improving ssh

Ed Gerck edgerck at nma.com
Mon Jul 16 23:41:44 EDT 2007


Ivan Krstić wrote:
> On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote:
>> 1. firewall port-knocking to block scanning and attacks
>> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
>> block dictionary attacks)
>> 3. pre- and post-filtering to prevent SSH from advertising itself and
>> server OS
>> 4. block empty authentication requests
>> 5. block sending host key fingerprint for invalid or no username
>> 6. drop SSH reply (send no response) for invalid or no username
> 
> None of these are crypto issues. 

Perhaps not the way they are solved today (see above), and that IS
the problem. For example, the lack of good crypto solutions to protocol
bootstrap contributes significantly to security holes 1-7.

Cheers,
Ed Gerck
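As an added illustration of item 2 in the quoted list (firewall logging and IP disabling for repeated attacks), here is a small sliding-window ban policy run over constructed sshd log lines. This is example code added to this archive page, not code from the original post or from OpenSSH. It assumes OpenSSH's syslog "Failed <method> for [invalid user] <user> from <ip> port ..." line format, assumes the year 2007 because syslog timestamps omit it, and assumes an nftables table "inet filter" with an "input" chain exists; the sample log and all those names are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the original post).
# 203.0.113.7 hammers the server; 198.51.100.4 has two stray failures far apart.
SAMPLE_LOG = """\
Jul 16 23:30:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Jul 16 23:30:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51230 ssh2
Jul 16 23:30:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 16 23:30:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul 16 23:30:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jul 16 23:31:00 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jul 16 23:31:30 host sshd[1213]: Failed password for bob from 198.51.100.4 port 40010 ssh2
Jul 16 23:45:00 host sshd[1215]: Failed password for bob from 198.51.100.4 port 40020 ssh2
"""

# Matches OpenSSH failure lines for any auth method ("password", "none", ...),
# with or without the "invalid user" marker.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2007):
    """Yield (timestamp, user, source_ip) for each failed-auth line.

    The year is an assumption: syslog lines carry none.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["user"], m["ip"]


def find_bans(log_text, threshold=5, window=timedelta(minutes=10), year=2007):
    """Ban a source once it reaches `threshold` failures inside any `window`.

    Returns {ip: time_of_ban}. Each IP is banned at most once; failures older
    than the window are forgotten, so two stray failures an hour apart never
    trip the rule while a dictionary attack does within seconds.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for ts, _user, ip in parse_failures(log_text, year):
        if ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts
    return bans


def ban_commands(bans, table="inet filter", chain="input"):
    """Render one nft rule per banned IP (table/chain names are assumptions).

    Rules are returned as strings, not executed, so the policy can be reviewed
    or fed to a dry run before touching the live firewall.
    """
    return [
        f"nft add rule {table} {chain} ip saddr {ip} tcp dport 22 drop"
        for ip in sorted(bans)
    ]


if __name__ == "__main__":
    banned = find_bans(SAMPLE_LOG)
    for ip, when in banned.items():
        print(f"ban {ip} at {when.isoformat()}")
    for cmd in ban_commands(banned):
        print(cmd)
```

Run on the sample, only 203.0.113.7 is banned (five failures in eight seconds); 198.51.100.4 stays clear because its two failures are more than ten minutes apart. Tune `threshold` and `window` to the server's legitimate failure rate, and pair the drop rule with an expiry so a mistyped password from a shared NAT does not lock out an office indefinitely.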

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com