Re: ssh security


 



On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
> Jeff Vian wrote:
> > http://www.csc.liv.ac.uk/~greg/sshdfilter/
> > 
> > I use it on several servers and it works really well to detect and block
> > attacks.
> > With it an attempt to login with an unknown account gets instantly
> > blocked, and with a known account (root or some other user) they only
> > get 6 attempts before it is blocked.

> That sounds worthwhile for a computer that only has SSH open to the
> network.

> However, do be aware that this can confirm to attackers that an account
> is "valid", which could be useful knowledge in other attacks.

	Agreed!  That, in and of itself, is a security hole!  It can reveal, to
unauthenticated connections, what are valid accounts and what are not.
I've published security advisories on just those sorts of "information
disclosure" vulnerabilities.  It's considered axiomatic that security
systems should NEVER disclose that level of information, even to the
point of not giving a different error (message or code) for invalid
password vs invalid account.  Even timing (responding too quickly if the
account doesn't exist compared to wrong password) is considered a
SERIOUS no-no.  I would have to consider that sshdfilter a security
vulnerability, not a security tool.  Were this something in common
distribution, it would probably end up being a featured subject on
BugTraq or FullDisclosure.  :-/

> Hope this helps,

> James.
> -- 
> E-mail address: james | Say it with flowers, send a triffid.
> @westexe.demon.co.uk  | 

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part
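
The point raised in the message above, as an added example that is not part of the original post and is not sshdfilter's code: a login check that gives unknown and known account names the same error text, the same hashing work, and the same failure limit before a source is blocked. The account store, the addresses and the names `login`, `attempts_until_block` and `MAX_FAILURES` are assumptions made up for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 6                    # one limit for every name, known or not
GENERIC_ERROR = "Permission denied" # one message for every failure

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

def _make_record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (assumption for this example).
USERS = {"alice": _make_record("correct horse")}
# Dummy record: unknown names are hashed against it so they cost the same work.
_DUMMY = _make_record("placeholder")

failures = defaultdict(int)         # failure count per source address

def login(source_ip, username, password):
    """Return (ok, message, blocked); nothing depends on whether the name exists."""
    if failures[source_ip] >= MAX_FAILURES:
        return False, GENERIC_ERROR, True
    known = username in USERS
    salt, stored = USERS[username] if known else _DUMMY
    # Always compute and compare a hash, then require the account to be real.
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and known:
        failures[source_ip] = 0
        return True, "ok", False
    failures[source_ip] += 1
    return False, GENERIC_ERROR, failures[source_ip] >= MAX_FAILURES

def attempts_until_block(source_ip, username):
    """Count wrong guesses from one source until it is blocked."""
    n = 0
    while True:
        n += 1
        _, _, blocked = login(source_ip, username, "wrong guess")
        if blocked:
            return n

if __name__ == "__main__":
    print(attempts_until_block("203.0.113.5", "alice"))       # known name
    print(attempts_until_block("203.0.113.6", "nosuchuser"))  # unknown name
```

Both calls report the same number of attempts, so the blocking behaviour no longer tells a remote client which names exist.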

