Displaying 20 results from an estimated 700 matches similar to: "[Bug 3705] New: Disk space exhaustion from PerSourcePenalties logging"
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote:
> I suppose in the next few days, I'll try reproducing my original
> steps
> with the new version and see what happens.
I managed to do some limited testing with a local VM, and the results
are... interesting.
I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated
Ubuntu Linux 24.04 LTS VM with 1 vCPU.
2024 Jun 27
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
I'd like to withdraw the last set of metrics I reported. I couldn't
reproduce some of them, and I suspect I made a mistake during testing.
Being more careful this time, I set up another fully updated Ubuntu
24.04 VM with 4 vCPUs running openssh-SNAP-20240628.tar.gz with all
defaults unchanged.
When running using "ssh-audit.py --conn-rate-test=16 target_host", the
system idle
2024 Aug 01
0
ratelimiting for PerSourcePenalties logging
Hi,
A few people have requested rate-limiting for PerSourcePenalties logging.
These patches add it. Please give them a try if you're interested in this
feature.
-d
-------------- next part --------------
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block
client addresses that repeatedly fail authentication, repeatedly
connect without ever completing authentication or that crash the
server." Has this new PerSourcePenalties config directive been tested
against the DHEat attack?
- Joe
On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote:
> A few days ago, I
2024 Jun 26
1
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
i'm not sure if anything has changed since
https://marc.info/?l=openbsd-misc&m=151233345723889&w=2
On Wed, Jun 26, 2024 at 9:32?AM Joseph S. Testa II
<jtesta at positronsecurity.com> wrote:
>
> Has anyone done any initial research into how much effort it would take
> to port OpenSSH to Rust? If not, I might find that interesting to
> start. (Mind you, this would
2019 Nov 02
2
U2F support in OpenSSH HEAD
I've had a patch on the bugzilla for a while related to U2F with
support for a few additional settings such as providing a path to a
specific key to use instead of the first one found and setting if user
presence is required when using the key. Is there any objection to
folding those parts in if appropriate?
Joseph, to offer comment on NIST P-256. There was originally quite a
limited subset
2008 Jun 23
2
sshd key comment logging
Hi,
I admin a box that has Subversion users authenticate with public keys
to a restricted 'svnuser' account. The comment field of all the keys
describe who they belong to (it has their usernames), but unfortunately,
sshd does not log this when a user successfully authenticates:
Jun 21 08:18:22 localhost sshd[23636]: Accepted publickey for svnuser
from x.x.x.x port 2065 ssh2
Jun
2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of
the DHEat denial-of-service vulnerability against default OpenSSH
settings in cloud environments. I thought those on this list might be
interested:
https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/
A short summary: the default MaxStartup setting is fully ineffective
2001 Jan 05
3
subject: ssh non-intuitive logging setting. (priority names)
subject: ssh non-intuitive logging setting (priority names).
I installed openssh 2.3.0p1 on Solaris 7 for x86 box and
sshd worked fine.
However, somehow the logging of connection and disconnection to
sshd was not recorded as I wished.
Time to investigate.
On a host where sshd from data-fellows once ran,
the log was recorded with auth.info level.
After trying to modify sshd_config, I found
that
2001 Feb 12
0
log-server.c patch: adding tag to every log output.
The attached modification to log-server.c
add a "tag" to all the
syslog output. The tag is a composite of
the internal verbose level names used in sshd and the
external syslogd names.
The form of the tag is as follows.
ssh_internal_name(syslog_priority)
This might be instructive for a learning sysadmin
trying to setup syslog for sshd logging.
(I have posted earlier about
2016 Sep 08
0
AST-2016-007: RTP Resource Exhaustion
Asterisk Project Security Advisory - AST-2016-007
Product Asterisk
Summary RTP Resource Exhaustion
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated Sessions
Severity Moderate
2017 May 19
0
AST-2017-004: Memory exhaustion on short SCCP packets
Asterisk Project Security Advisory - AST-2017-004
Product Asterisk
Summary Memory exhaustion on short SCCP packets
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity
2024 Jun 26
2
CISA et al: "Exploring Memory Safety in Critical Open Source Projects"
Has anyone done any initial research into how much effort it would take
to port OpenSSH to Rust? If not, I might find that interesting to
start. (Mind you, this would be just to get a handle on the project,
not do the full porting work--unless it somehow turns out to be very
easy.)
- Joe
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
2009 Sep 04
0
[Fwd: AST-2009-006: IAX2 Call Number Resource Exhaustion]
Hello,
Just in case someone hasn't upgraded yet, and is using IAX2.
-------- Original Message --------
Subject: AST-2009-006: IAX2 Call Number Resource Exhaustion
Date: Thu, 03 Sep 2009 17:47:35 -0500
From: Asterisk Security Team <security at asterisk.org>
To: bugtraq at securityfocus.com
Asterisk Project Security Advisory - AST-2009-006
2020 Aug 12
0
CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion.
Open-Xchange Security Advisory 2020-08-12
Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5
2020 Aug 12
0
CVE-2020-12100: Receiving mail with deeply nested MIME parts leads to resource exhaustion.
Open-Xchange Security Advisory 2020-08-12
Affected product: Dovecot IMAP server
Internal reference: DOP-1849 (Bug ID)
Vulnerability type: Uncontrolled recursion (CWE-674)
Vulnerable version: 2.0
Vulnerable component: submission, lmtp, lda
Fixed version: 2.3.11.3
Report confidence: Confirmed
Solution status: Fix available
Vendor notification: 2020-04-23
CVE reference: CVE-2020-12100
CVSS: 7.5
2014 Jun 12
0
AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections
Asterisk Project Security Advisory - AST-2014-007
Product Asterisk
Summary Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity
2014 Jun 12
0
AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections
Asterisk Project Security Advisory - AST-2014-007
Product Asterisk
Summary Exhaustion of Allowed Concurrent HTTP Connections
Nature of Advisory Denial Of Service
Susceptibility Remote Unauthenticated Sessions
Severity
2016 Feb 04
0
AST-2016-002: File descriptor exhaustion in chan_sip
Asterisk Project Security Advisory - AST-2016-002
Product Asterisk
Summary File descriptor exhaustion in chan_sip
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
2001 Jul 05
1
OpenSSH Logging Madness
Feature request:
- Please add a new LogLevel corresponding to the LOG_NOTICE syslog level.
- Then modify OpenSSH to log to LOG_NOTICE only these events:
- login failures
- login successes
Specifically, please:
- add a new element to the LogLevel enum, say, 'SYSLOG_LEVEL_NOTICE',
between 'SYSLOG_LEVEL_INFO' and 'SYSLOG_LEVEL_ERROR', in log.h
-