Displaying 20 results from an estimated 5000 matches similar to: "[Bug 3711] New: How do you defend against the D(HE)ater attack?"
2023 Apr 12
1
Defend against user enumeration timing attacks - overkill
Dear colleagues,
I have a question about this commit:
https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216
The function ensure_minimum_time_since effectively doubles the time
spent in the input_userauth_request (mostly presumably in PAM). So if
PAM processing is really slow, it will
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear colleagues,
May I ask you to explain whether I am wrong in my conclusions?
On Wed, Apr 12, 2023 at 11:55 AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote:
>
> Dear colleagues,
>
> I have a question about this commit:
>
>
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dmitry Belyavskiy wrote:
> May I ask you to explain whether I am wrong in my conclusions?
I guess it's not clear what problem you are trying to solve.
//Peter
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear Peter,
I'm trying to balance the original problem statement (protection from
user enumeration) and avoid doubling time here if the process has
already taken a long time to provide faster auth method iteration.
I believe that a better solution is to set some arbitrary (probably
configurable) timeout and, in case when we spend more time than that
value, avoid doubling it.
On Wed, Jun 28,
2024 Jun 25
3
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 16:11 -0400, Joseph S. Testa II wrote:
> I suppose in the next few days, I'll try reproducing my original
> steps
> with the new version and see what happens.
I managed to do some limited testing with a local VM, and the results
are... interesting.
I installed openssh-SNAP-20240626.tar.gz on a fresh and fully-updated
Ubuntu Linux 24.04 LTS VM with 1 vCPU.
2008 Sep 18
0
domU cpuinfo shows only 16 KB after upgrading to Xen-3.3.0!
Hi folks!
After upgrading my Xen-3.2.0 to new Xen-3.3.0/Linux-2.6.18.8-xen-3.3.0 my
domU /proc/cpuinfo shows only:
administrativo@vsrvXX:~$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 6
model name : Intel(R) Pentium(R) D CPU 3.40GHz
stepping : 4
cpu MHz : 3391.500
*cache size : 16 KB*
physical id : 0
siblings
2005 May 16
1
problems with asterisk starting from init.d
Hi All
I had asterisk running on a xercom install, I upgraded the box to a full
debian install and now asterisk is not starting on boot. I can start
asterisk from the command line fine, no problems, but when I type
/etc/init.d/asterisk start it says asterisk PBX started. It doesn't start it
though; when I look at the log file it has this.
May 16 10:19:05 WARNING[3711]: Unable to open
2024 Jan 13
6
[Bug 3656] New: How to fix row hammer attacks?
https://bugzilla.mindrot.org/show_bug.cgi?id=3656
Bug ID: 3656
Summary: How to fix row hammer attacks?
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
2024 Jun 19
2
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Wed, 2024-06-19 at 09:19 -0400, chris wrote:
> real world example (current snapshot of portable on linux v. dheater)
Thanks for this. However, much more extensive testing would be needed
to show it is a complete solution. In my original research article, I
used CPU idle time as the main metric. Also, I showed that very low-
latency network links could bypass the existing countermeasures.
2008 Sep 20
2
Re: My domU cpuinfo shows "cache size: 16KB" after upgrading to Xen-3.3.0... but in Xen-3.2 it has 2048KB!
No one knows about this?!
Is it normal for domU in Xen-3.3 to have only 16KB of CPU cache size?
Thanks!
Thiagi
2008/9/18 Thiago Camargo Martins Cordeiro <thiagocmartinsc@gmail.com>
> Hi folks!
>
> After upgrading my Xen-3.2.0 to new Xen-3.3.0/Linux-2.6.18.8-xen-3.3.0 my
> domU /proc/cpuinfo shows only:
>
> administrativo@vsrvXX:~$ cat /proc/cpuinfo
>
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
In the upcoming v9.8 release notes I see "the server will now block
client addresses that repeatedly fail authentication, repeatedly
connect without ever completing authentication or that crash the
server." Has this new PerSourcePenalties config directive been tested
against the DHEat attack?
- Joe
On Thu, 2024-04-25 at 18:09 -0400, Joseph S. Testa II wrote:
> A few days ago, I
2024 Jun 19
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On Tue, 18 Jun 2024, Joseph S. Testa II wrote:
> In the upcoming v9.8 release notes I see "the server will now block
> client addresses that repeatedly fail authentication, repeatedly
> connect without ever completing authentication or that crash the
> server." Has this new PerSourcePenalties config directive been tested
> against the DHEat attack?
Not explicitly but
2024 Jun 18
2
Call for testing: openssh-9.8
On Tue, 18 Jun 2024, Chris Rapier wrote:
> Just curious, has this been tested at scale? I see that there are, by
> default, a maximum number of hosts it can track (default of 64k it
> seems). At that point I think one of two things happen - sshd stops
> allowing all connections until some of the banned IPs age out (with
> the exception of those IPs on an approved list) or it drops
2024 Jul 12
1
[Bug 3709] New: PerSourceMaxStartups no longer works as advertised
https://bugzilla.mindrot.org/show_bug.cgi?id=3709
Bug ID: 3709
Summary: PerSourceMaxStartups no longer works as advertised
Product: Portable OpenSSH
Version: 9.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2024 Jun 24
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
On 6/19/24 4:11 PM, Joseph S. Testa II wrote:
> On Wed, 2024-06-19 at 09:19 -0400, chris wrote:
>> real world example (current snapshot of portable on linux v. dheater)
>
> Thanks for this. However, much more extensive testing would be needed
> to show it is a complete solution. In my original research article, I
> used CPU idle time as the main metric. Also, I showed that
2024 Apr 25
1
An Analysis of the DHEat DoS Against SSH in Cloud Environments
A few days ago, I published an article analyzing the susceptibility of
the DHEat denial-of-service vulnerability against default OpenSSH
settings in cloud environments. I thought those on this list might be
interested:
https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/
A short summary: the default MaxStartup setting is fully ineffective
2023 Jul 07
3
[Bug 3587] New: Would OpenSSH consider adding a switch to hide the specific OpenSSH version number?
https://bugzilla.mindrot.org/show_bug.cgi?id=3587
Bug ID: 3587
Summary: Would OpenSSH consider adding a switch to hide the
specific OpenSSH version number?
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
2024 May 28
4
[Bug 3693] New: Is SFTP local command execution implemented based on an RFC protocol?
https://bugzilla.mindrot.org/show_bug.cgi?id=3693
Bug ID: 3693
Summary: Is SFTP local command execution implemented based on
an RFC protocol?
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: sftp
2016 Oct 11
3
samba 4 migration (domain admins & domain users renamed)
Hi,
I'm trying to migrate a samba 3 domain, and I have detected that our domain
users and domain admins are migrated/renamed during migration. We have these
groups in a language other than English, and after migration they are migrated to
domain admins and domain users.
Members of these groups are migrated correctly; the only question is whether this change
in name could generate a problem and if this is an issue
2023 Aug 01
3
[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597
Bug ID: 3597
Summary: Why do we check both nsession_ids and
remote_add_provider when judging whether allow remote
addition of FIDO/PKCS11 provider libraries is
disabled?
Product: Portable OpenSSH
Version: -current
Hardware: Other