[CentOS] Failed attempts

Tue Nov 28 17:04:14 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Tue, November 28, 2017 9:21 am, Lamar Owen wrote:
> On 11/27/2017 02:02 PM, m.roth at 5-cent.us wrote:
>> Pete Biggs wrote:
>>>    - don't run ssh on 22, use a different port.
>> I consider that pointless security-through-obscurity.
> Security through obscurity it may be, but it isn't pointless. Tarpits
> are in a similar class; they don't help with security in the absolute
> sense, but they slow the attacker down, and that might be enough to
> prevent the attack from continuing.  (that is, put a tarpit on port 22
> and run the real ssh elsewhere!)  Any and all stumbling blocks you can
> put in the attacker's way, whether they're 'real' security or not, are
> worth at least looking at and evaluating their usefulness.  Port
> knocking is an extreme form of security through obscurity, in reality,
> and falls into this class of tools. Likewise fail2ban; all it really
> does is slow down the attacker.
> No, obscurity-increasing tools will not stop the determined attacker,
> but, it is very true that these sorts of measures can and do increase
> the signal-to-noise ratio in your logs; what does get logged will likely
> be much more useful and indicative of a more determined attacker.
> Anything that substantially increases the log's signal to noise is
> useful and not pointless, in my opinion. Anything that slows down the
> attack is even more useful.
> I actually have training as a locksmith, with a specialty in
> masterkeying systems like rotating-constant and some obscure variations
> of RCM (this is one of the two masterkey systems explored in the
> infamous (in locksmith circles) paper "Cryptology and Physical Security:
> Rights Amplification in Master-Keyed Mechanical Locks" by Matt Blaze [1]
> In physical security all security is, in reality, through obscurity [3]
> (page 2, first paragraph): things like keeping the drill points secret
> (example: in a pin-tumbler lock, if you can drill the shear line, you
> are in; but what if you have extra pins and hidden shear lines?),
> keeping secret what materials are used for the hardplate and their
> interactions with commonly-available drill-bit materials [4], having a
> strategically placed and hidden tear gas vial [5], etc (all of this
> information is publicly available; I'm not spilling any real locksmith
> secrets here).
> The real key to effective physical security is not keeping the attacker
> out in an absolute, 'can't possibly break in' sense, but buying time for
> response to the attack; as the attack continues to eat time, the
> attacker will have increasing incentive to leave the premises.
> Now, if you want a real eye-opener about physical security, grab a copy
> of "OPEN IN THIRTY SECONDS" from Amazon [6].  That and the key
> reference, Marc Weber Tobias' LSS (Locks, Safes, and Security [7]) are
> fascinating (if expensive) reading and great resources for the sysadmin
> who wants to dig into what is really meant by a security mindset.
> [1]: http://www.crypto.com/papers/mk.pdf
> [2]: http://www.crypto.com/masterkey.html
> [3]: http://www.crypto.com/papers/safelocks.pdf
> [4]: https://reassembler.wordpress.com/2008/02/04/drilling-into-a-modern-safe/
> [5]: http://www.lockpicking101.com/viewtopic.php?f=8&t=16891
> [6]: https://www.amazon.com/OPEN-THIRTY-SECONDS-Cracking-America/dp/0975947923
> [7]: https://www.amazon.com/Locks-Safes-Security-International-Reference/dp/0398070792

Thanks, Lamar! That is very instructive.

Physical security [of the machine] was the first point in the security list,
which we often fail to mention.

I like the [physical] lock intro you gave. I was always unimpressed with
the persistence of attempts to make more secure (less pickable) cylinder cased
locks (precision, multi-level, pins at weird locations/angles). Whereas
there exists a "disk based design" (should I say Abloy?), which with my
knowledge of mechanics I cannot figure out a way to pick. So I consider
them un-pickable. Why aren't they widely used [in US]? Because there may
be a reason for the powers that be to have locks everywhere pickable. On
the other hand, I do not have Abloy locks, as they do keep records that
link my particular lock to the key that opens it. So, there is a viable vector
of attack ;-)


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247