Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 0:29 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by eru
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

There's no reason it needs to be so dangerous that you'd want to disable it.

If you don't have root logins, and you require a key for access (where the search time is
controlled by a computer algorithm rather than by a human's ability to remember complicated
strings of letters and digits) you can make SSH an uninteresting target.

If the script kiddies had a dozen boxes chewing away for weeks at a time and didn't get a
single hit they'd stop doing it. That they're currently still doing it suggests that it
probably still works. Which means there are still machines where you can ssh in with username
'root' password 'sesame' and get a root bash prompt. I think we should fix /this/ part rather
than just disabling SSH by default.
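The comment's point is that the brute-forcers keep going because some hosts still accept a guessed root password. The detection that shows whether that is happening on a given host is a count of "Failed password" attempts per source and a search for any "Accepted password for root" event. The script below is an added example, not code from this thread or from LWN; the sshd log lines it reads are constructed for the example and use documentation IP ranges, and the `brute_force_sources` / `root_password_logins` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the LWN thread): spot password brute-forcing and
# successful root password logins in classic syslog-format sshd lines.
# The log lines below are constructed for this example.

AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
May 15 00:29:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 40122 ssh2
May 15 00:29:03 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
May 15 00:29:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 40124 ssh2
May 15 00:29:09 host sshd[1238]: Failed password for root from 198.51.100.7 port 40125 ssh2
May 15 00:30:11 host sshd[1240]: Accepted password for root from 198.51.100.7 port 40130 ssh2
May 15 00:31:00 host sshd[1242]: Failed password for alice from 192.0.2.5 port 51000 ssh2
May 15 00:31:20 host sshd[1244]: Accepted publickey for alice from 192.0.2.5 port 51001 ssh2
EOF

# brute_force_sources FILE THRESHOLD
# Print "<source-ip> <failed-attempts>" for every source with at least
# THRESHOLD "Failed password" lines, most aggressive source first. The
# source address is the token after "from", whatever the user name looks like
# ("root" or "invalid user admin").
brute_force_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr
}

# root_password_logins FILE
# Print the source of every successful *password* login as root: the exact
# event the comment describes, and one that PermitRootLogin no plus
# key-only authentication makes impossible. Key logins ("Accepted publickey")
# are deliberately not reported.
root_password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for root from/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
    }' "$1"
}

echo "== sources with 3 or more failed password attempts =="
brute_force_sources "$AUTH_LOG" 3
echo "== successful root password logins =="
root_password_logins "$AUTH_LOG"
```

On a real host the file argument would be `/var/log/auth.log` or the output of `journalctl -u ssh`; any hit from `root_password_logins` means the host is exactly the kind of machine the comment says should be fixed.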


Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 4:34 UTC (Thu) by bronson (subscriber, #4806)

> There's no reason it needs to be so dangerous that you'd want to disable it.

Sure there is.  A closed port is infinitely more safe than a listening port.

Well, maybe not infinitely.  But it's a huge number.  The difference is so big that running
listening servers that the user isn't actually using is downright irresponsible.

> If you don't have root logins, and you require a key for access ... you can make SSH an
uninteresting target.

Not if you were running Debian or Ubuntu.  :(


Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 9:19 UTC (Thu) by ekj (subscriber, #1524)

True, but you exaggerate somewhat. Not only the *relative* risk, but also the *absolute* risk
is relevant.

It may be true that a non-listening port is one million times safer from network exploits than
a listening port. (number grasped out of thin air)

But if the risk that a certain service causes problems is minuscule enough, then that
reduction in risk is still ignorable.

If, for example, there's a 1:100 chance that a certain setup will be compromised in a year,
and a 1:1000000 chance that a given service will be compromised, then turning off that service
while in principle good, in practice makes no detectable difference to the overall security of
the host.

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 15:33 UTC (Thu) by bronson (subscriber, #4806)

Hm, are you saying that worrying about running services is silly because there are so many
more reliable ways of rooting a box?  If so, I have two replies:

- Running services have always been the most effective way of rooting a box.  They are the 1:100
number you quoted.

- Disregarding a 1:100000 chance event might make sense on some level.  The problem is that
Linux deployments are immense and the downside of having your box rooted is so enormous.  If
36,000 Linux boxes will be compromised this year, and a particular running service is
responsible for only 60 of those breakins, it sounds like you're saying that the service is
statistically insignificant and can be ignored.

That might keep the statisticians happy but I think it is clearly wrong.  At least, I hope
that the distros I use don't feel that way!

Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 16, 2008 6:00 UTC (Fri) by ekj (subscriber, #1524)

Nah. We don't really disagree. I'm just nitpicking. Specifically, I'm nitpicking the claim
that a large relative reduction in risk by ITSELF is a reason to do something. Cutting a risk
by 99% sounds great; my point was merely that if the risk is minuscule already, it may be that
it's not worthwhile.

Arguably, the safest default is to install no servers, unless the user specifically requests
the install (default: not installed), but some services are probably still better left
installed. Indeed, the safest default is to install NOTHING whatsoever, but this is hardly
reasonable, despite improvements to security.

Similarly, the safest default if the user DOES explicitly install a service is to not run it
-- requiring the user to explicitly enable it if he wants it. But this is unreasonable; most
people who install, say, "openssh-server" also want to run it, so defaulting to off is
unfriendly, even though slightly more secure.

Further, the safest default config would be something like disable-root-login
disable-password-authentication allow-login-only-from-whitelisted-hosts, but again, this
would be unfriendly because it would mean extra work for most people. So this is probably not
worth it -- despite being more secure.
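The three settings named in this comment (and the "no root logins, key required" advice at the top of the thread) map onto `PermitRootLogin`, `PasswordAuthentication` and `AllowUsers` in `sshd_config`. The script below is an added example, not code from this thread or from the OpenSSH project: it audits a config file for those settings the way a practitioner would check a fleet, and it knows that `sshd` honours the first occurrence of a keyword and that everything after the first `Match` line belongs to a `Match` block rather than the global section. Both sample configs are constructed for the example, and `effective_value`, `audit_sshd_config` and `count_findings` are this example's own function names.

```shell
#!/bin/sh
# Added example (not from the LWN thread): audit an sshd_config for the
# hardened defaults the comment describes. Both sample files are constructed.

# effective_value FILE KEYWORD
# Print the effective global value of KEYWORD. sshd takes the first
# occurrence of a keyword, and the global section ends at the first "Match"
# line, so anything after it is ignored here.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }   # comment line
        NF == 0                     { next }   # blank line
        tolower($1) == "match"      { exit }   # global section has ended
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one line per weak or missing setting; print nothing for a hardened file.
audit_sshd_config() {
    cfg=$1
    v=$(effective_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}' (want: no)"
    v=$(effective_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}' (want: no)"
    # AllowUsers user@host entries are how sshd limits logins to listed hosts.
    v=$(effective_value "$cfg" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is unset (want: an explicit user@host list)"
}

# count_findings FILE: number of findings as a single integer on stdout.
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample: the permissive defaults the thread complains about.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample, permissive)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample: the "safest default" the comment describes. The Match
# block re-enables passwords for one user only; it must not be mistaken for
# the global setting.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# sshd_config (constructed sample, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.10 deploy@203.0.113.0/24
Match User deploy
    PasswordAuthentication yes
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened =="
audit_sshd_config "$HARDENED_CFG"
```

Run it against `/etc/ssh/sshd_config` on a real host; the permissive sample yields three findings, the hardened one none. Checking the file is a first pass only: `sshd -T` prints the values the running daemon actually uses, including compiled-in defaults for keywords the file omits.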


Brute-Force SSH Server Attacks Surge (InformationWeek)

Posted May 15, 2008 5:48 UTC (Thu) by MattPerry (subscriber, #46341)

> There's no reason it needs to be so dangerous that you'd want to disable it.

Then disable it because it's not needed.  It's trivial to enable for those who need it.  For
others who don't, it's just using system resources unnecessarily.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds