On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
On Tue, 2006-01-03 at 13:44 +0000, James Wilkinson wrote:
Jeff Vian wrote:
http://www.csc.liv.ac.uk/~greg/sshdfilter/
I use it on several servers and it works really well to detect and block attacks. With it an attempt to login with an unknown account gets instantly blocked, and with a known account (root or some other user) they only get 6 attempts before it is blocked.
That sounds worthwhile for a computer that only has SSH open to the network.
However, do be aware that this can confirm to attackers that an account is "valid", which could be useful knowledge in other attacks.
Agreed! That, in and of itself, is a security hole! It can reveal, to unauthenticated connections, what are valid accounts and what are not. I've published security advisories on just those sorts of "information disclosure" vulnerabilities. It's considered axiomatic that security systems should NEVER disclose that level of information, even to the point of not giving a different error (message or code) for invalid password vs invalid account. Even timing (responding too quickly if the account doesn't exist compared to wrong password) is considered a SERIOUS no-no. I would have to consider that sshdfilter a security vulnerability, not a security tool. Were this something in common distribution, it would probably end up being a featured subject on BugTraq or FullDisclosure. :-/
If this system had many user accounts I would worry about that. However, the only valid accounts that are ever hit are the standard system accounts (and over 99.9% are root, which does not get ssh access anyway).
Besides, a script kiddie (or even a determined attacker) will give up quickly if the passwords are strong and they only get 6 tries in every 3 days (or longer).
I acknowledge the flaws, but it is better than leaving ssh open for repeated attempts by the script kiddies.
Hope this helps,
James.
E-mail address: james@westexe.demon.co.uk | Say it with flowers, send a triffid.
Mike
fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
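The two points argued in this thread, that sshdfilter's "unknown account blocked instantly, known account blocked after 6" policy tells an observer which accounts exist, and Michael's rule that an authentication path should not differ in message or in timing between an invalid account and a wrong password, as an added example. This is illustration code written for this page, not code from sshdfilter, OpenSSH or anyone in the thread; the log lines, the account table and all function names are constructed for the illustration.

```python
"""Added example: how a per-account block threshold leaks account validity,
and a login check that answers the same way for a missing account and for a
wrong password.  All data here is constructed; no real sshd or sshdfilter."""
import hashlib
import hmac
import os
import re
from collections import defaultdict

# --- Part 1: block threshold that depends on whether the account exists ---

# Constructed sshd-style lines.  OpenSSH logs "Invalid user X" for accounts that
# do not exist and "Failed password for X" for accounts that do.
UNKNOWN_USER_LOG = [
    f"sshd[{1000 + i}]: Invalid user oracle from 203.0.113.7 port {4100 + i}"
    for i in range(8)
]
KNOWN_USER_LOG = [
    f"sshd[{1100 + i}]: Failed password for root from 198.51.100.9 port {4200 + i} ssh2"
    for i in range(8)
]

LOG_RE = re.compile(
    r"(?:Invalid user (?P<unknown>\S+)"
    r"|Failed password for (?P<invalid>invalid user )?(?P<known>\S+))"
    r" from (?P<ip>\S+)"
)


def parse_auth_failure(line):
    """Return (source_ip, account_exists) for a failed-login line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    exists = m.group("unknown") is None and m.group("invalid") is None
    return m.group("ip"), exists


def attempts_until_block(lines, threshold):
    """Replay log lines through a simple per-IP blocker and return the attempt
    number at which the source IP was blocked (None if it never was).

    `threshold(account_exists)` is the number of failures allowed.  If that
    number depends on account_exists, the moment of blocking alone reveals
    whether the account is real: the disclosure Michael describes."""
    failures = defaultdict(int)
    for n, line in enumerate(lines, start=1):
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        ip, exists = parsed
        failures[ip] += 1
        if failures[ip] >= threshold(exists):
            return n
    return None


def differential_threshold(account_exists):
    """sshdfilter-style policy as described in the thread."""
    return 6 if account_exists else 1


def uniform_threshold(account_exists):
    """Same limit regardless of account validity; nothing to learn from it."""
    return 6


def policy_leaks_account_validity(threshold):
    """True when the block point differs between real and non-existent accounts."""
    return threshold(True) != threshold(False)


# --- Part 2: login check with one failure message and the same work on every path ---

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT = b"constructed-salt"  # constructed; real systems store a random salt per user
USERS = {"alice": _hash_password("correct horse", _SALT)}  # constructed account table
# Hash of a random string, compared against when the account does not exist, so
# the PBKDF2 work (and therefore the response time) is the same on both paths.
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _SALT)
GENERIC_FAILURE = "authentication failed"


def check_login(username, password):
    """Return (ok, message).  Unknown account and wrong password both yield the
    identical GENERIC_FAILURE string after identical hashing work."""
    stored = USERS.get(username, _DUMMY_HASH)
    candidate = _hash_password(password, _SALT)
    match = hmac.compare_digest(candidate, stored)   # constant-time comparison
    if match and username in USERS:                  # guard: dummy hash never logs in
        return True, "ok"
    return False, GENERIC_FAILURE
```

Run the two log lists through `attempts_until_block` with each threshold function: the differential policy blocks the unknown-account source on attempt 1 and the root source on attempt 6, so the block point alone separates real from non-existent accounts; the uniform policy blocks both on attempt 6. `check_login` shows the complementary rule from Michael's message: the same message and the same hashing work whether the account is missing or the password is wrong.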