#!/usr/bin/env sh
# Generate and screen 4096-bit moduli file for /etc/ssh/moduli
#
# Refs:
# `man ssh-keygen`, section MODULI GENERATION
# `man moduli`
# https://infosec.mozilla.org/guidelines/openssh
set -eux
# Work in a private, unpredictable directory instead of a fixed path under /tmp,
# which another local user could pre-create or replace with a symlink.
workdir=$(mktemp -d)
# Generate some 4096-bit Sophie Germain primes
echo "Generating 4096-bit moduli candidates."
time ssh-keygen -M generate -O bits=4096 "$workdir/moduli-4096.candidates"
# Check that they pass Miller-Rabin primality tests
echo "Screening moduli candidates."
time ssh-keygen -M screen -f "$workdir/moduli-4096.candidates" "$workdir/moduli-4096"
# Move the resulting file to the shell's pwd & cleanup temp files.
mv "$workdir/moduli-4096" ./moduli
rm -rf "$workdir"
echo "Complete! File 'moduli' created in current working directory."
echo "Remember to move the 'moduli' file to /etc/ssh/moduli if you are satisfied with it, and then restart your SSH daemon with 'systemctl restart ssh'."
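One way to check the generated file before installing it, as the script's closing message suggests. This is an added example, not part of the original script: `check_moduli`, `write_sample` and `write_bad_sample` are hypothetical helper names, the sample lines are constructed, and the field meanings follow `man moduli`.

```sh
# Line format (moduli(5)): timestamp type tests trials size generator modulus
# Assumption: entries generated with bits=4096 carry size 4095, as in stock
# moduli files (the size field is one less than the requested bit length).

# check_moduli FILE [MIN_SIZE]
# Prints the number of usable entries; returns non-zero if any entry is
# malformed, unscreened or too small, or if the file has no usable entry.
check_moduli() {
    awk -v min="${2:-4095}" '
        function reject(why) { printf "line %d: %s\n", NR, why > "/dev/stderr"; bad++ }
        /^#/ || NF == 0        { next }   # comments and blank lines
        NF != 7                { reject("expected 7 fields"); next }
        $2 != 2                { reject("type is not 2 (safe prime)"); next }
        int($3 / 4) % 2 == 0   { reject("Miller-Rabin bit 0x04 not set in tests"); next }
        $5 + 0 < min + 0       { reject("size " $5 " below " min); next }
        $7 !~ /^[0-9A-Fa-f]+$/ { reject("modulus is not hexadecimal"); next }
        { ok++ }
        END { print ok + 0; exit (bad > 0 || ok == 0) }
    ' "$1"
}

# Constructed sample data: the moduli are short placeholders, not real primes.
write_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240701000000 2 6 100 4095 2 C0FFEE01
20240701000001 2 6 100 4095 5 C0FFEE02
EOF
}

write_bad_sample() {
    write_sample "$1"
    # An unscreened candidate (type 4, sieve only) and an undersized entry.
    cat >> "$1" <<'EOF'
20240701000002 4 2 0 4095 2 C0FFEE03
20240701000003 2 6 100 2047 2 C0FFEE04
EOF
}
```

Run `check_moduli ./moduli` after the script finishes; a non-zero exit status means the file should not be copied to /etc/ssh/moduli.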
#sshd
One interesting change in OpenSSH 9.8, which released today - and you should update ASAP - sshd will now temporarily block connections from clients which either provide wrong credentials or crash the server, akin to Fail2ban:
... sshd will now identify situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsuccessfully (possibly
indicating an attack against one or more accounts, e.g. password
guessing), or when client behaviour caused sshd to crash (possibly
indicating attempts to exploit bugs in sshd).
When such a condition is observed, sshd will record a penalty of
some duration (e.g. 30 seconds) against the client's address. If
this time is above a minimum configurable threshold, then all
connections from the client address will be refused [...] until the
penalty expires. [...]
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd itself. This option is enabled by default.
OpenSSH 9.8 also contains a fix for RegreSSHion, a security vulnerability that allows code execution with root privileges, which currently requires 3-4 hours of continuous connections (and has only been demoed on 32-bit systems) - hopefully time penalties make it much harder to exploit this type of vulnerability.
Something I’m not clear on about the xz backdoor issue: People are saying the big scary vulnerability is through sshd. So for say my home desktop that does not have port 22 exposed to the public that part is probably not going to be an issue, right? I understand that there is a general issue with xz and things that use it too (and I’ve updated and Manjaro do seem to have pushed out an updated package for xz) but the most pressing concern involving an open vulnerability isn’t that scary unless you have a public ssh server running, right?
I mean I do also have some servers running with ssh access but I checked and they are all at least not on the versions of xz people are saying are affected.