On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
Jeff Vian wrote:
http://www.csc.liv.ac.uk/~greg/sshdfilter/
I use it on several servers and it works really well to detect and block attacks. With it an attempt to log in with an unknown account gets instantly blocked, and with a known account (root or some other user) they only get 6 attempts before it is blocked.
That sounds worthwhile for a computer that only has SSH open to the network.
However, do be aware that this can confirm to attackers that an account is "valid", which could be useful knowledge in other attacks.
Agreed! That, in and of itself, is a security hole! It can reveal, to unauthenticated connections, what are valid accounts and what are not. I've published security advisories on just those sorts of "information disclosure" vulnerabilities. It's considered axiomatic that security systems should NEVER disclose that level of information, even to the point of not giving a different error (message or code) for invalid password vs invalid account. Even timing (responding too quickly if the account doesn't exist compared to wrong password) is considered a SERIOUS no-no. I would have to consider that sshdfilter a security vulnerability, not a security tool. Were this something in common distribution, it would probably end up being a featured subject on BugTraq or FullDisclosure. :-/
Hope this helps,
James.
E-mail address: james@westexe.demon.co.uk | Say it with flowers, send a triffid.
Mike
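The enumeration oracle the thread is arguing about can be made concrete with a small model. The following Python is an added example, not code from this thread and not sshdfilter's own implementation: it only models the blocking policy as Jeff describes it (unknown account blocked on the first failure, known account after six), places a uniform-threshold variant beside it, and runs an attacker-side probe against both. The account names, the source addresses, and the attacker model (one fresh source address per candidate, since each probe burns a source) are all constructed assumptions.

```python
"""Toy model of the account-enumeration side channel discussed above.

Constructed for illustration only. It does NOT reproduce sshdfilter's
implementation; it models the policy the thread describes (unknown user
-> blocked on first failure, known user -> blocked after six) next to a
variant that applies one threshold regardless of whether the user exists.
"""
from dataclasses import dataclass, field

# Assumed sample account list (constructed for the example).
KNOWN_ACCOUNTS = {"root", "alice"}


@dataclass
class DifferentialFilter:
    """Policy as described in the thread: the block threshold depends on
    whether the attempted account exists, which is the leaked signal."""
    known: set
    fails: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def attempt(self, src: str, user: str) -> str:
        if src in self.blocked:
            return "blocked"
        self.fails[src] = self.fails.get(src, 0) + 1
        limit = 6 if user in self.known else 1
        if self.fails[src] >= limit:
            self.blocked.add(src)
            return "blocked"
        return "auth-failed"


@dataclass
class UniformFilter:
    """Hardened variant: same threshold for every account name, so the
    observable behaviour no longer depends on account validity."""
    limit: int = 6
    fails: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def attempt(self, src: str, user: str) -> str:
        if src in self.blocked:
            return "blocked"
        self.fails[src] = self.fails.get(src, 0) + 1
        if self.fails[src] >= self.limit:
            self.blocked.add(src)
            return "blocked"
        return "auth-failed"


def probe(filt, user: str, src: str, cap: int = 50) -> int:
    """Attacker-side oracle: count the failed logins tolerated from `src`
    before it is blocked. Capped so a filter that never blocks terminates."""
    tolerated = 0
    while tolerated < cap and filt.attempt(src, user) == "auth-failed":
        tolerated += 1
    return tolerated


def enumerate_accounts(make_filter, candidates):
    """Probe each candidate from a fresh (constructed) source address, as an
    attacker rotating sources would, and return the per-name tolerated count."""
    return {
        user: probe(make_filter(), user, f"198.51.100.{i + 1}")
        for i, user in enumerate(candidates)
    }


def distinguishable(counts: dict) -> bool:
    """True when the filter's behaviour alone splits the names into classes,
    i.e. an unauthenticated observer learns which accounts exist."""
    return len(set(counts.values())) > 1


if __name__ == "__main__":
    names = ["root", "alice", "bob", "mallory"]
    leaky = enumerate_accounts(lambda: DifferentialFilter(KNOWN_ACCOUNTS), names)
    safe = enumerate_accounts(UniformFilter, names)
    print("differential policy:", leaky, "leaks:", distinguishable(leaky))
    print("uniform policy:     ", safe, "leaks:", distinguishable(safe))
```

The probe never sees a password check succeed; it only counts how many failures a source is allowed, which is exactly the kind of differential Mike's message says a security system must not expose. The same reasoning applies to the timing point in the thread: if the "unknown account" path returns faster than the "wrong password" path, the count above can be replaced by a response-time measurement and the oracle still works, so a hardened filter must keep both the threshold and the response time independent of account validity.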