Jonas Smedegaard <[email protected]> writes:
> Hi Sandy,
>
> Quoting Sandy Harris (2015-07-22 20:55:42)
>> Is this an issue for the Box? I presume there'll be a fix & debian
>> will include it so we should be covered, but it seems worth noting.
>>
>> http://www.itworld.com/article/2951494/bug-exposes-openssh-servers-to-bruteforce-password-guessing-attacks.html
>
> Please file a bug report against openssh-server.
Don't bother - there's a fix for this already that will be in the next release.

Also, I'd hope that we'd be putting fail2ban (or similar) on the freedombox, if password authentication is allowed at all, in which case that would catch this too.

One can protect against this specific attack by setting:

  KbdInteractiveAuthentication no

If that is unset in the config, it defaults to whatever ChallengeResponseAuthentication is set to, so setting that to 'no' will generally do the trick too.

However, that's not so useful if one actually wants to allow password authentication.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
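The fallback rule Phil describes (KbdInteractiveAuthentication unset means sshd uses the ChallengeResponseAuthentication value, which itself defaults to yes) is easy to misread when auditing a config, so here is an added example, not from the thread or from OpenSSH, that reports the effective value for a given sshd_config. It assumes no Match blocks and sshd's "first obtained value wins" rule; the sample configs are constructed.

```shell
#!/bin/sh
# Report the effective KbdInteractiveAuthentication value of an sshd_config.
# Rule from the message above: if KbdInteractiveAuthentication is unset, sshd
# falls back to ChallengeResponseAuthentication, whose own default is "yes".
# Assumptions: no Match blocks; the first occurrence of a directive wins.

# Print the first value of directive $2 in file $1 (keyword case-insensitive,
# '=' or whitespace separator, comments/blank lines ignored); empty if unset.
first_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print tolower(f[2]); exit }
        }' "$1"
}

# Resolve the effective setting, applying the documented fallback chain.
effective_kbd_interactive() {
    v=$(first_value "$1" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(first_value "$1" ChallengeResponseAuthentication)
    [ -n "$v" ] || v=yes
    printf '%s\n' "$v"
}

# Constructed sample configs (not taken from any real host).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/a.conf" <<'EOF'
# only the fallback directive is set
ChallengeResponseAuthentication no
EOF
cat > "$tmpdir/b.conf" <<'EOF'
ChallengeResponseAuthentication no
KbdInteractiveAuthentication yes
EOF
cat > "$tmpdir/c.conf" <<'EOF'
PasswordAuthentication yes
EOF

for f in a b c; do
    printf '%s.conf: KbdInteractiveAuthentication effectively %s\n' \
        "$f" "$(effective_kbd_interactive "$tmpdir/$f.conf")"
done
```

Note that b.conf shows why checking ChallengeResponseAuthentication alone is not enough: an explicit KbdInteractiveAuthentication line overrides the fallback.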
_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
