Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[Rumor] SSH 0-day
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Thu, 9 Jul 2009 11:46:11 -0400

2009/7/9 Charles Majola <charles.lists () gmail com>:

From the LWN article (OpenSSH maintainer Damien Miller), its probably
not real, well just have to wait and see

Agreed.

Even if you *do* believe the secer site, look at the particulars. It's
a brute force. Properly configure your ssh servers (including
rate-limiting, possibly port knocking, key based authentication and
user () host allow
statements) and file this under a non-issue.

Of course this is all theoretical so far so I suppose everyone is free
to wring their hands and gnash their teeth as much as they wish over
this.

Original CC recipients cut  because I'm the guy that can't remember
which addresses are subscribed to which lists.

kmw

--
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]