[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Michael H. Warfield mhw at WittsEnd.com
Fri Dec 24 11:29:46 EST 2010


On Fri, 2010-12-24 at 10:52 -0500, Michael H. Warfield wrote:
> On Fri, 2010-12-24 at 08:41 -0500, Jim Kinney wrote:

: snip

> > Ah ha! CAC. I've seen this acronym around. crypto-access-card maybe.  I will
> > start the push for more info on those and some details on usage.

> That's it.

> Also, after reflecting on it overnight, since you seem mostly concerned
> with Windows users: if you/they are really paranoid you might consider
> IronKey.

> https://www.ironkey.com/

> The keys are encrypted and hardware cryptographically locked.  The user
> has to enter a PIN and then the USB side of the key can be accessed just
> like a regular USB key, albeit a rather pricey USB key.  That much
> actually works in Linux.  The entire crypto engine may be accessed over
> a pkcs11 API interface in Windows, so anything that can talk to a
> smart-card can use this key as a crypto engine, but they don't have
> those drivers for Linux last I looked.  With that interface, you can
> generate or store a limited number of private keys for PGP, SSH, or
> X.509 certificates.  The private key, once stored on the IronKey, can
> never be extracted from the IronKey.  It can only be used by the crypto
> engine on the IronKey itself.  So it's a CSD (Crypto Storage Device) and
> hardware crypto engine.  They claim it's tamper proof and will destroy
> the contents if tampered with.  The enterprise version even allows
> remote locking and destruction of the key in case of loss or theft.

> They were eliminated from consideration purely due to the lack of the
> pkcs11 API interface and drivers on Linux and we have an explicit
> requirement for solution parity.  Other than that, they looked pretty
> impressive.  Cost wise, the personal edition is (or was) about on parity
> with the pair of a good USB memory key and a good smart card style USB
> crypto key.  In the latter case, though, you don't have the hardware
> encryption on the USB key or the crypto locking.

I may have to go back and reexamine these.  For the basic key, at least,
it now looks to be feature complete across Windows, Linux, and Mac OS X.
That would be a really good thing.  The "Personal" key has a few more
Windows only features such as web browsing security that I don't think
are that significant (Basic and Personal seem to be the same price).  The
Enterprise version is a horse of a different color and I can't really
tell.  Looks like they also have a newer D200 series that gives you
twice the memory at slightly reduced speeds at the same price.  The
price is right in the ball park for a good crypto key.  $79 USD for a 2G
D200 key and goes up from there to $269 for a 32G key all supporting
2048 bit RSA.  That would be a little pricier but still a viable
alternative to the OpenPGP keys that are being discussed in another
thread on this list, and I don't believe those keys have any storage on
them other than the crypto key store itself.  I don't know how big the
crypto store on these are though.  Most of the time it's only like 32KB
or 64KB for the key storage itself.  I couldn't find that in the spec.
I may have to buy one just to play with the crypto under Linux.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!