Comments on: Debian SSH Problems http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Security Flaws in Free Software | etbe http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14097 Security Flaws in Free Software | etbe Wed, 21 May 2008 09:01:33 +0000 http://etbe.coker.com.au/?p=583#comment-14097 [...] Comments etbe on Debian SSH Problemspa on Software Development is a Team SportAndre Felipe Machado on Ideas to Copy from Red HatOlaf van [...] [...] Comments etbe on Debian SSH Problemspa on Software Development is a Team SportAndre Felipe Machado on Ideas to Copy from Red HatOlaf van [...]

]]> By: etbe http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14070 etbe Tue, 20 May 2008 08:09:43 +0000 http://etbe.coker.com.au/?p=583#comment-14070 Olaf@11: Yes. But any mechanism that attempts to recognise bad behavior and lock out the perp will occasionally do that. Systems such as port knocking are based around the idea that sshd might somehow fail. If you make that assumption then it's best not to have sshd be part of the solution. Olad@12: Yes. But in many cases this is an acceptable trade-off. Olaf@11: Yes. But any mechanism that attempts to recognise bad behavior and lock out the perp will occasionally do that.

Systems such as port knocking are based around the idea that sshd might somehow fail. If you make that assumption then it’s best not to have sshd be part of the solution.

Olad@12: Yes. But in many cases this is an acceptable trade-off.

]]> By: Olaf van der Spek http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14051 Olaf van der Spek Mon, 19 May 2008 13:12:07 +0000 http://etbe.coker.com.au/?p=583#comment-14051 > The next thing to consider is which IP addresses may connect. If you were to allow all the IP addresses from all the major ISPs in your country to connect to your server then it would still be a small fraction of the IP address space. And get locked out of your own server if for whatever reason you get assigned an address out of this range? > The next thing to consider is which IP addresses may connect. If you were to allow all the IP addresses from all the major ISPs in your country to connect to your server then it would still be a small fraction of the IP address space.

And get locked out of your own server if for whatever reason you get assigned an address out of this range?

]]> By: Olaf van der Spek http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14050 Olaf van der Spek Mon, 19 May 2008 13:09:07 +0000 http://etbe.coker.com.au/?p=583#comment-14050 > So if for example I had port N configured in such a manner and port N+100 used for ssh listening then it’s likely that someone who port-scans my server would be blocked before they even discovered the SSH server. Hmm, wouldn't that allow me to deny *you* access to your own server if I knew your IP address (and are able to spoof it)? All additional security issues are kinda nice, but what's really needed is a good default configuration. Most administrators and users will not apply additional security measures. Port knocking is effectively just a shared secret. Can't the SSH protocol be improved to incorporate something like that? > So if for example I had port N configured in such a manner and port N+100 used for ssh listening then it’s likely that someone who port-scans my server would be blocked before they even discovered the SSH server.

Hmm, wouldn’t that allow me to deny *you* access to your own server if I knew your IP address (and are able to spoof it)?
All additional security issues are kinda nice, but what’s really needed is a good default configuration. Most administrators and users will not apply additional security measures.

Port knocking is effectively just a shared secret. Can’t the SSH protocol be improved to incorporate something like that?

]]> By: Albert Lash http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14048 Albert Lash Mon, 19 May 2008 12:16:59 +0000 http://etbe.coker.com.au/?p=583#comment-14048 I've heard good things about portknock, but for some reason never tried it. I'm curious about how it will work for you. And thanks for mentioning randomsound. I'm running audio-entropyd on one of my machines and have had good experiences with it: http://www.vanheusden.com/aed/ I’ve heard good things about portknock, but for some reason never tried it. I’m curious about how it will work for you.

And thanks for mentioning randomsound. I’m running audio-entropyd on one of my machines and have had good experiences with it:

http://www.vanheusden.com/aed/

]]> By: tindal http://etbe.coker.com.au/2008/05/18/debian-ssh-problems/comment-page-1/#comment-14043 tindal Sun, 18 May 2008 13:31:54 +0000 http://etbe.coker.com.au/?p=583#comment-14043 I've been using portsentry for a year or so, and one problem is that internet is full of viruses scanning the net from hosts with dynamic ip: hosts.deny becomes quite long shortly, but the content becomes useless shortly either. The same apply to iptables rules. I'm using a dynamic ip, too, and bypassed the problem restarting the connection at some hour during the night, if hosts.deny reached a certain number of entry (well, one could do it every night regardless hosts.deny...): after changing ip I can safely wipe hosts.deny and all added iptables rules obviously portsentry cannot block brute force attack to the port 22, so you should move ssh to some other port in order to make it useful in this sense on a static ip, I don't think portsentry could be a valuable solution: one could scan a certain number of ports before being blocked, then change ip and restart scanning, or one could sniff some traffic and see which ports are used regards tindal I’ve been using portsentry for a year or so, and one problem is that internet is full of viruses scanning the net from hosts with dynamic ip: hosts.deny becomes quite long shortly, but the content becomes useless shortly either. The same apply to iptables rules.

I’m using a dynamic ip, too, and bypassed the problem restarting the connection at some hour during the night, if hosts.deny reached a certain number of entry (well, one could do it every night regardless hosts.deny…): after changing ip I can safely wipe hosts.deny and all added iptables rules

obviously portsentry cannot block brute force attack to the port 22, so you should move ssh to some other port in order to make it useful in this sense

on a static ip, I don’t think portsentry could be a valuable solution: one could scan a certain number of ports before being blocked, then change ip and restart scanning, or one could sniff some traffic and see which ports are used

regards
tindal

]]>