ssh security
Jeff Vian
jvian10 at charter.net
Wed Jan 4 00:47:03 UTC 2006
On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
> On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
> > Jeff Vian wrote:
> > > http://www.csc.liv.ac.uk/~greg/sshdfilter/
> > >
> > > I use it on several servers and it works really well to detect and block
> > > attacks.
> > > With it an attempt to login with an unknown account gets instantly
> > > blocked, and with a known account (root or some other user) they only
> > > get 6 attempts before it is blocked.
>
> > That sounds worthwhile for a computer that only has SSH open to the
> > network.
>
> > However, do be aware that this can confirm to attackers that an account
> > is "valid", which could be useful knowledge in other attacks.
>
> Agreed! That, in and of itself, is a security hole! It can reveal, to
> unauthenticated connections, what are valid accounts and what are not.
> I've published security advisories on just those sorts of "information
> disclosure" vulnerabilities. It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account. Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no. I would have to consider that sshdfilter a security
> vulnerability, not a security tool. Were this something in common
> distribution, it would probably end up being a featured subject on
> BugTraq or FullDisclosure. :-/
>
If this system had many user accounts I would worry about that.
However, the only valid accounts that are ever hit are the standard
system accounts (and over 99.9% are root, which does not get ssh access
anyway).
Besides, a script kiddie (or even a determined attacker) will give up
quickly if the passwords are strong and they only get 6 tries in every 3
days (or longer).
I acknowledge the flaws, but it is better than leaving ssh open for
repeated attempts by the script kiddies.
> > Hope this helps,
>
> > James.
> > --
> > E-mail address: james | Say it with flowers, send a triffid.
> > @westexe.demon.co.uk |
>
> Mike
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
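A defender-side illustration of the account-disclosure point raised above, added here and not part of the thread or of sshdfilter itself: it replays constructed sshd "Failed password" log lines through two blocking policies, the differential one the thread attributes to sshdfilter (instant block for an unknown account, six tries for a known one) and a uniform one, and reports how many failures each source address got before being blocked. The log lines, addresses and the `attempts_before_block` helper are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines in OpenSSH's "Failed password" format
# (not taken from the thread). 198.51.100.7 probes a non-existent account,
# 198.51.100.9 probes the existing "root" account, six attempts each.
SAMPLE_LOG = [
    f"Jan  3 11:2{i}:00 host sshd[41{i}0]: Failed password for invalid user oracle "
    f"from 198.51.100.7 port 4010{i} ssh2" for i in range(6)
] + [
    f"Jan  3 11:3{i}:00 host sshd[42{i}0]: Failed password for root "
    f"from 198.51.100.9 port 4020{i} ssh2" for i in range(6)
]

# OpenSSH marks failures against non-existent accounts with "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def attempts_before_block(lines, policy, limit=6):
    """Replay log lines; return {ip: failures observed before that ip was blocked}.

    policy="differential": block on the first failure for an unknown account,
    after `limit` failures for a known one (the behaviour described in the thread).
    policy="uniform": the same `limit` for every account name, so the point at
    which a client gets blocked says nothing about whether the account exists.
    """
    fails = defaultdict(int)
    blocked = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in blocked:
            continue  # not a failure line, or source already blocked
        ip = m.group("ip")
        fails[ip] += 1
        unknown = m.group("invalid") is not None
        threshold = 1 if (policy == "differential" and unknown) else limit
        if fails[ip] >= threshold:
            blocked[ip] = fails[ip]
    return blocked

if __name__ == "__main__":
    # Differential: .7 blocked after 1, .9 after 6 -> the gap tells the probing
    # client which name is real. Uniform: both after 6 -> no such signal.
    print("differential:", attempts_before_block(SAMPLE_LOG, "differential"))
    print("uniform:     ", attempts_before_block(SAMPLE_LOG, "uniform"))
```

The uniform policy removes the block-count oracle only; as noted in the thread, response timing for unknown versus known accounts is a separate channel that the log-side filter cannot fix.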