Published 8 years ago by caelreth with 6 Comments

  • idlethreat (edited 8 years ago)
    +3

    Back at the company I used to work at, all systems run SSH on an alternate port (we run it on 2022). That resolved the majority (80+%) of SSH hacking attempts right out of the gate. The majority of scripts rely on SSH being on the default port at all times.

    Doesn't really resolve this issue all that much, just an interesting bit of info I picked up being the security guy for a web hosting company.

    • caelreth
      +3

      It is interesting :)

      I teach networking and ethical hacking, so stories and anecdotes like yours are always appreciated!

    • Kysol
      +2

      I too set up machines with an alternative port + keys instead of passwords. As you said it isn't a solution, but a bandaid.

      What I've also done in the past with some services was to firewall off the port and have a web interface where you logged in. The login would record your IP in a separate log file, and a script would scrape that log, adding the firewall rule to allow that IP address with a TTL. You then set it so that it keeps any existing connections upon firewall reset, and after, say, 5 minutes the port is closed down to all IPs again.
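
A sketch of the log-scraping step Kysol describes, as an added example that is not part of the original comment or anyone's production script. The log format, the set name `ssh_allow`, port 2022 and the use of ipset timeouts for the TTL are assumptions; the code only builds argv lists and does not touch the firewall.

```python
import ipaddress
from datetime import datetime, timedelta

TTL = timedelta(minutes=5)   # the "say 5 minutes" window from the comment
SET_NAME = "ssh_allow"       # hypothetical ipset name

# Assumed one-time setup (not from the thread; 2022 is a placeholder port):
#   ipset create ssh_allow hash:ip timeout 300
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 2022 -m set --match-set ssh_allow src -j ACCEPT
#   iptables -A INPUT -p tcp --dport 2022 -j DROP

# Constructed sample of the web login log (format is an assumption):
# ISO timestamp, login result, client address as seen by the web server.
SAMPLE_LOG = """\
2024-05-01T10:00:00+00:00 OK 198.51.100.7
2024-05-01T10:02:30+00:00 FAIL 203.0.113.9
2024-05-01T10:03:00+00:00 OK 192.0.2.44
2024-05-01T10:03:10+00:00 OK 192.0.2.44; ipset flush
2024-05-01T09:50:00+00:00 OK 203.0.113.50
garbage line
"""

def active_allowances(log_text, now):
    """Return {ip: seconds_remaining} for successful logins still inside the TTL."""
    allowed = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[1] != "OK":
            continue  # malformed line or failed login
        try:
            when = datetime.fromisoformat(parts[0])
            # Strict parse: a field that is not a bare IPv4 address is dropped,
            # so log content can never smuggle extra arguments into the command.
            ip = str(ipaddress.IPv4Address(parts[2]))
            remaining = int((when + TTL - now).total_seconds())
        except (ValueError, TypeError):
            continue
        if 0 < remaining <= TTL.total_seconds():  # not expired, not future-dated
            allowed[ip] = max(remaining, allowed.get(ip, 0))
    return allowed

def ipset_commands(allowed):
    """Build argv lists (never shell strings) adding each address with its remaining timeout."""
    return [["ipset", "-exist", "add", SET_NAME, ip, "timeout", str(secs)]
            for ip, secs in sorted(allowed.items())]
```

Pass each returned list to `subprocess.run(argv, check=True)` from a root-owned job; the kernel then expires entries on its own, and the conntrack rule keeps sessions that are already established.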

  • skolor
    +1

    This seems like as good a time as any to remind people they really should be using ssh keys, where possible, instead of passwords. About the only situation I wouldn't use one is if I didn't know what computer I would be connecting from ahead of time, which is a situation that doesn't come up often.

    • ST3ALTHPSYCH0
      +2

      Even at that, with the keys in authorized_keys instead of authorized_hosts you're still covered, and you could carry your private key (password protected, of course) on a USB drive.

      • skolor
        +1

        Yeah, the case for not using keys is pretty small. I was thinking if, for some reason, you need the ability to be dropped, naked, in the middle of a city and get access to your server immediately, passwords are the way to go. Otherwise, I'm not sure the use case for them other than "management is hard".
