[CentOS] Is there an openssh security problem?

Fri Jul 10 14:33:33 UTC 2009
Peter Kjellstrom <cap at nsc.liu.se>

On Friday 10 July 2009, Rob Kampen wrote:
> Coert Waagmeester wrote:
...
> > it only allows one NEW connection to ssh per minute.
> >
> > That is also a good protection right?
...
> Not really protection - rather a deterrent - it just makes it slower for
> the script kiddies that try brute force attacks

Basically it's not so much about protection in the end as it is about keeping 
your secure-log readable. Or maybe also a sense of being secure...

It's always good to limit your exposure but you really have to weigh cost 
against the win. Two examples:

Limit from which hosts you can login to a server:
 Configuration cost: trivial setup (one iptables line)
 Additional cost: between no impact and some impact depending on your habits
 Positive effect: 99.9+% of all scans and login attempts are now gone
 Verdict: Clear win as long as the set of servers are easily identifiable

Elaborate knocking/blocking setup:
 Configuration cost: significant (include keeping it up-to-date)
 Additional cost: setup of clients for knocking, use of -p XXX for new port
 Positive effect: "standard scans" will probably miss but not air tight
 Verdict: Harder to judge, I think it's often not worth it

Other things worth looking into are, for example, access.conf (pam_access.so) 
and ensuring that non-trivial passwords are used.

my €0.02,
 Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20090710/d363c490/attachment-0005.sig>