On Thu, Mar 17, 2005 at 07:14:27PM +0100, Marc Haber wrote:
> On Thu, 17 Mar 2005 10:03:15 -0700, Joel Aelwyn <fenton@debian.org>
> wrote:
> >On Thu, Mar 17, 2005 at 01:09:33PM +0100, Marc Haber wrote:
> >> I am routinely running systems without any packet filtering capability
> >> on the network, and they are perfectly able to cope. They just only
> >> accept network connections for needed services.
> >
> >And just how full of attempts to root SSH are your logs?
>
> A lot. What's the problem?

http://www.cve.mitre.org/cve/refs/refmap/source-BUGTRAQ.html

Search for "ssh". You didn't think those scripts the kiddies run appeared
just to randomly annoy folks running SSH, did you?

Yes, a local admin *can* just disable SSH when faced with a 0-hour
announcement. So can a remote admin. The latter, however, is forced to
choose between "risk a compromise" or "risk waiting until the local admin
can be present", if there isn't any firewall support. If there is, they
can slap on a temporary ACL limiting access to port 22 to certain machines
that are trusted (maybe they run a different version of SSH that isn't
believed to be vulnerable, or maybe they're local to the 'remote' admin,
whatever), and be reasonably confident that the script kiddies won't be
able to get *to* the SSH daemon to compromise it, until a new SSH package
can be built that addresses the vulnerability.

There are other concerns which may apply (such as determining whether the
SSH daemon has already been compromised, if you don't happen to have an
active root shell on the machine in question), but the point stands.
-- 
Joel Aelwyn <fenton@debian.org>                                ,''`.
                                                               : :' :
                                                               `. `'
                                                                 `-
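What the "temporary ACL limiting access to port 22" from the message above looks like in practice, as an added example that is not part of the original thread or of any Debian package: a small POSIX shell script that validates a list of trusted IPv4 sources and emits the iptables commands for the lockdown (an ESTABLISHED rule first so the remote admin's own session survives, the trusted sources next, DROP last), the commands that lift it again once a fixed sshd package is installed, and a timed automatic rollback as a guard against a typo in the trusted list locking the remote admin out. The chain name SSH_LOCKDOWN, the rollback delay and the RFC 5737 documentation addresses are constructed for the example; it assumes a modern iptables with the conntrack match and the -C (check) option, both of which post-date the 2005 discussion. Nothing below touches the live firewall unless its output is piped to sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread: emergency SSH access control list.
# Emits iptables commands; apply with:  ssh_lockdown_rules CIDR... | sh

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so
# that nothing but an address ever reaches the iptables command line.
is_ipv4_cidr() {
    cidr=$1
    case "$cidr" in
        ''|*[!0-9./]*|.*|*.|*/*/*) return 1 ;;
    esac
    addr=${cidr%%/*}
    case "$cidr" in
        */*) prefix=${cidr#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the lockdown.  Rule order in the chain is the whole point:
#   1. ESTABLISHED,RELATED  -> the admin's current session is not cut off
#   2. one ACCEPT per trusted source
#   3. DROP everything else bound for sshd
# A dedicated chain (name is an assumption) lets the lockdown be undone in
# one flush instead of hunting for individual rules in INPUT.
ssh_lockdown_rules() {
    [ $# -ge 1 ] || { echo "need at least one trusted source" >&2; return 2; }
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "bad source address: $src" >&2; return 2; }
    done
    echo "iptables -N SSH_LOCKDOWN 2>/dev/null || iptables -F SSH_LOCKDOWN"
    echo "iptables -A SSH_LOCKDOWN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A SSH_LOCKDOWN -s $src -j ACCEPT"
    done
    echo "iptables -A SSH_LOCKDOWN -j DROP"
    # Insert at position 1 so the jump precedes any existing ACCEPT for 22.
    echo "iptables -C INPUT -p tcp --dport 22 -j SSH_LOCKDOWN 2>/dev/null || iptables -I INPUT 1 -p tcp --dport 22 -j SSH_LOCKDOWN"
}

# Emit the commands that remove the ACL once a patched sshd is in place.
ssh_lockdown_undo() {
    echo "iptables -D INPUT -p tcp --dport 22 -j SSH_LOCKDOWN"
    echo "iptables -F SSH_LOCKDOWN"
    echo "iptables -X SSH_LOCKDOWN"
}

# Same lockdown plus a dead man's switch: a background job lifts the ACL
# after $1 seconds.  If the admin can still log in, they kill that job and
# keep the ACL; if they locked themselves out, access returns by itself.
ssh_lockdown_with_timeout() {
    secs=$1; shift
    case "$secs" in ''|*[!0-9]*) echo "bad timeout: $secs" >&2; return 2 ;; esac
    ssh_lockdown_rules "$@" || return $?
    echo "( sleep $secs; $(ssh_lockdown_undo | tr '\n' ';') ) &"
}

# Stand-alone demo with two constructed trusted sources (RFC 5737 ranges):
# prints the plan; pipe it to sh as root to apply it.
ssh_lockdown_with_timeout 1800 192.0.2.10 198.51.100.0/24
```

Two practical caveats the script encodes: the ESTABLISHED rule must come before the DROP or the very session issuing the commands may hang, and the rollback timer should be long enough to reach the box by another path but not so long that a mistyped trusted address leaves sshd exposed for the whole window. Verify the result with iptables -L SSH_LOCKDOWN -n --line-numbers before walking away.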