-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Clemens Pfaffinger wrote/schrieb @ 07.07.2009 23:23:
this is standard for me. I always change the port of the openSSH-server.
My (current) solution is:
Portsentry listens on port 22, while openSSH-server has another port.
Every port scan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Maik Holtkamp wrote/schrieb @ 13.07.2009 11:12:
tail -n -20 | sed s/^-A/-D/ | \
s/tail/head/
Sorry.
- --
- - bye maik
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Signature of Maik Holtkamp
Roger Bumgarner wrote:
ALLOW rules and SSH-keys. Using a non-standard port will stop the
majority of automated attackers, but a dedicated attack will find
you're SSH server: it only takes 20-30mins to portscan 1-65535.
Not necessarily:
http://jengelh.medozas.de/documents/Chaostables.pdf
I've
On Mon, 13 Jul 2009, Maik Holtkamp wrote:
I decided to follow this and on the weekend iptables blocked about 70
IPs. I am afraid that after some time the box will be DOSed by the
crowded INPUT chain.
The only _real_ fix for that is to use IPSET (patch for netfilter) to deal
with IPv4, and
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
Ensuring that you use AES enctypes for all keys (disable DES and
ideally also 3DES)
How?
In /etc/krb5kdc/kdc.conf, set the
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
However, if you also have AFS, which I recall that you do, you can't
turn it off at that level. You have to leave DES as a supported
Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
btw is it possible to use any kind of one time password mechanism with
mit kdc?
Not without applying custom patches that are rather a hack. You can,
however, do PKINIT, which lets you use
Peter Jordan usernetw...@gmx.info writes:
Let the option
master_key_type = des3-hmac-sha1
as it is?
Yes. The master key isn't used on the network and changing it is very
difficult in lenny.
No change in /etc/krb5.conf required?
Correct. Clients will negotiate the strongest
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Fri Jul 10 2009 00:55:42 GMT+0200 (CEST):
However, if you also have AFS, which I recall that you do, you can't
turn it off at that level. You have to leave DES as a supported
enctype since the AFS service key at present still has to be
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
Not without applying custom patches that are rather a hack. You can,
however, do PKINIT, which lets you use smart cards that can do X.509
authentication (some of which are quite inexpensive
In 87ws6gppyi@windlord.stanford.edu, Russ Allbery wrote:
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Fri Jul 10 2009 00:56:57 GMT+0200 (CEST):
Not without applying custom patches that are rather a hack. You can,
however, do PKINIT, which lets you use smart cards that can do
Boyd Stephen Smith Jr. b...@iguanasuicide.net writes:
Russ Allbery wrote:
But yes, you don't want to get Kerberos tickets on an insecure system.
I thought tickets only lasted for a small period of time, and could be
expired early if need be so that you could use them on insecure
machines.
On Fri, Jul 10, 2009 at 07:31:33AM -0700, Russ Allbery wrote:
Peter Jordan usernetw...@gmx.info writes:
We use NFSv4.
I think the current version may have that same problem.
Urgs, yes.
Bastian
--
There is an order of things in this universe.
-- Apollo, Who Mourns for
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
Let the option
master_key_type = des3-hmac-sha1
as it is?
Yes. The master key isn't used on the network and changing it is very
difficult in lenny.
But for new installations a change
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
Yes. The master key isn't used on the network and changing it is
very difficult in lenny.
But for new installations a change is not a bad idea?
Yeah, for new installations it's generally best
Russ Allbery, Fri Jul 10 2009 19:24:52 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):
But for new installations a change is not a bad idea?
Yeah, for new installations it's generally best to start the master key
at the
Peter Jordan usernetw...@gmx.info writes:
hmmm, although i have set supported enctypes
supported_enctypes = aes256-cts:normal
and restarted kdc nothing seens to have changed.
After calling kinit klist -5e show me:
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc
Sebastian Posner, Wed Jul 08 2009 23:18:43 GMT+0200 (CEST):
Jim Popovitch wrote:
Is there a way to force keys AND passwd verification?
Normally you'd want to DISABLE PasswordAuthentication and
ChallengeResponseAuthentication - unless you have a special and
well-maintained setup like
Justus, Tue Jul 07 2009 22:36:31 GMT+0200 (CEST):
Is there Information on what Versions are affected by this exploit?
I read something of Version 3.2 and 4.3 in one of the blog entrys
(http://secer.org/hacktools/0day-openssh-remote-exploit.html), maybe
someone else could clarify this?
Would
Bernd Eckenfels schrieb:
In article f971bab40907080937v33884e78nce8291d34140f...@mail.gmail.com you
wrote:
Besides I dont think you can force both, its only one stage in ssh protocol.
But your login shell could ask for the password via Terminal. Maybe with pam..
I think, you can, when
Peter Jordan usernetw...@gmx.info writes:
Noah Meyerhans, Wed Jul 08 2009 23:13:30 GMT+0200 (CEST):
(Plus we've got Kerberos and don't usually mess around with keys or
passwords).
Do you use kerberos/nfsv4 and ssh keys? If yes, how you handle the
problem, that the authorized_keys file is
Russ Allbery, Thu Jul 09 2009 17:04:06 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
Noah Meyerhans, Wed Jul 08 2009 23:13:30 GMT+0200 (CEST):
Do you use kerberos/nfsv4 and ssh keys? If yes, how you handle the
problem, that the authorized_keys file is not accessable without a
On Thu, Jul 09, 2009 at 06:02:37PM +0200, Peter Jordan wrote:
If you have Kerberos, why would you use ssh keys? GSS-API is so much
nicer if you already have a Kerberos environment.
And how to login passwordless from outside the kerberos network?
There's no such thing as outside the
The ISC has another diary entry on the exploit, voicing doubts about
it [1]. The original diary entry [2] doesn't have any more updates on
it, which is kind of a shame as that was where I was originally
tracking the story. Anyway, there it is and I'm sure we'll hear more
about it.
[1]
Noah Meyerhans, Thu Jul 09 2009 18:04:54 GMT+0200 (CEST):
On Thu, Jul 09, 2009 at 06:02:37PM +0200, Peter Jordan wrote:
And how to login passwordless from outside the kerberos network?
There's no such thing as outside the kerberos network.
noah
I want to login passwordless to my ssh
Peter Jordan usernetw...@gmx.info writes:
It is not my decission to isolate kerberos.
Is it safe to open kerberos for the world?
It's not clear that anyone on this list can answer that question since it
depends on what safe and kerberos mean in the context of your
organization. The meaning
Russ Allbery, Thu Jul 09 2009 20:45:57 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
I want to login passwordless to my ssh server from the internet. vpn
is not avaiable and kerberos is not acccessable from outside the
lan. How?
Fix the last problem. Otherwise, yes, you
pod, Thu Jul 09 2009 21:38:31 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
It is not my decission to isolate kerberos.
Is it safe to open kerberos for the world?
It's not clear that anyone on this list can answer that question since it
depends on what safe and kerberos mean
pod p...@herald.ox.ac.uk writes:
For example there seems to be a school of thought amongst certain
deployers of Active Directory (a component of which is a kerberos KDC)
that it should not be exposed more widely than strictly necessary.
There are however plenty of deployments of Heimdal and
Peter Jordan usernetw...@gmx.info writes:
It would be a stand alone MIT KDC (with krb-rsh) on debian lenny.
safe in the sense of you better attack the services which depends on
kerberos than kerberos itself
That's what we've done at Stanford for many, many years, and I'm
comfortable doing
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
Ensuring that you use AES enctypes for all keys (disable DES and ideally
also 3DES)
How?
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
Peter Jordan usernetw...@gmx.info writes:
It would be a stand alone MIT KDC (with krb-rsh) on debian lenny.
safe in the sense of you better attack the services which depends on
kerberos than kerberos itself
That's what we've done at
Peter Jordan usernetw...@gmx.info writes:
Russ Allbery, Thu Jul 09 2009 21:51:50 GMT+0200 (CEST):
Ensuring that you use AES enctypes for all keys (disable DES and
ideally also 3DES)
How?
In /etc/krb5kdc/kdc.conf, set the supported_enctypes configuration
option for your realm to:
Peter Jordan usernetw...@gmx.info writes:
btw is it possible to use any kind of one time password mechanism with
mit kdc?
Not without applying custom patches that are rather a hack. You can,
however, do PKINIT, which lets you use smart cards that can do X.509
authentication (some of which are
On Tue, Jul 7, 2009 at 6:20 PM, Jeroen van Drongelen
jer...@naturewebdesign.eu wrote:
It's helpfull indeed but withe a portscan they can easly find the other
port of openssh.If have shutdown the openssh service untill i know wich
version is attackable by this exploit or when they have a
On Mi, 08 Jul 2009, Leandro Minatel wrote:
Right you are!, but, don't forget that there are more than 65500 ports to
??? Are you talking about trying the exploit on every single port? Then
they would really be stupid. Calling nmap makes that much faster.
No the code must be fixed if there is a
On Wed, Jul 8, 2009 at 11:38 AM, Norbert Preining prein...@logic.at wrote:
On Mi, 08 Jul 2009, Leandro Minatel wrote:
Right you are!, but, don't forget that there are more than 65500 ports to
??? Are you talking about trying the exploit on every single port? Then
they would really be
just update it!
2009/7/8 Leandro Minatel leandromina...@gmail.com
On Wed, Jul 8, 2009 at 11:38 AM, Norbert Preining prein...@logic.atwrote:
On Mi, 08 Jul 2009, Leandro Minatel wrote:
Right you are!, but, don't forget that there are more than 65500 ports
to
??? Are you talking about
ALLOW rules and SSH-keys. Using a non-standard port will stop the
majority of automated attackers, but a dedicated attack will find
you're SSH server: it only takes 20-30mins to portscan 1-65535.
-rb
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of
On Wed, Jul 8, 2009 at 09:33, Roger Bumgarnerroger.bumgar...@gmail.com wrote:
ALLOW rules and SSH-keys.
Is there a way to force keys AND passwd verification?
-Jim P.
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
On Wed, Jul 08, 2009 at 09:37:55AM -0700, Jim Popovitch wrote:
On Wed, Jul 8, 2009 at 09:33, Roger Bumgarnerroger.bumgar...@gmail.com
wrote:
ALLOW rules and SSH-keys.
Is there a way to force keys AND passwd verification?
That's actually a really good question. I would be interested in
As far as I know, it does keys first then falls back to passwords. I'd
imagine PAM could help, but I'm not knowledgeable enough in regards to
that. I know you're only limited by your imagination when it comes to
PAM authentication. SSH-keys can (and should!) be password-protected
already.
-rb
On
Jim Popovitch wrote:
ALLOW rules and SSH-keys.
Is there a way to force keys AND passwd verification?
Normally you'd want to DISABLE PasswordAuthentication and
ChallengeResponseAuthentication - unless you have a special and well-maintained
setup like e.g. One-Time-Pads or such - because
On Wed, Jul 08, 2009 at 02:03:57PM -0700, Roger Bumgarner wrote:
As far as I know, it does keys first then falls back to passwords. I'd
imagine PAM could help, but I'm not knowledgeable enough in regards to
that. I know you're only limited by your imagination when it comes to
PAM
Michael Stone wrote:
[A way to enforce non-empty passwd on ssh-keys]
You can't, which is why it is useful to have both passwords and keys
simultaneously--you can enforce a policy on a password.
To cite Noah Meyerhans from his recent mail - my users would shoot me if I ever
tried such a
In article f971bab40907080937v33884e78nce8291d34140f...@mail.gmail.com you
wrote:
Is there a way to force keys AND passwd verification?
You know that if its a protocol exploit (which is quite likely) that will
not help you much. tcpwrapper itself or ipfilter acts quite early in the
protocol
Noah Meyerhans, Wed Jul 08 2009 23:13:30 GMT+0200 (CEST):
(Plus we've got Kerberos and don't usually mess around with keys or
passwords).
Do you use kerberos/nfsv4 and ssh keys? If yes, how you handle the
problem, that the authorized_keys file is not accessable without a krb
ticket?
PJ
--
As usual, you may want to either raise shields (i.e. disable/restrict access
to the ssh service), or pay extra attention to what is happening on your SSH
inbound gateways...
http://lwn.net/Articles/340360/
http://isc.sans.org/diary.html?storyid=6742
Hi all,
This is a serious security threat if it is not some sort of a duck (as
we call it in our country). I have firewalled some servers already.
Do you think tcpwrapping ssh service is enough, or should i use iptables
instead?
Thanks in advance,
Regards
--
Ramūnas Čereškevičius
Tel.:
Hi,
thanks for this information!
I just hope that this is a hoax.
What would you suggest for securing a server running openSSH?
How can I notice such an attack in my log files?
Cheers
Kontaktinformationen
clem...@csrv.at
www.cdev.at
2009/7/7 Henrique
Is there Information on what Versions are affected by this exploit?
I read something of Version 3.2 and 4.3 in one of the blog entrys
(http://secer.org/hacktools/0day-openssh-remote-exploit.html), maybe
someone else could clarify this?
Would you recommend stopping ssh completely and switching to
Hi,
a good practice, at least for me, is put openssh to listen in a different
port than the default. I know, it's not the perfect solution.
Regards.
As i have read on this page :
http://secer.org/hacktools/0day-openssh-remote-exploit.htmlhttp://secer.org/hacktools/0day-openssh-remote-exploit.htmlit
say's that the attack is againt OpenSSH version 4.3.
So the best thing that you can do is update OpenSSH to a newer version.
But again it are
It's helpfull indeed but withe a portscan they can easly find the other port
of openssh.If have shutdown the openssh service untill i know wich version
is attackable by this exploit or when they have a solution for it.
Regards,
Jeroen
2009/7/7 Leandro Minatel leandromina...@gmail.com
Hi,
a
Hi,
this is standard for me. I always change the port of the openSSH-server.
My (current) solution is:
Portsentry listens on port 22, while openSSH-server has another port.
Every port scan attempt will result in a ban via iptables and every
connection to port 22 will also result in a ban via
55 matches
Mail list logo
