ssh security

Michael H. Warfield mhw at WittsEnd.com
Tue Jan 3 16:26:46 UTC 2006


On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
> Jeff Vian wrote:
> > http://www.csc.liv.ac.uk/~greg/sshdfilter/
> > 
> > I use it on several servers and it works really well to detect and block
> > attacks.
> > With it an attempt to login with an unknown account gets instantly
> > blocked, and with a known account (root or some other user) they only
> > get 6 attempts before it is blocked.

> That sounds worthwhile for a computer that only has SSH open to the
> network.

> However, do be aware that this can confirm to attackers that an account
> is "valid", which could be useful knowledge in other attacks.

	Agreed!  That, in and of itself, is a security hole!  It can reveal, to
unauthenticated connections, what are valid accounts and what are not.
I've published security advisories on just those sorts of "information
disclosure" vulnerabilities.  It's considered axiomatic that security
systems should NEVER disclose that level of information, even to the
point of not giving a different error (message or code) for invalid
password vs invalid account.  Even timing (responding too quickly if the
account doesn't exist compared to wrong password) is considered a
SERIOUS no-no.  I would have to consider that sshdfilter a security
vulnerability, not a security tool.  Were this something in common
distribution, it would probably end up being a featured subject on
BugTraq or FullDisclosure.  :-/

> Hope this helps,

> James.
> -- 
> E-mail address: james | Say it with flowers, send a triffid.
> @westexe.demon.co.uk  | 

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
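The oracle Mike describes, modelled as an added example for this thread (not sshdfilter's code, nor anything from the original post): a lockout policy that blocks an unknown account on its first failure but gives a known account several tries answers differently depending on whether the account exists, so a client that has never authenticated can sort a wordlist into valid and invalid users. Beside it is the uniform policy he argues for: same response, same threshold, and the same password-hashing work whether or not the user exists, so neither the message nor the timing distinguishes the two cases. The user database, passwords and source addresses are constructed for the demonstration.

```python
"""Model of the account-enumeration oracle created by a lockout policy that
treats unknown accounts differently from known ones, next to a uniform policy
that closes it.  Added illustration for this thread; it is not sshdfilter's
code and the user database below is constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 20_000          # PBKDF2 work factor; kept small so the demo runs quickly
SALT = b"constructed-salt"   # one shared salt is enough for a demo, not for production


def _hash(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (constant cost per call)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed sample accounts (hypothetical users and passwords).
USERS = {
    "root": _hash("correct-horse"),
    "alice": _hash("battery-staple"),
}
# Verified against when the account does not exist, so the server does the
# same amount of work whether or not the user is real.
DUMMY_HASH = _hash(secrets.token_hex(16))


class DifferentialFilter:
    """Policy as described in the thread: a login for an unknown account blocks
    the source at once, a known account gets six tries.  The different
    thresholds (and the different responses) are an oracle for account validity."""
    LIMIT_KNOWN = 6

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.blocked: set[str] = set()

    def attempt(self, src: str, user: str, password: str) -> str:
        if src in self.blocked:
            return "blocked"
        if user not in USERS:
            # Unknown account: no hash computed, blocked immediately.  Both the
            # fast response and the instant block reveal the account is invalid.
            self.blocked.add(src)
            return "blocked"
        if hmac.compare_digest(USERS[user], _hash(password)):
            self.failures.pop(src, None)
            return "ok"
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.LIMIT_KNOWN:
            self.blocked.add(src)
            return "blocked"
        return "failed"


class UniformFilter:
    """Same response, same threshold and same work regardless of whether the
    account exists."""
    LIMIT = 6

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.blocked: set[str] = set()

    def attempt(self, src: str, user: str, password: str) -> str:
        if src in self.blocked:
            return "blocked"
        stored = USERS.get(user, DUMMY_HASH)
        # Always hash and always compare; the existence check comes last so it
        # cannot short-circuit the expensive part.
        matched = hmac.compare_digest(stored, _hash(password))
        if matched and user in USERS:
            self.failures.pop(src, None)
            return "ok"
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.LIMIT:
            self.blocked.add(src)
            return "blocked"
        return "failed"


def enumerate_accounts(filter_cls, candidates) -> set:
    """Attacker's view: one wrong password per candidate, each from a fresh
    source address.  Returns the candidates the filter answered 'failed' rather
    than 'blocked', i.e. what the policy gives away as valid accounts."""
    f = filter_cls()
    return {
        user
        for i, user in enumerate(candidates)
        if f.attempt(f"10.0.0.{i}", user, "not-the-password") == "failed"
    }


if __name__ == "__main__":
    wordlist = ["root", "alice", "bob", "mysql", "admin"]
    print("differential policy reveals:", sorted(enumerate_accounts(DifferentialFilter, wordlist)))
    print("uniform policy reveals:     ", sorted(enumerate_accounts(UniformFilter, wordlist)))
```

Against the differential policy the attacker's wordlist comes back partitioned into exactly the real accounts; against the uniform policy every candidate gets the same "failed" answer, so the result carries no information. The dummy-hash comparison is what keeps the timing side of the argument honest: without it the unknown-user path would return noticeably faster than a wrong password for a real user.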
