[ubuntu-hardened] hiding ssh version
Jeff Schroeder
jeffschroed at gmail.com
Mon Apr 6 12:32:26 BST 2009
If you rate limit the number of incoming connections / second to sshd
using iptables, all brute force attacks become impractical.
On Apr 5, 2009, at 1:04 PM, TJ Easter <tjeaster at gmail.com> wrote:
> FWIW, I make use of all banner hiding capabilities on public services
> (i.e., the ServerTokens parameter in Apache's configuration) as I do
> consider it defense-in-depth. However, with SSH potentially using the
> version banner to negotiate features and functionality, I'd recommend
> against using the patch. I use iptables(8) to lock down access to my
> SSH daemon -- in addition to libwrap -- so the only people who are
> ever even able to see the banner are likely to be hosts that I "trust"
> anyway.
>
>
> Regards,
> TJ Easter
>
> On Sun, Apr 5, 2009 at 9:44 AM, Kees Cook <kees at ubuntu.com> wrote:
>> Hi Dan,
>>
>> On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
>>> Is it not possible to get a package in the repos that incorporates this
>>> patch and other hardening measures such as denyhosts? Possibly an
>>> ssh-hardened package? It doesn't have to be something that is pushed out
>>> with the distro by default but something that people can install if they
>>> choose to.
>>
>> I don't think it makes sense to have a forked ssh package in the primary
>> archive. However, there's nothing to stop someone from building openssh
>> with the patch and hosting it in their PPA.
>>
>> -Kees
>>
>> --
>> Kees Cook
>> Ubuntu Security Team
>>
>> --
>> ubuntu-hardened mailing list
>> ubuntu-hardened at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>>
>
>
>
> --
> "Being a humanist means trying to behave decently without expectation
> of rewards or punishment after you are dead." -- Kurt Vonnegut, 1922 - 2007
> http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
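
Added example, not part of the original message or of any package discussed in the thread: one way to express the per-source rate limit mentioned above with the iptables `recent` match. The chain name SSH_LIMIT, the list name ssh, port 22, the 60-second window and the threshold of 4 are assumed values, and the script only prints the rules unless you pipe them to iptables-restore yourself.

```shell
#!/bin/sh
# Added example: per-source rate limit on new SSH connections (IPv4).
# Chain/list names, port, window and threshold are assumed values.

# True only for a non-empty string of digits, so nothing else reaches the rules.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print an iptables-restore fragment: ssh_ratelimit_rules PORT WINDOW HITS
ssh_ratelimit_rules() {
    for arg in "$1" "$2" "$3"; do
        is_uint "$arg" || { echo "numeric arguments required" >&2; return 1; }
    done
    cat <<EOF
*filter
:SSH_LIMIT - [0:0]
# Only new TCP connections to sshd are counted; established sessions are untouched.
-I INPUT 1 -p tcp --dport $1 -m conntrack --ctstate NEW -j SSH_LIMIT
# Drop a source that already has $3 recorded attempts in the last $2 seconds.
-A SSH_LIMIT -m recent --name ssh --update --seconds $2 --hitcount $3 -j DROP
# Otherwise record this attempt and hand back to INPUT, so any source
# allow-list rules further down still apply.
-A SSH_LIMIT -m recent --name ssh --set -j RETURN
COMMIT
EOF
}

# Dry run by default: print the rules for review.
# To load them without flushing existing rules (as root):
#   ssh_ratelimit_rules 22 60 4 | iptables-restore --noflush
# IPv6 needs the same fragment loaded with ip6tables-restore.
ssh_ratelimit_rules "${SSH_PORT:-22}" "${WINDOW:-60}" "${HITCOUNT:-4}"
```

The limit is per source address, so it slows a single host guessing passwords but does not cap attempts spread across many addresses.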