| |||||||||||||
|
| |||||||||||||
Brute-Force SSH Server Attacks Surge (InformationWeek)Brute-Force SSH Server Attacks Surge (InformationWeek)Posted May 14, 2008 16:36 UTC (Wed) by pcampe (subscriber, #28223)In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by kssingvo Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek) See http://lwn.net/Articles/222201/, and accept only certificates for SSH.
(Log in to post comments)
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 1:05 UTC (Thu) by csamuel (✭ supporter ✭, #2624) [Link] Except that, according to the Metasploit project, on Debian/Ubuntu boxes with broken OpenSSL: When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type. The reason is that the only "random" data being used by the PRNG is the ID of the process. [...] Links to the pregenerated key sets for 1024-bit DSA and 2048-bit RSA keys (x86) are provided in the downloads section below. ...and if you've used such a system with a good DSA key then you can consider that compromised too.
Brute-Force SSH Server Attacks Surge (InformationWeek) Posted May 15, 2008 19:39 UTC (Thu) by pcampe (subscriber, #28223) [Link] >Except that, according to the Metasploit project, on Debian/Ubuntu boxes >with broken OpenSSL That is an implementation problem, limited to Debian and derivated systems. Certificates are the only way to be sure that your server is not password-guessed.
|
|
||||||||||||