[CentOS] Is there an openssh security problem?

Rob Townley rob.townley at gmail.com
Fri Jul 10 16:06:58 UTC 2009


On Fri, Jul 10, 2009 at 9:33 AM, Peter Kjellstrom<cap at nsc.liu.se> wrote:
> On Friday 10 July 2009, Rob Kampen wrote:
>> Coert Waagmeester wrote:
> ...
>> > it only allows one NEW connection to ssh per minute.
>> >
>> > That is also a good protection right?
> ...
>> Not really protection - rather a deterrent - it just makes it slower for
>> the script kiddies that try brute force attacks
>
> Basically it's not so much about protection in the end as it is about keeping
> your secure-log readable. Or maybe also a sense of being secure...
>
> It's always good to limit your exposure but you really have to weigh cost
> against the win. Two examples:
>
> Limit from which hosts you can login to a server:
>  Configuration cost: trivial setup (one iptables line)
>  Additional cost: between no impact and some impact depending on your habits
>  Positive effect: 99.9+% of all scans and login attempts are now gone
>  Verdict: Clear win as long as the set of servers are easily identifiable
>
> Elaborate knocking/blocking setup:
>  Configuration cost: significant (include keeping it up-to-date)
>  Additional cost: setup of clients for knocking, use of -p XXX for new port
>  Positive effect: "standard scans" will probably miss but not air tight
>  Verdict: Harder to judge, I think it's often not worth it
>
> Other things worth looking into are, for example, access.conf (pam_access.so)
> and ensuring that non-trivial passwords are used.
>
> my €0.02,
>  Peter
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>

Virtual Networks are such as tinc-vpn.org or hamachi create an
encrypted network only accessible to members of the virtual network.
So if your server's virtual nic has an address of 5.4.3.2, then the
only other host that may see your server would be your laptop with
address 5.4.3.3.  No other internet hosts would even see 5.4.3.2...
It is like IPSec, but much easier.



More information about the CentOS mailing list