On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
> On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
> > Jeff Vian wrote:
> > > http://www.csc.liv.ac.uk/~greg/sshdfilter/
> > >
> > > I use it on several servers and it works really well to detect and block
> > > attacks.
> > > With it an attempt to login with an unknown account gets instantly
> > > blocked, and with a known account (root or some other user) they only
> > > get 6 attempts before it is blocked.
> >
> > That sounds worthwhile for a computer that only has SSH open to the
> > network.
> >
> > However, do be aware that this can confirm to attackers that an account
> > is "valid", which could be useful knowledge in other attacks.
>
> Agreed! That, in and of itself, is a security hole! It can reveal, to
> unauthenticated connections, what are valid accounts and what are not.
> I've published security advisories on just those sorts of "information
> disclosure" vulnerabilities. It's considered axiomatic that security
> systems should NEVER disclose that level of information, even to the
> point of not giving a different error (message or code) for invalid
> password vs invalid account. Even timing (responding too quickly if the
> account doesn't exist compared to wrong password) is considered a
> SERIOUS no-no. I would have to consider that sshdfilter a security
> vulnerability, not a security tool. Were this something in common
> distribution, it would probably end up being a featured subject on
> BugTraq or FullDisclosure. :-/
>

If this system had many user accounts I would worry about that.
However, the only valid accounts that are ever hit are the standard
system accounts (and over 99.9% are root, which does not get ssh access
anyway).

Besides, a script kiddie (or even a determined attacker) will give up
quickly if the passwords are strong and they only get 6 tries in every
3 days (or longer).

I acknowledge the flaws, but it is better than leaving ssh open for
repeated attempts by the script kiddies.

> > Hope this helps,
> >
> > James.
> >
> > --
> > E-mail address: james | Say it with flowers, send a triffid.
> > @westexe.demon.co.uk |
>
> Mike
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
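The information-disclosure point made above, replayed over constructed sshd log lines as an added example (not part of this thread and not sshdfilter's own code): the "leaky" policy is the behaviour the thread describes (block an unknown account on the first attempt, a known account after 6), and the "uniform" policy, the sample log lines and the IP addresses are assumptions of this example.

```python
import re

# Blocking thresholds per account kind, as the thread describes sshdfilter.
LEAKY_POLICY = {"unknown": 1, "known": 6}
# Assumed hardened policy: the limit is the same whether or not the account exists,
# so the moment the block kicks in tells an observer nothing about the account.
UNIFORM_POLICY = {"unknown": 6, "known": 6}

# sshd reports a failed attempt against a nonexistent account as
# "Failed password for invalid user NAME ..." and against a real one as
# "Failed password for NAME ...". Only these lines are counted, one per attempt.
FAIL_RE = re.compile(r"Failed password for (invalid user )?(\S+) from ([\d.]+)")


def make_attempts(ip, user, count, known):
    """Build constructed syslog lines for `count` failed logins from one source IP."""
    tag = "" if known else "invalid user "
    return [f"Jan  3 11:26:{i:02d} host sshd[{2000 + i}]: Failed password for "
            f"{tag}{user} from {ip} port 4{i:04d} ssh2" for i in range(count)]


# Constructed sample log: 7 attempts against a nonexistent account, 7 against root.
SAMPLE_LOG = (make_attempts("198.51.100.7", "admin", 7, known=False)
              + make_attempts("198.51.100.8", "root", 7, known=True))


def replay(log_lines, policy):
    """Run failed-login lines through a blocking policy.

    Returns {ip: attempts allowed before the block}. That count is exactly what a
    remote client can observe (the connection starts being refused), so if it
    depends on whether the account exists, the filter leaks account validity.
    """
    failures, blocked_at = {}, {}
    for line in log_lines:
        m = FAIL_RE.search(line)
        if not m or m.group(3) in blocked_at:
            continue  # not a failure line, or this source is already blocked
        kind = "unknown" if m.group(1) else "known"
        ip = m.group(3)
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= policy[kind]:
            blocked_at[ip] = failures[ip]
    return blocked_at


def distinguishable(policy, log=SAMPLE_LOG):
    """True if the observable block point differs between the unknown and known account."""
    seen = replay(log, policy)
    return seen["198.51.100.7"] != seen["198.51.100.8"]


if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_POLICY), ("uniform", UNIFORM_POLICY)):
        print(name, replay(SAMPLE_LOG, policy), "leaks:", distinguishable(policy))
```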