Run a net-facing SSH server with (only) password authentication?? Wow, just wow.
A bug in OpenSSH allows an attacker to check whether user names are valid on a net-facing server: for a user that does not exist, the server hashes the supplied password with the Blowfish algorithm, which runs faster than the SHA256/SHA512 hashing used for real accounts, so the response time reveals whether the account exists. The bug hasn't been fixed yet, but in his post to Full Disclosure, Verint developer Eddie Harari says OpenSSH developer Darren Tucker knows about the issue and is …
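The timing leak described above, as an added example that is not from the article or from OpenSSH's own code: a password check that does cheaper work for unknown users sits next to a fixed version that always pays the same cost, and a small measurement routine shows why the first one lets an attacker enumerate accounts. PBKDF2 at two iteration counts stands in for the two crypt algorithms; the user database, salts and iteration counts are constructed for the demonstration.

```python
"""Simulated timing-oracle user enumeration: a leaky password check beside a fixed one."""
import hashlib
import hmac
import os
import statistics
import time

# Constructed stand-ins for the two hash costs in the bug report: real accounts are
# verified with an expensive KDF, unknown accounts with a much cheaper "fake" hash.
REAL_ITERS = 50_000   # plays the role of SHA512-crypt for existing users
FAKE_ITERS = 500      # plays the role of the faster Blowfish fake hash
FAKE_SALT = b"fixed-salt-for-unknown-users"  # hypothetical constant salt


def _kdf(password: str, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iters)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt, REAL_ITERS)


# Constructed user database (hypothetical account and password).
USERS = {"alice": _make_user("correct horse battery staple")}


def check_leaky(user: str, password: str) -> bool:
    """Mirrors the bug: an unknown user costs FAKE_ITERS, a real one REAL_ITERS."""
    rec = USERS.get(user)
    if rec is None:
        _kdf(password, FAKE_SALT, FAKE_ITERS)   # returns much sooner than the real path
        return False
    salt, digest = rec
    return hmac.compare_digest(_kdf(password, salt, REAL_ITERS), digest)


def check_fixed(user: str, password: str) -> bool:
    """Hardened: unknown users pay the same KDF cost, so timing no longer depends on existence."""
    rec = USERS.get(user)
    if rec is None:
        _kdf(password, FAKE_SALT, REAL_ITERS)   # same work as a real account, then reject
        return False
    salt, digest = rec
    return hmac.compare_digest(_kdf(password, salt, REAL_ITERS), digest)


def median_seconds(check, user: str, samples: int = 5) -> float:
    """Median wall-clock time of one failed login attempt: what a remote attacker measures."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        check(user, "wrong-password")
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def enumerate_users(check, candidates, samples: int = 5) -> dict:
    """Classify candidates by comparing their timing to a name that certainly does not exist.

    Returns {name: probably_exists}. Against check_leaky real accounts stand out;
    against check_fixed every candidate looks the same as the baseline.
    """
    baseline = median_seconds(check, "no-such-user-" + os.urandom(4).hex(), samples)
    return {name: median_seconds(check, name, samples) > 4 * baseline for name in candidates}


if __name__ == "__main__":
    for name, check in (("leaky", check_leaky), ("fixed", check_fixed)):
        print(name, enumerate_users(check, ["alice", "bob"]))
```

The fix is the one any constant-work login path needs: the server must do the same amount of hashing whether or not the account exists, and must compare digests with a constant-time comparison. Reducing the measurement to a ratio against a known-nonexistent baseline is what makes the oracle robust to network jitter in practice; a real attacker would take more samples and use a tighter statistical test.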
Not a huge issue in my book. If you're exposing port 22 or any other comm port externally... you have bigger issues to worry about, and by now... most host-based firewalls should only accept comms from other internal systems; hopefully along with a log management system which sends out some sort of notification after 10 consecutive login fails. Yes, I know this can be irritating when decommissioning servers.
Not a huge issue in my book.
I agree. If you have Internet-facing SSH access with username/password authentication then you will see dozens and dozens of failed login attempts every day trying root, admin, guest, mysql, ubnt, etc., so if you have any sense you will be running something to throttle those back, e.g. Fail2ban and a big blocklist, anyway.
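The throttling both commenters describe (a notification after 10 consecutive failures, or Fail2ban banning a source that keeps failing), as an added example that is neither Fail2ban's code nor anything from the thread: a small Fail2ban-style detector that parses sshd log lines, keeps a per-source window of password failures and bans the source once it hits the threshold within the find time. The log lines, host name, addresses and user names are constructed for the example, and the thresholds (maxretry 10, findtime 600 s, bantime 3600 s) are assumed defaults.

```python
"""Fail2ban-style brute-force detection over sshd log lines (constructed sample input)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd lines that matter here: password failures and successful logins.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return {ts, ok, user, ip} for a login success/failure line, or None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    return {
        "ts": datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S"),
        "ok": m["result"].startswith("Accepted"),
        "user": m["user"],
        "ip": m["ip"],
    }


class BruteForceDetector:
    """Ban a source after `maxretry` failures within `findtime` seconds, for `bantime` seconds."""

    def __init__(self, maxretry: int = 10, findtime: int = 600, bantime: int = 3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # ip -> recent (ts, user) failures
        self.banned_until = {}               # ip -> datetime the ban expires

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def feed(self, line: str):
        """Consume one log line; return an alert dict when a ban is triggered, else None."""
        ev = parse_line(line)
        if ev is None or self.is_banned(ev["ip"], ev["ts"]):
            return None
        if ev["ok"]:
            # a successful login ends the run of consecutive failures for that source
            self.failures.pop(ev["ip"], None)
            return None
        window = self.failures[ev["ip"]]
        window.append((ev["ts"], ev["user"]))
        while window and ev["ts"] - window[0][0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ev["ip"]] = ev["ts"] + self.bantime
            users = sorted({u for _, u in window})
            window.clear()
            return {"ip": ev["ip"], "at": ev["ts"], "users": users}
        return None

    def feed_all(self, lines):
        return [alert for alert in map(self.feed, lines) if alert]


def _line(hhmmss: str, msg: str) -> str:
    return f"Jul 18 {hhmmss} bastion sshd[2213]: {msg}"


# Constructed sample log: a spray of 12 names from one source, a second source that stays
# under the threshold, and an unrelated successful key login.
_SPRAY_USERS = ["root", "admin", "guest", "mysql", "ubnt", "pi",
                "oracle", "test", "user", "postgres", "ftp", "git"]
SAMPLE_LOG = [
    _line(f"10:00:{i:02d}", f"Failed password for invalid user {u} from 203.0.113.5 port {40000 + i} ssh2")
    for i, u in enumerate(_SPRAY_USERS)
] + [
    _line(f"10:{5 * k:02d}:30", "Failed password for deploy from 198.51.100.7 port 51000 ssh2")
    for k in range(5)
] + [
    _line("10:30:00", "Accepted publickey for ops from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:constructedfingerprint"),
    _line("10:31:00", "pam_unix(sshd:session): session opened for user ops(uid=1000) by (uid=0)"),
]


if __name__ == "__main__":
    for alert in BruteForceDetector().feed_all(SAMPLE_LOG):
        print(f"ban {alert['ip']} at {alert['at']:%H:%M:%S} after trying {', '.join(alert['users'])}")
```

In this sample the first source is banned on its tenth failure (the names tried are exactly the root/admin/guest/mysql/ubnt style list the comment mentions) and its remaining attempts are ignored while the ban lasts, whereas the second source never accumulates ten failures inside one ten-minute window, so it is left alone. Wiring the returned alert to a firewall rule and a notification is the part Fail2ban's actions do; the detection logic itself is this small.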
Biting the hand that feeds IT © 1998–2022