improving ssh

Jun-ichiro itojun Hagino itojun at itojun.org
Mon Jul 16 23:52:53 EDT 2007


	i'm an OpenBSD developer, so i have some knowledge but could be biased.

> SSH (OpenSSH) is routinely used in secure access for remote server
> maintenance. However, as I see it, SSH has a number of security issues
> that have not been addressed (as far as I know), which create unnecessary
> vulnerabilities.
> 
> Some issues could be minimized by turning off password authentication,
> which is not practical in many cases. Other issues can be addressed by
> additional means, for example:
> 
> 1. firewall port-knocking to block scanning and attacks
> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
> block dictionary attacks)

	i guess it can be handled along the lines of spamd (greylisting) on OpenBSD.

> 3. pre- and post-filtering to prevent SSH from advertising itself and
> server OS

	is there any point in this as you can fingerprint OS both actively (nmap)
	and passively (p0f)?

> 4. block empty authentication requests
> 5. block sending host key fingerprint for invalid or no username
> 6. drop SSH reply (send no response) for invalid or no username

	i can understand your desire, but this is a feature used by some of the
	anonymous services such as anonymous CVS.  i'd leave it to openssh
	developers.

itojun
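Item 2 in the quoted list (logging repeated failures and disabling the offending IP), combined with the spamd-style blocklist idea from the reply, as an added Python example that is not part of this thread: it parses sshd "Failed password" lines, flags sources that exceed a threshold inside a sliding time window, and emits pf table commands for them. The log lines are constructed, and "sshbrute" is an assumed pf table name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt in syslog format; hostnames and addresses are made up.
SAMPLE_LOG = """\
Jul 16 23:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 16 23:40:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Jul 16 23:40:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 16 23:40:07 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jul 16 23:41:10 host sshd[1210]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jul 16 23:55:00 host sshd[1220]: Failed password for invalid user guest from 203.0.113.7 port 51030 ssh2
"""

# Matches the "Failed password" line sshd logs for a bad password, with or without
# the "invalid user" marker that precedes an account name the host does not know.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2007):
    """Map each source IP to the sorted timestamps of its failed attempts (syslog has no year, so one is assumed)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["ip"]].append(ts)
    return {ip: sorted(stamps) for ip, stamps in failures.items()}


def offenders(log_text, threshold=4, window_seconds=60):
    """IPs with at least `threshold` failures inside any `window_seconds` span (sliding window)."""
    hits = set()
    for ip, stamps in parse_failures(log_text).items():
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start until the oldest counted attempt is recent enough.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


def block_commands(ips, table="sshbrute"):
    """pf(4) commands adding offenders to a table that a 'block in quick from <sshbrute>' rule would use (hypothetical table name)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]
```

A slow scan spread over many minutes is caught by widening the window, as the 900-second case below shows, at the cost of more false positives from a user who simply mistypes a password.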
