On Fri, Jun 13, 2008 at 11:51:35AM -0400, Jay R. Ashworth wrote:
> On Thu, Jun 12, 2008 at 11:09:43PM +0300, Tzafrir Cohen wrote:
> > > Additionally, you should install a brute-force-attack blocker:
> > >
> > > http://www.la-samhna.de/library/brutessh.html
> >
> > This is effectively another service listening. It is also a method for
> > an attacker to lock you out of the system.
> >
> > See, for instance, http://www.ossec.net/en/attacking-loganalysis.html .
>
> Sure; all in-band methods suffer from the possibility of becoming DoS
> vectors. And yes, the fact that sshd doesn't quote that argument as it
> drops it into the syslog, making it easier to see bogusness, is a bad
> thing. But those log lines wouldn't fool *me*.
>
> And if they fool your log analysis system, then its regexes aren't
> written tightly enough.

Apparently, getting the regex right is a bit trickier than people think.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302

So getting this regex right is probably a bit tricky.

> And, back on point, that particular sshblocker doesn't give a damn what
> sshd writes in the syslog.
>
> And, no, it's actually not another service listening.

It responds to external output. I can trigger it to run whenever I want.
Pretty close to a "service".

Consider e.g. a spam filter used by a mail server. It might just as well
have such remotely-exploitable security holes, if badly written. And the
attacker does not even need direct access to the system running the spam
filter.

Or Asterisk handling proxied SIP/IAX traffic.

-- 
Tzafrir Cohen         icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
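The point both posters circle around (sshd splices the client-supplied user name unquoted into its "Invalid user X from IP" message, so a loose pattern can be steered to ban an address of the attacker's choosing) is easy to see in code. The following is an added example, not code from the thread or from any of the tools it links to: the log lines are constructed, the host name "pbx", the process IDs and the addresses 192.0.2.77 (attacker) and 10.0.0.5 (victim) are made up, and LOOSE/TIGHT are illustrative patterns rather than the regexes of any real blocker. It shows a loose, unanchored regex picking up the attacker-planted address, and an end-anchored regex that reads sshd's own "from" field instead.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original thread).
# Lines 3-5 are what sshd emits when the attacker logs in with the *user
# name* "admin from 10.0.0.5": the name is not quoted, so the attacker's
# text sits in the message right next to sshd's own "from <ip>" field.
SAMPLE_LOG = [
    "Jun 13 12:00:01 pbx sshd[2011]: Invalid user admin from 192.0.2.77",
    "Jun 13 12:00:02 pbx sshd[2012]: Invalid user test from 192.0.2.77",
    "Jun 13 12:00:03 pbx sshd[2013]: Invalid user admin from 10.0.0.5 from 192.0.2.77",
    "Jun 13 12:00:04 pbx sshd[2014]: Invalid user root from 10.0.0.5 from 192.0.2.77 port 51234",
    "Jun 13 12:00:05 pbx sshd[2015]: Invalid user oracle from 10.0.0.5 from 192.0.2.77",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Loose pattern (hypothetical, the kind of regex the thread warns about):
# unanchored, so it stops at the first "from <ip>" it finds, which is
# whatever the attacker put into the user name.
LOOSE = re.compile(r"Invalid user \S+ from " + IPV4)

# Tight pattern (hypothetical): anchored to the end of the line, after the
# optional " port N" that newer sshd versions append. The greedy ".+" for
# the user name must then stretch to the *last* "from", which is sshd's own.
TIGHT = re.compile(r"Invalid user .+ from " + IPV4 + r"(?: port \d+)?\s*$")


def offender(line, pattern):
    """Return the address the pattern extracts from one log line, or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


def ban_list(lines, pattern, threshold=3):
    """Addresses with at least `threshold` failures, as a blocker would see them."""
    counts = Counter(ip for ip in (offender(l, pattern) for l in lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # With LOOSE the innocent 10.0.0.5 gets banned and the attacker does not;
    # with TIGHT only 192.0.2.77, the real source, crosses the threshold.
    print("loose:", ban_list(SAMPLE_LOG, LOOSE))
    print("tight:", ban_list(SAMPLE_LOG, TIGHT))
```

Anchoring works here only because the attacker-controlled field precedes the one sshd writes itself; a blocker that reads any log where the untrusted text comes last, or that can be fed whole forged lines (the OSSEC paper linked above), needs more than a tighter regex, for instance acting only on a source address it has confirmed out of band or refusing to ban addresses on an allow-list.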
