ssh security

Jeff Vian jvian10 at charter.net
Wed Jan 4 00:47:03 UTC 2006


On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
> On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
> > Jeff Vian wrote:
> > > http://www.csc.liv.ac.uk/~greg/sshdfilter/
> > > 
> > > I use it on several servers and it works really well to detect and block
> > > attacks.
> > > With it an attempt to login with an unknown account gets instantly
> > > blocked, and with a known account (root or some other user) they only
> > > get 6 attempts before it is blocked.
> 
> > That sounds worthwhile for a computer that only has SSH open to the
> > network.
> 
> > However, do be aware that this can confirm to attackers that an account
> > is "valid", which could be useful knowledge in other attacks.
> 
> 	Agreed!  That, in and of itself, is a security hole!  It can reveal, to
> unauthenticated connections, what are valid accounts and what are not.
> I've published security advisories on just those sorts of "information
> disclosure" vulnerabilities.  It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account.  Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no.  I would have to consider that sshdfilter a security
> vulnerability, not a security tool.  Where this something in common
> distribution, it would probably end up being a featured subject on
> BugTraq or FullDisclosure.  :-/
> 
If this system had many user accounts I would worry about that.
However, the only valid accounts that are ever hit are the standard
system accounts (and over 99.9% are root, which does not get ssh access
anyway).

Besides, a script kiddie (or even a determined attacker) will give up
quickly if the passwords are strong and they only get 6 tries in every 3
days (or longer).

I acknowledge the flaws, but it is better than leaving ssh open for
repeated attempts by the script kiddies.




> > Hope this helps,
> 
> > James.
> > -- 
> > E-mail address: james | Say it with flowers, send a triffid.
> > @westexe.demon.co.uk  | 
> 
> 	Mike
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
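Mike's point above (same error message for unknown account and wrong password, same amount of work so timing does not differ) and Jeff's "6 tries in every 3 days" budget, as an added example that is not part of this thread and is not sshdfilter's code. The credential store, the usernames, the source addresses and the PBKDF2 parameters are constructed for illustration; the "leaky" responder is there only to show the behaviour being criticised next to a uniform one.

```python
import hashlib
import hmac
from collections import defaultdict


def _hash(password, salt):
    # PBKDF2 so that each check costs a fixed, noticeable amount of work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample credential store: username -> (salt, derived key).
_SALT = b"constructed-salt-value"
USERS = {
    "alice": (_SALT, _hash("correct horse battery staple", _SALT)),
}
# Dummy entry: unknown accounts are checked against this so the work done
# (and therefore the response time) is the same as for a real account.
DUMMY = (_SALT, _hash("unused-dummy-password", _SALT))


def login_leaky(username, password):
    """The behaviour the thread criticises: a distinct message for an unknown
    account, returned before any hashing, so both message and timing leak
    whether the account exists."""
    if username not in USERS:
        return "no such user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"


def login_uniform(username, password):
    """Same message and same hashing work whether or not the account exists."""
    known = username in USERS
    salt, stored = USERS.get(username, DUMMY)
    # Bitwise & instead of `and` so the account check is not short-circuited;
    # compare_digest is constant-time with respect to the digest contents.
    valid = hmac.compare_digest(_hash(password, salt), stored) & known
    return "ok" if valid else "authentication failed"


class FailureTracker:
    """Per-source failure budget applied identically to every attempt, so the
    block/unblock behaviour itself cannot be used to tell valid accounts from
    invalid ones. Defaults mirror the 6 tries per 3 days mentioned above."""

    def __init__(self, max_failures=6, window=3 * 24 * 3600):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)   # source -> failure timestamps
        self.blocked_until = {}             # source -> unblock time

    def is_blocked(self, source, now):
        return self.blocked_until.get(source, 0) > now

    def record(self, source, success, now):
        """Record the outcome; return True if this failure triggered a block."""
        if success:
            return False
        recent = [t for t in self.failures[source] if now - t < self.window]
        recent.append(now)
        self.failures[source] = recent
        if len(recent) >= self.max_failures:
            self.blocked_until[source] = now + self.window
            return True
        return False


def handle_attempt(tracker, source, username, password, now):
    """One login attempt from `source` at time `now` (seconds)."""
    if tracker.is_blocked(source, now):
        return "blocked"
    result = login_uniform(username, password)
    tracker.record(source, result == "ok", now)
    return result
```

The difference to watch for is in `login_leaky`: an unknown account returns immediately with its own message, while a known account costs a full PBKDF2 computation before "wrong password" comes back. `login_uniform` always does the hash and always answers "authentication failed", and `FailureTracker` counts that failure the same way for "alice" and for a name that does not exist.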