SSH vulnerability

Didar Hossain didar.hossain at gmail.com
Wed May 20 08:59:56 UTC 2009


On Tue, May 19, 2009 at 10:29 PM, Keiran Smith <affix at fedoraproject.org> wrote:
> Hey Mike,
>
> That is a very interesting find to me personally. System and Software
> Security is something I have great interest in. I am a security advisor in a
> datacenter in the UK. However the article
> http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt says this is a
> very severe attack although the possibility of a successful attack is Very
> low. But you can never be too careful about these things.
> Software vendors may be getting more technologically advanced but so are
> exploit coders. For example PHP addslashes() was added to stop SQL Injection
> exploits by adding a slash to every quotation. Attackers realised PHP didn't
> parse HEX code but mySQL Server did. This makes me wonder if the possibility
> of an attack using this vulnerability is fairly high rather than low.
>
> On Tue, May 19, 2009 at 5:49 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>>
>> If y'all see an ssh session dropping constantly (like, 11356 times :) let
>> me know.
>>
>> http://www.openssh.com/txt/cbc.adv
>>
>>        -Mike
>>
>> _______________________________________________
>> Fedora-infrastructure-list mailing list
>> Fedora-infrastructure-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>
>
>
> --
> Keiran Smith
> - Fedora Ambassador / BugZapper - <affix at fedoraproject.org>
> - Free Software Foundation Associate - <keiran.smith at member.fsf.org>
> - http://keiran-smith.net
> - Call me on +44 (0) 131 208 4347
>

I use the iptables "recent" module as well as the "limit" module to handle
the sustained brute-force attempts on a box that I manage.

Maybe it could help in delaying this attack, although I don't
understand the technical details of the exploit other than the "an
attacker would expect around 11356 connection-killing attempts before
they are likely to succeed" part.

Didar
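The iptables "recent"/"limit" set-up Didar mentions, written out as an added example (not code from the thread or from Fedora Infrastructure); the chain name, window, hit count and log prefix are assumptions. It throttles repeated new SSH connections per source address, which slows an attacker who needs thousands of connection attempts but does not change the cipher-level issue the advisory describes.

```shell
#!/bin/sh
# Added example (not from the thread): throttle repeated new SSH connections
# per source address with the iptables "recent" module, and cap how often the
# drops are logged with the "limit" module. Chain name, thresholds and the
# log prefix are assumptions; tune them for the host.
SSH_PORT=22
WINDOW=60         # seconds a source stays in the recent list
HITS=4            # new connections allowed per source inside WINDOW
LOG_RATE="3/min"  # limit module: keeps a flood from filling the log

# Print the rules instead of applying them, so they can be reviewed first
# (or piped to sh as root). For each new SSH connection: record the source,
# then drop it if that source already reached the threshold in the window.
ssh_throttle_rules() {
  cat <<EOF
iptables -N SSH_THROTTLE
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_THROTTLE
iptables -A SSH_THROTTLE -m recent --name sshthrottle --set
iptables -A SSH_THROTTLE -m recent --name sshthrottle --rcheck --seconds $WINDOW --hitcount $HITS -m limit --limit $LOG_RATE -j LOG --log-prefix "ssh-throttle: "
iptables -A SSH_THROTTLE -m recent --name sshthrottle --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A SSH_THROTTLE -j RETURN
EOF
}

# Number of rules a reviewer should expect to see (used as a sanity check).
ssh_throttle_rule_count() {
  ssh_throttle_rules | grep -c '^iptables '
}

# With --apply the rules are loaded; otherwise they are only printed.
if [ "${1:-}" = "--apply" ]; then
  ssh_throttle_rules | sh
else
  ssh_throttle_rules
fi
```

The RETURN at the end hands accepted connections back to INPUT, so the rest of the existing policy still applies to them.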



