Oh right, we do allow 443 as well. And our IT department just installed a proxy here too.
WHAT A PAIN! I've been filing case after case getting them to re-open access to sites I need.
And, there's some bizarre feature that I don't completely understand, where all HTTPS traffic
is forwarded through the proxy and so it comes with the wrong (or anyway additional)
encryption, so signatures don't match and all sorts of other messy things. Of course the
thing is only tightly integrated with Internet Explorer, so if you use any other browser, even
on Windows, you have to enter your password info, which then times out again (how anyone can
imagine that promoting the use of IE is a security _enhancement_ utterly escapes me but...)
I've arrived at work in the morning and had 100's of dialogs I have to get rid of from my RSS
feeds, my weather applets, etc. when my password times out after I've left for the day.
It's hard for me to believe the benefits really outweigh the costs here, but I guess I only
see the costs and not the benefits.
Posted Oct 25, 2007 21:22 UTC (Thu) by utoddl (subscriber, #1232)
This is why I like working for a university. Firewall? Sure, you can install your own if you
want one. And we do have _some_ things walled off, but by and large most hosts are highly
exposed to the internet.
It drives vendors nuts, 'cause many of their products assume there's a draconian firewall
between them and the world, so they claim they don't need to deal with security issues. They
often know nothing about SSL, Kerberos, keys,... they just trust the firewall which, to their
amazement, isn't there!
One of the best was a demo by an ERP vendor. They were showing off their stuff, how cool and
secure it was. Then somebody in the back of the room with a wireless Mac laptop took over the
presenter's session. He gave it back, but not before making his (and breaking the presenter's)
point about the system's security.
Preventing brute force ssh attacks
Posted Oct 25, 2007 21:52 UTC (Thu) by nix (subscriber, #2304)
Our lot blocked Google (`Proxy Avoidance'), *.oracle.com, and *.redhat.com
(`Software Download') for a month. We're an Oracle-on-RHEL shop, so this
was pretty disruptive, but apparently only the filter authors could remove
the blocks, and the auditors wouldn't allow them to disable the filtering.
It's all utterly insane.