[Freedombox-discuss] SSH problem

Philip Hands phil at hands.com
Thu Jul 23 08:20:24 UTC 2015


Jonas Smedegaard <dr at jones.dk> writes:

> Hi Sandy,
>
> Quoting Sandy Harris (2015-07-22 20:55:42)
>> Is this an issue for the Box? I presume there'll be a fix & debian 
>> will include it so we should be covered, but it seems worth noting.
>> 
>> http://www.itworld.com/article/2951494/bug-exposes-openssh-servers-to-bruteforce-password-guessing-attacks.html
>
> Please file a bugreport against openssh-server.

Don't bother - there's a fix for this already that will be in the next
release.

Also, I'd hope that we'd be putting fail2ban (or similar) on the
freedombox, if password authentication is allowed at all, in which case
that would catch this too.

One can protect against this specific attack by setting:

  KbdInteractiveAuthentication   no

if that is unset in the config, it defaults to whatever
ChallengeResponseAuthentication is set to, so setting that to 'no' will
generally do the trick too.  However, that's not so useful if one
actually wants to allow password authentication.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
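The config advice above, worked through as an added example (this is not code from the original message or from the FreedomBox project). The script reads an sshd_config and reports the effective value of KbdInteractiveAuthentication, applying the defaulting rule Phil describes: when the keyword is unset it inherits ChallengeResponseAuthentication, which itself defaults to "yes". It assumes plain "Keyword value" syntax (no "Keyword=value"), no Match blocks, and sshd's rule that the first occurrence of a keyword wins; the three sample configs are constructed for the example, not taken from any host.

```shell
#!/bin/sh
# Added example (not from the original message or the FreedomBox project).
# Assumptions: "Keyword value" syntax, no Match blocks, first occurrence of a
# keyword wins, and ChallengeResponseAuthentication defaults to "yes".

# Reads an sshd_config on stdin and prints the effective value ("yes"/"no")
# of KbdInteractiveAuthentication.
kbdint_effective() {
    awk '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "challengeresponseauthentication" && !cra_set) { cra = val; cra_set = 1 }
            if (key == "kbdinteractiveauthentication"    && !kbd_set) { kbd = val; kbd_set = 1 }
        }
        END {
            if (!cra_set) cra = "yes"             # sshd default when unset
            if (!kbd_set) kbd = cra               # unset: inherits ChallengeResponseAuthentication
            print kbd
        }'
}

# Convenience wrapper: evaluate a config held in a shell variable.
check_config() {
    printf '%s\n' "$1" | kbdint_effective
}

# Constructed sample configs for the example.
WEAK_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication yes
# KbdInteractiveAuthentication not set: inherits "yes" from the line above'

INDIRECT_FIX_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication no
# KbdInteractiveAuthentication still unset, so it now inherits "no"'

DIRECT_FIX_CFG='PasswordAuthentication yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication no'

# Stand-alone run: report each sample config.
for name in WEAK_CFG INDIRECT_FIX_CFG DIRECT_FIX_CFG; do
    eval "cfg=\$$name"
    printf '%-17s KbdInteractiveAuthentication -> %s\n' "$name" "$(check_config "$cfg")"
done
```

On a live host the authoritative check is `sshd -T`, which prints the effective configuration with keywords lowercased, so look for the kbdinteractiveauthentication and challengeresponseauthentication lines there rather than reading the file by hand. The DIRECT_FIX_CFG form is the one that keeps password logins working while turning off keyboard-interactive, which is the distinction Phil draws above.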