*** This bug is a security vulnerability ***
Public security bug reported:
ssh is now handling by upstart native jobs(with /etc/init/ssh.conf
configs), and "respawn" stanza. This is great works. But this behavior
is not familiar for security paranoid.
Scenario:
- sshd is enougth to berief, but this is not perfect. In future, if we have
got vuln for exploiting sshd, that can "randomly" type atacks (e.g.: buffer
overflow, it is exploitable with probabilistic atacks, like brute force.).
- endless respawning is weaken for these "memory address brute force" atacks.
IMHO, when using "respawn" stanza, it needs something "limit" stanza (e.g.:
respawn limit 60 30) or any other way ( e.g.: MAC by AppArmor). limitation by
"limit" can mitigates(atack speed limitation) probabilistic atacks. This
limitation provides potential over-limit DoS, but unlimited respawning is
dangerous.
# May be, we have to improvement upstart respawn stanza, like "respawn delay"
feature...
....Yes, this wish is not only ssh services. But ssh is most popular +
internet accessible services.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
--
[LUCID] We need "limit" Upstart-ed ssh respawning
https://bugs.launchpad.net/bugs/533352
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
