[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Jim Kinney jim.kinney at gmail.com
Tue Dec 28 11:59:38 EST 2010


On Tue, Dec 28, 2010 at 11:03 AM, Michael H. Warfield <mhw at wittsend.com> wrote:

>
>
> Another example of a SmartCard like device that is present in many of
> our laptops is the TPM (Trusted Processing Module) chip.  Under Linux,
> this is managed by the Trousers package and utilities and includes a
> PKCS11 interface.  You can store RSA keys for various things in the TPM
> module using Trousers along with the Mozilla NSS subsystem.  Some people
> don't like enabling the TPM module out of objection to its original
> stated purposes of enabling hardware DRM and system tracking but nobody
> has deployed any TPM based hardware DRM to date and why waste a
> perfectly good RSA crypto engine already present in your system?
>
>
One of my co-workers went to a tpm workshop and gave us a presentation on
what he learned. TPM capabilities, while they are defeatable, are a huge
step forward in trusting the actual hardware/software combo the system is
running on. It is possible to craft a configuration that will ONLY work with
all of the designed pieces intact and no extras inserted. This means a
known-good kernel, bios, cpu, ram, hard drive, empty optical drive, etc are
all required before the hard drive is unlocked. If anything is different,
after a certain number of attempts the drive unlock key is burned as well as
the bios. Thus the laptop is useless without a cleanroom to pull apart the
hard drive. Make it an SSD and it gets much harder to extract info from the
drive with a burned-out unlock key.

We played a thought game that involved a custom Linux BIOS and concluded we
could possibly bypass the BIOS lock if we knew what the reported checksum on
the BIOS config was supposed to be.
-- 
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
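The sealed-key scheme Jim describes (a disk key released only when BIOS, kernel and drive measure as expected, an attempt counter that destroys the key, and the "report the expected checksum" bypass from the thought game) can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the thread, from TrouSerS or from any TPM: it simulates TPM 1.2-style PCR extension and sealing in plain Python. The PCR numbers, component strings, the three-attempt limit and the SHA-256 keystream standing in for SRK wrapping are all illustrative assumptions.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Toy model of measured boot plus sealing, added as an illustration. Not the
# TPM specification, TrouSerS or tpm-tools; the constants below are assumed.
PCR_BIOS, PCR_KERNEL, PCR_DRIVE = 0, 4, 8   # assumed PCR assignments
MAX_FAILED_UNSEALS = 3                      # assumed "burn the key" threshold


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class ToyTPM:
    """PCR bank plus a chip-bound root secret that never leaves the object."""

    def __init__(self, n_pcrs: int = 24) -> None:
        self.n_pcrs = n_pcrs
        self.reset()
        self._root_key: Optional[bytes] = os.urandom(32)  # models the SRK
        self.failed_unseals = 0

    def reset(self) -> None:
        """Power-on: every PCR back to all-zero."""
        self.pcrs: List[bytes] = [b"\x00" * 20] * self.n_pcrs

    def extend(self, idx: int, digest: bytes) -> None:
        """TPM_Extend: PCR[idx] = SHA-1(PCR[idx] || digest). The chip hashes
        whatever digest it is handed; it cannot check that the digest was
        really computed over the code that is about to run."""
        self.pcrs[idx] = sha1(self.pcrs[idx] + digest)

    def measure(self, idx: int, component: bytes) -> None:
        """Honest caller: hash the component itself, then extend."""
        self.extend(idx, sha1(component))

    def composite(self, selection: List[int]) -> bytes:
        """Hash over the selected PCRs (like a composite hash)."""
        return sha1(b"".join(self.pcrs[i] for i in selection))

    def _wrap_key(self, composite: bytes) -> bytes:
        assert self._root_key is not None
        return hashlib.sha256(self._root_key + composite).digest()

    def seal(self, secret: bytes, selection: List[int]) -> Dict:
        """Bind a 32-byte secret to the current PCR values of this chip."""
        if self._root_key is None:
            raise RuntimeError("TPM root key destroyed")
        comp = self.composite(selection)
        ct = bytes(a ^ b for a, b in zip(secret, self._wrap_key(comp)))
        return {"selection": selection, "composite": comp, "ct": ct}

    def unseal(self, blob: Dict) -> Optional[bytes]:
        """Release the secret only if PCRs match; burn the key after N misses."""
        if self._root_key is None:
            return None                                  # already burned
        if self.composite(blob["selection"]) != blob["composite"]:
            self.failed_unseals += 1
            if self.failed_unseals >= MAX_FAILED_UNSEALS:
                self._root_key = None                    # "burn" the unlock key
            return None
        return bytes(a ^ b for a, b in zip(blob["ct"], self._wrap_key(blob["composite"])))


# Constructed stand-ins for the firmware image, kernel image and drive identity.
GOOD_BIOS, GOOD_KERNEL, GOOD_DRIVE = b"bios-v1.02", b"vmlinuz-2.6.36", b"sn:ABC123"
DISK_KEY = b"\x11" * 32
SELECTION = [PCR_BIOS, PCR_KERNEL, PCR_DRIVE]


def provision() -> Tuple[ToyTPM, Dict]:
    """Measure the known-good configuration once and seal the disk key to it."""
    tpm = ToyTPM()
    boot(tpm, None, GOOD_BIOS, GOOD_KERNEL, GOOD_DRIVE)
    return tpm, tpm.seal(DISK_KEY, SELECTION)


def boot(tpm: ToyTPM, blob: Optional[Dict], bios: bytes, kernel: bytes,
         drive: bytes) -> Optional[bytes]:
    """Power on, measure each component in boot order, then try to unlock."""
    tpm.reset()
    tpm.measure(PCR_BIOS, bios)
    tpm.measure(PCR_KERNEL, kernel)
    tpm.measure(PCR_DRIVE, drive)
    return tpm.unseal(blob) if blob is not None else None


def scenario_results() -> Dict[str, object]:
    """Run the cases from the post and return what each one yields."""
    tpm, blob = provision()
    out: Dict[str, object] = {}
    out["good_boot"] = boot(tpm, blob, GOOD_BIOS, GOOD_KERNEL, GOOD_DRIVE) == DISK_KEY
    out["modified_kernel"] = boot(tpm, blob, GOOD_BIOS, b"vmlinuz-evil", GOOD_DRIVE)
    boot(tpm, blob, b"bios-evil", GOOD_KERNEL, GOOD_DRIVE)    # miss 2
    boot(tpm, blob, GOOD_BIOS, GOOD_KERNEL, b"sn:CLONE")      # miss 3: burned
    out["burned_after_threshold"] = tpm._root_key is None
    out["good_boot_after_burn"] = boot(tpm, blob, GOOD_BIOS, GOOD_KERNEL, GOOD_DRIVE)

    # The thought game: a custom BIOS that knows the expected digest extends
    # the PCR with that digest instead of measuring its own (modified) code.
    tpm2, blob2 = provision()
    tpm2.reset()
    tpm2.extend(PCR_BIOS, sha1(GOOD_BIOS))   # forged report from the bad BIOS
    tpm2.measure(PCR_KERNEL, GOOD_KERNEL)
    tpm2.measure(PCR_DRIVE, GOOD_DRIVE)
    out["forged_bios_digest"] = tpm2.unseal(blob2) == DISK_KEY
    return out
```

Running `scenario_results()` shows the four behaviours in the post: the genuine configuration unlocks, any changed component yields no key, three misses destroy the root key so that even the genuine configuration is then useless, and a BIOS that merely reports the expected digest unlocks the drive. That last case is the substance of the thought game: the TPM only hashes what it is handed, so the whole chain rests on the first measurement being made by code the attacker cannot replace.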