[CentOS] Is there an openssh security problem?
Peter Kjellstrom
cap at nsc.liu.se
Fri Jul 10 14:33:33 UTC 2009
On Friday 10 July 2009, Rob Kampen wrote:
> Coert Waagmeester wrote:
...
> > it only allows one NEW connection to ssh per minute.
> >
> > That is also a good protection right?
...
> Not really protection - rather a deterrent - it just makes it slower for
> the script kiddies that try brute force attacks
Basically it's not so much about protection in the end as it is about keeping
your secure-log readable. Or maybe also a sense of being secure...
It's always good to limit your exposure but you really have to weigh cost
against the win. Two examples:
Limit from which hosts you can login to a server:
Configuration cost: trivial setup (one iptables line)
Additional cost: between no impact and some impact depending on your habits
Positive effect: 99.9+% of all scans and login attempts are now gone
Verdict: Clear win as long as the set of servers is easily identifiable
Elaborate knocking/blocking setup:
Configuration cost: significant (include keeping it up-to-date)
Additional cost: setup of clients for knocking, use of -p XXX for new port
Positive effect: "standard scans" will probably miss but not air tight
Verdict: Harder to judge, I think it's often not worth it
Other things worth looking into are, for example, access.conf (pam_access.so)
and ensuring that non-trivial passwords are used.
my €0.02,
Peter
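A way to put numbers on the "weigh cost against the win" argument above, as an added example (not from this thread or from the CentOS project): parse the sshd lines of a /var/log/secure file, split the authentication attempts into those from an administrator allowlist and those from everywhere else, and emit the single iptables line that would drop the latter. The log lines, the allowlist 192.0.2.0/24 and the function names are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format sshd writes to /var/log/secure
# (syslog prefix, then "Accepted/Failed <method> for [invalid user] <name> from <ip> port <n>").
SAMPLE_SECURE_LOG = """\
Jul 10 14:01:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jul 10 14:01:04 host sshd[2103]: Failed password for root from 198.51.100.7 port 51236 ssh2
Jul 10 14:01:05 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 40112 ssh2
Jul 10 14:02:10 host sshd[2110]: Accepted publickey for peter from 192.0.2.20 port 55000 ssh2
Jul 10 14:03:15 host sshd[2112]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
Jul 10 14:05:00 host sshd[2120]: Accepted password for peter from 192.0.2.21 port 55010 ssh2
"""

# Matches both successful and failed sshd authentication records.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_events(log_text):
    """Return a list of (result, user, source_ip) tuples for every sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def split_by_allowlist(events, allowed_cidrs):
    """Count attempts per source, separated into allowlisted and non-allowlisted sources."""
    nets = [ip_network(c) for c in allowed_cidrs]
    inside, outside = Counter(), Counter()
    for _result, _user, src in events:
        try:
            addr = ip_address(src)
        except ValueError:
            # Unparseable source field: treat as outside, it would not match any allowlist.
            outside[src] += 1
            continue
        if any(addr in net for net in nets):
            inside[src] += 1
        else:
            outside[src] += 1
    return inside, outside


def dropped_fraction(events, allowed_cidrs):
    """Fraction of observed attempts that a source allowlist on port 22 would have stopped."""
    inside, outside = split_by_allowlist(events, allowed_cidrs)
    total = sum(inside.values()) + sum(outside.values())
    return sum(outside.values()) / total if total else 0.0


def iptables_allowlist_rule(allowed_cidr, port=22):
    """The one-line iptables rule: drop new SSH connections not coming from the allowlist."""
    return f"iptables -A INPUT -p tcp --dport {port} ! -s {allowed_cidr} -j DROP"


if __name__ == "__main__":
    events = parse_auth_events(SAMPLE_SECURE_LOG)
    inside, outside = split_by_allowlist(events, ["192.0.2.0/24"])
    print(f"{len(events)} auth events, {sum(outside.values())} from outside the allowlist")
    for src, n in outside.most_common():
        print(f"  {src}: {n} attempts")
    print(f"allowlist would drop {dropped_fraction(events, ['192.0.2.0/24']):.0%} of attempts")
    print(iptables_allowlist_rule("192.0.2.0/24"))
```

Run it against the real file (`parse_auth_events(open("/var/log/secure").read())`) before committing to the rule: if the allowlisted range also covers the noisy sources, the "positive effect" line in the cost/benefit table is smaller than it looks. The `! -s` form keeps the whole policy in one line, matching the "trivial setup" cost in the post; it assumes the allowlist is a single contiguous range.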