Sunday 25 January 2015

OpenSSH discovery

Hi folks,

Recently, I looked over a small project from Matt Dillon, basically protecting OpenSSH servers from man-in-the-middle attacks from clients. So sshlockout was born! He confirmed to me slightly later that it was more a kind of "proof of concept" than a genuine project. I decided, on my side, to use a completely different approach and to implement a mitigation against those attacks in OpenSSH directly. My base OS was OpenBSD and the idea is to use Packet Filter tables. Indeed, if an IP address has too many failed authentications, it is pushed into "quarantine": every further attempt to connect to the server is blocked, the packets are dropped by PF ... Some new SSH parameters are added, FailedLoginsGard to turn it on/off and FailedLoginsThreshold for the amount of failures (max_authtries / 2 by default) ... Not yet finished, but I was already able to block some test IP addresses. Later, it will be useful to make it more portable ... FreeBSD/IPFW2? Linux/Netfilter? Will see ...
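As an added example (not code from this post, nor from the OpenSSH patch it describes), here is the same quarantine idea approximated from outside sshd: a PF table, a quick block rule, a threshold of MaxAuthTries / 2, and a scan of constructed sshd log lines. The table name ssh_quarantine, the log lines and the RFC 5737 test addresses are my assumptions.

```shell
#!/bin/sh
# Constructed sshd log lines (not taken from the post); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
AUTH_LOG='Jan 25 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jan 25 10:00:03 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Jan 25 10:00:05 host sshd[1003]: Failed password for root from 192.0.2.10 port 50003 ssh2
Jan 25 10:00:07 host sshd[1004]: Failed password for david from 198.51.100.7 port 50010 ssh2
Jan 25 10:00:09 host sshd[1005]: Accepted publickey for david from 198.51.100.7 port 50011 ssh2'

# Default threshold from the post: MaxAuthTries / 2 (sshd's default MaxAuthTries is 6).
failed_logins_threshold() {
    max_authtries="${1:-6}"
    echo $((max_authtries / 2))
}

# Print every source address whose failed-authentication count reaches the threshold.
quarantine_candidates() {
    threshold="$1"
    printf '%s\n' "$AUTH_LOG" | awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }' | sort
}

# pf.conf fragment (assumed table name): a persistent table and a quick block,
# so packets from quarantined addresses are dropped before reaching sshd.
pf_quarantine_rules() {
    cat <<'EOF'
table <ssh_quarantine> persist
block in quick on egress proto tcp from <ssh_quarantine> to any port 22
EOF
}

# The pfctl command sshd (or a helper) would run to push an address into the table.
pfctl_quarantine_cmd() {
    echo "pfctl -t ssh_quarantine -T add $1"
}

main() {
    t=$(failed_logins_threshold 6)
    pf_quarantine_rules
    for ip in $(quarantine_candidates "$t"); do
        pfctl_quarantine_cmd "$ip"   # printed only; nothing is applied to a live firewall
    done
}

main
```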

For HardenedBSD, I was studying the replacement of the OpenSSL library by LibreSSL. I had successfully done the code replacement, but FreeBSD still uses OpenSSL in base and updates it, and as the code is quite different (LibreSSL is less "hacky" and more readable), some git conflicts occur ... Solving those git conflicts by bringing OpenSSL's code logic back into LibreSSL won't bring any good for sure ... Somehow, lately some FreeBSD people have begun to consider switching to LibreSSL, so hopefully we will be able to see it in base in the future!


View David Carlier's profile on LinkedIn