From: Robert T W. <rob...@ma...> - 2006-12-07 20:21:21

René Berber wrote:
> Jason L Tibbitts III wrote:
>
>> So, you can make denyhosts block any host by logging in with a
>> username that looks like an IP address. Any quick fixes?
>>
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6301
>
> Not an issue, just look at what they say:
>
> "as demonstrated by logging in to ssh using a login name containing certain
> strings with an IP address"
>
> And who is going to create a user in their system with "certain strings" and
> whatever? Answer: nobody.
>
> So they found a flaw, so what? It's not exploitable, just a fluke to brag about
> (for them) -- a waste of time for us.
> --
> René Berber

They don't have to have a user with such a name, they just have to try to log in to your machine with that name.

I agree that I'm not going to worry about this, but not because it couldn't be a problem for somebody. Rather, it is not a problem for me to have extraneous people blocked from my computer. It could be a problem if someone endeavored to check this news list for the various IPs that I have posted from and then blocked me from logging in to my own machines, but I can live with those consequences also. Denyhosts is still my choice for blocking ssh attacks.

Here's a useful thread for an example of the exploit:

http://bugs.gentoo.org/show_bug.cgi?id=157163
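The mechanism behind the thread, as an added illustration that is not DenyHosts' own code: a log-driven blocker that grabs the first IP-looking token from an sshd failure line will treat an IP-shaped username as the offender, while a parser anchored on the `from <ip> port <n> ssh2` fields that sshd itself appends at the end of the line extracts the real source address. The log lines are constructed to resemble OpenSSH auth.log output, and both regexes are hypothetical, not DenyHosts' actual patterns.

```python
"""Added example (not DenyHosts' code): naive vs. anchored parsing of sshd
failure lines, showing how an IP-shaped username poisons a blocklist.

Log lines and regexes are constructed for illustration only."""
import ipaddress
import re

# Constructed sample auth.log lines. The second line carries a username that
# looks like an IP address, the CVE-2006-6301 scenario discussed in the thread.
SAMPLE_LOG = """\
sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4242 ssh2
sshd[1235]: Failed password for invalid user 203.0.113.9 from 198.51.100.7 port 4243 ssh2
sshd[1236]: Failed password for root from 198.51.100.8 port 4244 ssh2
"""

DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"

# Naive (hypothetical) pattern: the first thing after "for" that looks like an
# IP is taken as the attacker. An IP-shaped username sits there first.
NAIVE_RE = re.compile(r"Failed password for .*?(" + DOTTED_QUAD + r")")

# Anchored (hypothetical) pattern: the source address is the token between the
# last " from " and " port N ssh2" at the END of the line. Those fields are
# written by sshd, not chosen by the client, so the greedy username group
# cannot steal them.
ANCHORED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
)


def naive_offender(line):
    """Return the IP a first-match parser would block, or None."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def anchored_offender(line):
    """Return the validated source IP from the sshd-written fields, or None."""
    m = ANCHORED_RE.search(line)
    if not m:
        return None
    try:
        # Reject anything that is not a syntactically valid address.
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None


def block_candidates(log, parser):
    """Run one parser over every line and collect the addresses it would block."""
    ips = []
    for line in log.splitlines():
        ip = parser(line)
        if ip:
            ips.append(ip)
    return ips


def spoofed_blocks(log):
    """Addresses the naive parser would block that never actually connected."""
    real = set(block_candidates(log, anchored_offender))
    return sorted(set(block_candidates(log, naive_offender)) - real)


if __name__ == "__main__":
    print("naive   :", block_candidates(SAMPLE_LOG, naive_offender))
    print("anchored:", block_candidates(SAMPLE_LOG, anchored_offender))
    print("spoofed :", spoofed_blocks(SAMPLE_LOG))
```

The naive parser blocks 203.0.113.9, an address that never connected, which is exactly how a third party could get an arbitrary host (including the administrator's own) into the deny list. The anchored parser ties the decision to fields the client does not control, which is the check a defender wants in any log-driven blocker.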