Way OT: SSH worries

William Burns William.Burns at AEROFLEX.COM
Tue Aug 17 15:41:48 IST 2004


<x-flowed>
John:

I disagree, but before I go into the reasons for that, possibly we could
agree that this method is better?
http://portknocking.org/view/details

Back to stunnel:

Following the "do no harm" philosophy, I use telnet to access a program
that puts an *additional* level of security in front of sshd. While
this additional layer is very weak, it provides no additional
opportunities for buffer-overflow style exploits. stunnel (by
comparison) *might* allow an attacker to break into my system without
even having to contact sshd.
While an attacker who could sniff my traffic could easily find out how I
was turning on my ssh daemon, the attacker would not be able to use that
same technique to exploit sshd.

If you're already using https, and/or pop3s on your system, you might
not view the use of stunnel as an *additional* vulnerability, because
you're *already* exposed to it, in which case, go for it.

My site was one of the first to be affected by the Linux Slapper worm.
This worm made use of an SSL exploit. I assume (possibly incorrectly)
that there are more vulnerabilities to be discovered in SSL, and that
these vulnerabilities may be exploitable regardless of the protocol
being tunneled inside of it.
Telnet is the "lowest common denominator". Telnet is a very simple
protocol, not supporting much beyond TCP itself. Since virtually every
other protocol uses TCP, telnet (as a transport) is "at least as
safe" as all those other protocols in regard to exploits.

Of course, if I were to ever terminate that telnet session directly to a
login prompt, that would be horribly insecure, because the login prompt
itself can be brute-forced, and telnet does not provide any encryption
to prevent legitimate traffic from being monitored by hostile users, but
that's not my application.
My application is "safe".

-Bill

"Ah," said Arthur, "this is obviously some strange usage of the word
safe that I wasn't previously aware of."
(Hitchhiker's Guide to the Galaxy)

John Rudd wrote:

> On Aug 16, 2004, at 11:17 PM, William Burns wrote:
>
>> Re: using stunnel, there are ssl related exploits, no?
>> It seems to me that using stunnel to protect sshd from a *real* exploit
>> is kind of defeating the intended purpose.
>> Wouldn't stunnel be just as vulnerable?
>
>
> Stunnel would be in the same degree of vulnerability as sshd, yes (and,
> to be clear, it's all "degrees of security", nothing is perfect).  But
> stunnel would be a better level of security than telnet, which is the
> right comparison to make.
>

</x-flowed>
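A sketch of the kind of small gate in front of sshd that the message above describes, as an added example that is not Bill's program and not code from the thread. The one-line shared-secret protocol, the names `read_knock`, `handle` and `serve`, the limits, and the `on_open` callback (standing in for whatever starts sshd or opens the firewall) are all assumptions; the point shown is keeping the pre-authentication parsing surface to one bounded read and one comparison.

```python
import hmac
import socket

MAX_KNOCK = 64   # hard cap on bytes accepted before authentication (assumed value)
TIMEOUT_S = 3.0  # drop silent or slow clients (assumed value)

def read_knock(conn: socket.socket) -> bytes:
    """Read one newline-terminated line, never more than MAX_KNOCK bytes."""
    conn.settimeout(TIMEOUT_S)
    buf = b""
    try:
        while b"\n" not in buf and len(buf) < MAX_KNOCK:
            chunk = conn.recv(MAX_KNOCK - len(buf))
            if not chunk:          # peer closed the connection
                break
            buf += chunk
    except OSError:                # timeout or reset: treat as no knock
        return b""
    line, sep, _ = buf.partition(b"\n")
    # No newline inside the cap means oversized or truncated input: reject it.
    return line.rstrip(b"\r") if sep else b""

def handle(conn: socket.socket, peer: str, secret: bytes, on_open) -> bool:
    """Check one connection. The client gets no reply either way."""
    try:
        knock = read_knock(conn)
        # Constant-time compare; an empty configured secret never matches.
        ok = bool(secret) and hmac.compare_digest(knock, secret)
    finally:
        conn.close()
    if ok:
        on_open(peer)              # hypothetical hook: start sshd / allow this peer
    return ok

def serve(port: int, secret: bytes, on_open) -> None:
    """Accept connections one at a time and check each knock."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, (peer, _) = srv.accept()
            handle(conn, peer, secret, on_open)
```

The secret crosses the wire in cleartext, so this has exactly the weakness the message concedes: anyone who can sniff the session learns the knock, and sshd's own authentication remains the real control.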