
malware that allows the ddos operator to use them to launch the attacks. Some
are now linux systems, but most are windows. Each of the infected systems sends
only enough traffic not to make it obvious to the system's owner that their
system is infected, but there are so many infected systems the volume of
traffic can be massive.

Regards, Dave Hodgins


#36564

From: The Natural Philosopher <tnp@invalid.invalid>
Date: 2022-12-19 11:26 +0000
Message-ID: <tnphol$8h2u$7@dont-email.me>
In reply to: #36556

On 19/12/2022 05:30, David W. Hodgins wrote:
> On Sun, 18 Dec 2022 21:08:12 -0500, 26C.Z969 <26C.Z969@noaada.net> wrote:
> <snip>
>>    I get the impression that distributed attacks kinda
>>    re-use a lot of the same IP addresses. They likely
>>    drift over a span of weeks or months but to be most
>>    effective they've gotta be relatively "unused" and
>>    "poorly monitored" addresses. This is where a little
>>    "AI" could be useful, SPOT the patterns, BLACKLIST
>>    those "likely evil" IPs in a dynamic fashion.
> 
> Most of the systems used for ddos attacks are windows systems infected with
> malware that allows the ddos operator to use them to launch the attacks. 
> Some
> are now linux systems, but most are windows. Each of the infected 
> systems sends
> only enough traffic not to make it obvious to the system's owner that their
> system is infected, but there are so many infected systems the volume of
> traffic can be massive.
> 
> Regards, Dave Hodgins

And it doesn't need an sshd on the far end to be effective. In fact not 
responding to it won't change the denial.

-- 
Climate is what you expect but weather is what you get.
Mark Twain


#36574

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-19 22:17 -0500
Message-ID: <JzGdnWUT1rXetDz-nZ2dnZfqn_WdnZ2d@earthlink.com>
In reply to: #36564

On 12/19/22 6:26 AM, The Natural Philosopher wrote:
> On 19/12/2022 05:30, David W. Hodgins wrote:
>> On Sun, 18 Dec 2022 21:08:12 -0500, 26C.Z969 <26C.Z969@noaada.net> wrote:
>> <snip>
>>>    I get the impression that distributed attacks kinda
>>>    re-use a lot of the same IP addresses. They likely
>>>    drift over a span of weeks or months but to be most
>>>    effective they've gotta be relatively "unused" and
>>>    "poorly monitored" addresses. This is where a little
>>>    "AI" could be useful, SPOT the patterns, BLACKLIST
>>>    those "likely evil" IPs in a dynamic fashion.
>>
>> Most of the systems used for ddos attacks are windows systems infected 
>> with
>> malware that allows the ddos operator to use them to launch the 
>> attacks. Some
>> are now linux systems, but most are windows. Each of the infected 
>> systems sends
>> only enough traffic not to make it obvious to the system's owner that 
>> their
>> system is infected, but there are so many infected systems the volume of
>> traffic can be massive.
>>
>> Regards, Dave Hodgins
> 
> And it doesn't need an sshd on the far end to be effective. In fact not 
> responding to it won't change the denial.

   D.O.S. attacks CAN be a big, almost impossible,
   problem. You really can't deal with those at the
   afflicted end of the equation - the SOURCES need
   to be detected and blocked almost at the first node
   they use so they can't SEND anything.

   On the lucky side, while such attacks happen, they're
   not generally a problem of the "smaller users" - but
   giant corporate/govt instead ... things perps will
   feel it's WORTH burning their distributed resources
   doing. DOS is almost always "political" or "revenge",
   occasionally an attempt to swing markets/customer-bases.

   Alas DOS is only a small part of my overall concern
   here. We've got creaky old "simple" SSH. Sure, you
   can hook in a lot of other protective mechanisms
   but that's kludgy and amounts to the same degree
   of "bloat".

   A lot of us have written services that do pretty
   much the same things - and it doesn't take THAT
   much coding these days with all the wunnerful libraries.
   Thing is the security equation has changed considerably
   in the past decade or so, with distributed attack
   methods now the norm. Even the script kiddies can
   tap into bot-nets and command their own 'army'.
   There's only so much we can do at OUR end, but
   that doesn't mean we shouldn't do it.

   Got 10,000+ probes from ONE UK address recorded in
   my firewall log last night. They probed everything,
   TCP/UDP. I can block that address (well, a little
   range of them) with a few keystrokes. But when they
   come from 10,000 different IPs, 10,000 different
   directions .....

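The post above contrasts one address that is easy to block with failures arriving from thousands of addresses. As an added example (not part of the original post, and not code from any poster or existing tool), here is a separate log-watching component in Python that counts failed sshd logins per address, per network and per targeted account; the thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# OpenSSH "Failed password" syslog line, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def parse(lines):
    """Yield (user, address) per failed-password line; skip anything else."""
    for text in lines:
        m = FAILED.search(text)
        if not m:
            continue
        try:
            yield m["user"], ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field: ignore it rather than crash

def analyse(lines, per_ip=5, per_net=8, per_user=10):
    """Report sources that trip each threshold (thresholds are assumptions)."""
    hits = Counter()                 # failures per single address
    net_srcs = defaultdict(set)      # distinct addresses per /24 (IPv6: /64)
    user_srcs = defaultdict(set)     # distinct addresses per targeted account
    for user, ip in parse(lines):
        hits[ip] += 1
        prefix = 24 if ip.version == 4 else 64
        net_srcs[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
        user_srcs[user].add(ip)
    return {
        "ips": sorted(str(i) for i, n in hits.items() if n >= per_ip),
        "nets": sorted(str(n) for n, s in net_srcs.items() if len(s) >= per_net),
        "users": sorted(u for u, s in user_srcs.items() if len(s) >= per_user),
    }

def line(user, ip, invalid=False):
    """Build one constructed log line (documentation address ranges only)."""
    who = f"invalid user {user}" if invalid else user
    return (f"Dec 19 03:10:01 host sshd[4242]: Failed password for {who} "
            f"from {ip} port 50000 ssh2")

# Constructed sample, not taken from any real log.
SAMPLE = (
    [line("admin", "198.51.100.7", invalid=True)] * 6           # one noisy address
    + [line("root", f"203.0.113.{i}") for i in range(1, 10)]    # 9 hosts, one /24
    + [line("deploy", f"2001:db8:{i:x}::1") for i in range(1, 13)]  # 12 networks
    + ["Dec 19 03:10:02 host sshd[4243]: Accepted publickey for alice "
       "from 192.0.2.10 port 50001 ssh2"]                       # not a failure
)

if __name__ == "__main__":
    for kind, found in analyse(SAMPLE).items():
        print(kind, found)
```

On the sample, only 198.51.100.7 trips the per-address rule; the nine-host /24 and the account probed from twelve different networks show up only in the aggregate views.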

#36572

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-19 21:40 -0500
Message-ID: <w0CdnTtRz58OvTz-nZ2dnZfqn_ednZ2d@earthlink.com>
In reply to: #36556

On 12/19/22 12:30 AM, David W. Hodgins wrote:
> On Sun, 18 Dec 2022 21:08:12 -0500, 26C.Z969 <26C.Z969@noaada.net> wrote:
> <snip>
>>    I get the impression that distributed attacks kinda
>>    re-use a lot of the same IP addresses. They likely
>>    drift over a span of weeks or months but to be most
>>    effective they've gotta be relatively "unused" and
>>    "poorly monitored" addresses. This is where a little
>>    "AI" could be useful, SPOT the patterns, BLACKLIST
>>    those "likely evil" IPs in a dynamic fashion.
> 
> Most of the systems used for ddos attacks are windows systems infected with
> malware that allows the ddos operator to use them to launch the attacks. 
> Some
> are now linux systems, but most are windows. Each of the infected 
> systems sends
> only enough traffic not to make it obvious to the system's owner that their
> system is infected, but there are so many infected systems the volume of
> traffic can be massive.

   You are largely correct, but I've looked at these
   attacks before, tried to track-down the sources.
   Rather a lot of the addresses used are not "legit",
   and "active" - but come from the unused pool and/or
   from nations and 2nd/3rd-world corps that have been
   allocated addresses but hardly use any of them
   (especially Pacific islands).

   With Linux/Unix you can pretend to be any IP you want,
   any MAC address you want. Do-able in Winders too of
   course, but not quite so transparently. Winders still
   makes the better bots IMHO, so many utterly oblivious
   potential hosts. The phone OS's may be largely based
   on Linux/Unix but 99.999% of the users are the same
   oblivious ones who also own Winders PCs.

   So yes, they may (lightly) use thousands of Winders
   PCs, but I think they try to preserve the anonymity
   of those PCs just a bit too - so they can be a
   continuing resource instead of simply, easily, blocked.


#36565

From: "Carlos E. R." <robin_listas@es.invalid>
Date: 2022-12-19 12:27 +0100
Message-ID: <k0b04tFt2nqU2@mid.individual.net>
In reply to: #36551

On 19/12/2022 03.08, 26C.Z969 wrote:
> On 12/18/22 8:21 AM, Marc Haber wrote:
>> "Carlos E. R." <robin_listas@es.invalid> wrote:
>>> Monitoring logs is a kludge.
>>
>> Right, ssh and services should have hooks for that. Sadly, for ssh,
>> this is regularly bludgeoned down by upstream if requested.
> 
>    Ah, so you DO see a little of what I'm talking about ...
> 
>    And "hooks" are a kludge in and of themselves ... how
>    about building what those hooks do INTO the SSH app
>    in the first place, integrated ?

Because that adds bloat, and makes sshd more difficult to analyze and 
maintain. More failure points.

Keep to the unix principle of small programs that do some task well.

-- 
Cheers,
        Carlos E.R.


#36573

From: "26C.Z969" <26C.Z969@noaada.net>
Date: 2022-12-19 21:46 -0500
Message-ID: <XJWcnenXbbS2vzz-nZ2dnZfqn_SdnZ2d@earthlink.com>
In reply to: #36565

On 12/19/22 6:27 AM, Carlos E. R. wrote:
> On 19/12/2022 03.08, 26C.Z969 wrote:
>> On 12/18/22 8:21 AM, Marc Haber wrote:
>>> "Carlos E. R." <robin_listas@es.invalid> wrote:
>>>> Monitoring logs is a kludge.
>>>
>>> Right, ssh and services should have hooks for that. Sadly, for ssh,
>>> this is regularly bludgeoned down by upstream if requested.
>>
>>    Ah, so you DO see a little of what I'm talking about ...
>>
>>    And "hooks" are a kludge in and of themselves ... how
>>    about building what those hooks do INTO the SSH app
>>    in the first place, integrated ?
> 
> Because that adds bloat, and makes sshd more difficult to analyze and 
> maintain. More failure points.

   Doesn't matter where "bloat" comes from - ONE app or
   half a dozen others you hook to. Same rolly-polly,
   just not so neat.

> Keep to the unix principle of small programs that do some task well.

   But what's "well" - today ?

   Good ole' SSH was "well" a decade+ ago, but things
   have changed radically on the security front since.
