[CentOS] Is there an openssh security problem?

Sun Jul 12 06:03:48 UTC 2009
James Matthews <nytrokiss at gmail.com>

I think if you use double authentication (both keys and a password) and put
your SSH server on a different port then you are doing the best you can. You
hope to prevent a 0-day but you cannot fully protect yourself...


James

On Fri, Jul 10, 2009 at 7:06 PM, Rob Townley <rob.townley at gmail.com> wrote:

> On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom<cap at nsc.liu.se> wrote:
> > On Friday 10 July 2009, Rob Kampen wrote:
> >> Coert Waagmeester wrote:
> > ...
> >> > it only allows one NEW connection to ssh per minute.
> >> >
> >> > That is also a good protection right?
> > ...
> >> Not really protection - rather a deterrent - it just makes it slower for
> >> the script kiddies that try brute force attacks
> >
> > Basically it's not so much about protection in the end as it is about
> keeping
> > your secure-log readable. Or maybe also a sense of being secure...
> >
> > It's always good to limit your exposure but you really have to weigh cost
> > against the win. Two examples:
> >
> > Limit from which hosts you can login to a server:
> >  Configuration cost: trivial setup (one iptables line)
> >  Additional cost: between no impact and some impact depending on your
> habits
> >  Positive effect: 99.9+% of all scans and login attempts are now gone
> >  Verdict: Clear win as long as the set of servers are easily identifiable
> >
> > Elaborate knocking/blocking setup:
> >  Configuration cost: significant (include keeping it up-to-date)
> >  Additional cost: setup of clients for knocking, use of -p XXX for new
> port
> >  Positive effect: "standard scans" will probably miss but not air tight
> >  Verdict: Harder to judge, I think it's often not worth it
> >
> > Other things worth looking into are, for example, access.conf
> (pam_access.so)
> > and ensuring that non-trivial passwords are used.
> >
> > my €0.02,
> >  Peter
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> >
>
> Virtual Networks are such as tinc-vpn.org or hamachi create an
> encrypted network only accessible to members of the virtual network.
> So if your server's virtual nic has an address of 5.4.3.2, then the
> only other host that may see your server would be your laptop with
> address 5.4.3.3.  No other internet hosts would even see 5.4.3.2...
> It is like IPSec, but much easier.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
http://www.goldwatches.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20090712/a0878286/attachment-0005.html>