[ale] Ale Digest, Vol 35, Issue 83
Matthew
simontek at gmail.com
Fri Dec 24 13:08:14 EST 2010
Hell, start by changing your ssh port, that cuts down everything Heavily.
On Fri, Dec 24, 2010 at 12:00 PM, <ale-request at ale.org> wrote:
> Send Ale mailing list submissions to
> ale at ale.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mail.ale.org/mailman/listinfo/ale
> or, via email, send a message with subject or body 'help' to
> ale-request at ale.org
>
> You can reach the person managing the list at
> ale-owner at ale.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Ale digest..."
>
>
> Today's Topics:
>
> 1. Re: any suggestions on an automated method for blocking
> repeated failed ssh login attempts? (Michael H. Warfield)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 24 Dec 2010 11:29:46 -0500
> From: "Michael H. Warfield" <mhw at WittsEnd.com>
> Subject: Re: [ale] any suggestions on an automated method for blocking
> repeated failed ssh login attempts?
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Cc: mhw at WittsEnd.com, Jim Kinney <jim.kinney at gmail.com>
> Message-ID: <1293208186.4614.137.camel at canyon.wittsend.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Fri, 2010-12-24 at 10:52 -0500, Michael H. Warfield wrote:
> > On Fri, 2010-12-24 at 08:41 -0500, Jim Kinney wrote:
>
> : snip
>
> > > Ah ha! CAC. I've seen this acronym around. crypto-access-card maybe. I
> will
> > > start the push for more info on those and some details on usage.
>
> > That's it.
>
> > Also, after reflecting on it over night, since you seem mostly concerned
> > with Windows users. If you/they are really paranoid you might consider
> > IronKey.
>
> > https://www.ironkey.com/
>
> > The keys are encrypted and hardware cryptographically locked. The user
> > has to enter a PIN and then the USB side of the key can be accessed just
> > like a regular USB key, albeit a rather pricey USB key. That much
> > actually works in Linux. The entire crypto engine may be accessed over
> > a pkcs11 API interface in Windows, so anything that can talk to a
> > smart-card can use this key as a crypto engine, but they don't have
> > those drivers for Linux last I looked. With that interface, you can
> > generate or store a limited number of private keys for PGP, SSH, or
> > X.509 certificates. The private key, once stored on the IronKey, can
> > never be extracted from the IronKey. It can only be used by the crypto
> > engine on the ironkey itself. So it's a CSD (Crypto Storage Device) and
> > hardware crypto engine. They claim it's tamper proof and will destroy
> > the contents if tampered with. The enterprise version even allows
> > remote locking and destruction of the key in case of loss or theft.
>
> > They were eliminated from consideration purely due to the lack of the
> > pkcs11 API interface and drivers on Linux and we have an explicit
> > requirement for solution parity. Other than that, they looked pretty
> > impressive. Cost wise, the personal edition is (or was) about on parity
> > with a pair of good usb memory key and a good smart card style usb
> > crypto key. In the later case, though, you don't have the hardware
> > encryption on the USB key or the crypto locking.
>
> I may have to go back and reexamine these. For the basic key, at least,
> it now looks to be feature complete across Windows, Linux, and Mac OS X.
> That would be a really good thing. The "Personal" key has a few more
> Windows only features such as web browsing security that I don't think
> that significant (Basic and Personal seem to be the same price). The
> Enterprise version is a horse of a different color and I can't really
> tell. Looks like they also have a newer D200 series that gives you
> twice the memory at slightly reduced speeds at the same price. The
> price is right in the ball park for a good crypto key. $79 USD for a 2G
> D200 key and goes up from there to $269 for a 32G key all supporting
> 2048 bit RSA. That would be a little pricier but still a viable
> alternative to the OpenPGP keys that are being discussed in another
> thread on this list and I don't believe those key have any storage on
> them other than the crypto key store itself. I don't know how big the
> crypto store on these are though. Most of the time it's only like 32KB
> or 64KB for the key storage itself. I couldn't find that in the spec.
> I may have to buy one just to play with the crypto under Linux.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of
> all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 482 bytes
> Desc: This is a digitally signed message part
> Url :
> http://mail.ale.org/pipermail/ale/attachments/20101224/f7b35128/attachment-0001.bin
>
> ------------------------------
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>
> End of Ale Digest, Vol 35, Issue 83
> ***********************************
>
--
SimonTek
404-585-1308
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20101224/676143cd/attachment.html
More information about the Ale
mailing list