[95203] in cryptography@c2.net mail archive
Re: improving ssh
daemon@ATHENA.MIT.EDU (Ivan Krstić)
Thu Jul 19 09:30:12 2007
In-Reply-To: <46991969.5070502@nma.com>
Cc: Cryptography <cryptography@metzdowd.com>
From: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
Date: Mon, 16 Jul 2007 22:25:19 -0400
To: Ed Gerck <edgerck@nma.com>
On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote:
> 1. firewall port-knocking to block scanning and attacks
> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
> block dictionary attacks)
> 3. pre- and post-filtering to prevent SSH from advertising itself and
> server OS
> 4. block empty authentication requests
> 5. block sending host key fingerprint for invalid or no username
> 6. drop SSH reply (send no response) for invalid or no username
None of these are crypto issues. The OpenSSH dev list
(http://www.openssh.com/list.html) would almost certainly lend itself to a
more productive discussion of these concerns. Cheers,
--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com