OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: PerpetualNewbie on July 01, 2024, 06:15:10 PM

Title: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: PerpetualNewbie on July 01, 2024, 06:15:10 PM
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

(Claimed regression of CVE-2006-5051)
( https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc )

Assuming there will be a patched sshd in a new OPNSense hotfix/release, what is the present best advice for people running sshd?

sshd.config alter "LoginGraceTime" to "0" (unlimited) then bounce sshd service or some other step?

Thanks!
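The workaround named in the question is a single sshd_config directive, but it is easy to get wrong because sshd honours only the first occurrence of a directive and ignores anything placed after a Match line. The check below is an added example, not code from this post or from the OPNsense project: it parses a constructed sshd_config, reports the LoginGraceTime sshd would actually apply (defaulting to 120 seconds when unset), and says whether the "0" workaround is in effect. The sample configs and the function names are constructed for the illustration.

```python
"""Check whether an sshd_config applies the LoginGraceTime 0 workaround.

Added example for this thread, not OPNsense code. It assumes OpenSSH's
parsing rules: directives are case-insensitive, written as "Key value" or
"Key=value", '#' starts a comment, the FIRST occurrence of a directive wins,
and everything after the first Match line belongs to a Match block (where
LoginGraceTime is not allowed anyway).
"""
import re

# sshd's built-in default for LoginGraceTime is 2m (120 seconds).
DEFAULT_LOGIN_GRACE_TIME = 120

_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value: str) -> int:
    """Convert an sshd time-format value ("0", "120", "2m", "1h30m") to seconds."""
    text = value.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError(f"invalid sshd time value: {value!r}")
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def effective_login_grace_time(config_text: str) -> int:
    """Return the LoginGraceTime sshd would apply for this config, in seconds."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if m is None:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break  # no further global directives can follow a Match line
        if keyword == "logingracetime":
            return parse_sshd_time(arg)  # first occurrence wins
    return DEFAULT_LOGIN_GRACE_TIME


def assess(config_text: str) -> dict:
    """Summarise the effective setting and whether the workaround is active."""
    seconds = effective_login_grace_time(config_text)
    return {"login_grace_time_seconds": seconds, "workaround_applied": seconds == 0}


# Constructed sample configs (not taken from any real system).
SAMPLE_DEFAULT = """\
# stock-style config, LoginGraceTime not set -> sshd default applies
Port 22
PermitRootLogin no
"""

SAMPLE_WORKAROUND = """\
LoginGraceTime 0
LoginGraceTime 2m   # ignored: sshd keeps the first value
Match User backup
    PasswordAuthentication no
"""

SAMPLE_LATE = """\
# first value wins, so the later "0" does NOT take effect
logingracetime=45s
LoginGraceTime 0
"""

if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT),
                      ("workaround", SAMPLE_WORKAROUND),
                      ("late", SAMPLE_LATE)):
        print(f"{name}: {assess(cfg)}")
```

Run it against the real file with `effective_login_grace_time(open("/etc/ssh/sshd_config").read())` after the service has been restarted. The trade-off to keep in mind: LoginGraceTime 0 means unauthenticated connections are never timed out, so MaxStartups becomes the only limit on how many idle pre-auth sessions the daemon will hold, which is why the workaround is a stopgap until the patched package arrives.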
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: meyergru on July 01, 2024, 06:46:41 PM
Either that or closing up the SSH port from the WAN side, perhaps?

Considering that the expected time for a full-scale attack is deemed to be around at least a week, you can wait for at least that long for a hotfix.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Seattle2k on July 02, 2024, 05:35:21 PM
If you have SSH open from outside, you're doing something wrong.
And, as PerpetualNewbie mentioned, this vulnerability is not exactly simple to exploit.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 02, 2024, 08:59:18 PM
Quote from: Seattle2k on July 02, 2024, 05:35:21 PM
If you have SSH open from outside, you're doing something wrong.

Exactly. SSH from outside should always be accessed via VPN. In fact, everything from outside should go through VPN.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Monviech (Cedrik) on July 02, 2024, 09:02:07 PM
And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.g.:
https://en.m.wikipedia.org/wiki/Anti-replay
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Patrick M. Hausen on July 02, 2024, 09:06:55 PM
VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 02, 2024, 10:10:11 PM
Quote from: Monviech on July 02, 2024, 09:02:07 PM
And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.g.:
https://en.m.wikipedia.org/wiki/Anti-replay

Well. By that logic, let's not use computers at all. Let's get back to the stone age.

Quote from: Patrick M. Hausen on July 02, 2024, 09:06:55 PM
VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

It's about layers of protection, not X vs Y.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Patrick M. Hausen on July 02, 2024, 10:15:42 PM
A VPN might expose a root RCE with more or less the same probability as SSH.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 02, 2024, 10:29:00 PM
Quote from: Patrick M. Hausen on July 02, 2024, 10:15:42 PM
A VPN might expose a root RCE with more or less the same probability as SSH.

It might. World War 3 might happen tomorrow. See where I'm going with this? This whole thing is so blown out of proportion it's ridiculous.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Monviech (Cedrik) on July 02, 2024, 11:04:07 PM
Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 02, 2024, 11:40:45 PM
Quote from: Monviech on July 02, 2024, 11:04:07 PM
Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

Leave the IT space and go do something else. 
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Greg_E on July 03, 2024, 03:10:41 PM
Quote from: alex303 on July 02, 2024, 10:10:11 PM

Well. By that logic, let's not use computers at all. Let's get back to the stone age.


Can we please go back, my life would be SO much more simple!
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 03, 2024, 03:43:13 PM
Quote from: Greg_E on July 03, 2024, 03:10:41 PM
Quote from: alex303 on July 02, 2024, 10:10:11 PM

Well. By that logic, let's not use computers at all. Let's get back to the stone age.


Can we please go back, my life would be SO much more simple!

On a serious note, people have become so spoiled, nitpicky and entitled. They are impossible to please because "everything is broken and everything can be exploited". Sometimes when I read forums I wish the OPNsense team would go fully closed source and switch to a subscription-only model with hefty prices.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: seed on July 03, 2024, 05:12:24 PM
I also do not understand why people become angry so easily.

When the community version support is not enough for one, go buy a business licence and escalate this on the support side.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Patrick M. Hausen on July 03, 2024, 05:35:26 PM
Who's getting angry? The only person in this discussion insulting others is @alex303.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: alex303 on July 03, 2024, 05:58:09 PM
Quote from: seed on July 03, 2024, 05:12:24 PM
I also do not understand why people become angry so easily.

Because they don't understand that using OPNsense is a privilege. The fact that OPNsense offers so much for free is not enough for them. No. They want OPNsense developers to respond to their emails or posts right away and fix bugs or implement features that they want immediately because product X or product Y already has those features. They literally act like entitled spoiled brats. If their wishes are not fulfilled in a timely manner, they either start bashing developers for being lazy and irresponsible or they "threaten" that they will switch to alternative solution X or Y.

God forbid they make a donation or buy Deciso hardware when OPNsense is working as expected.

Quote from: seed on July 03, 2024, 05:12:24 PM
When the community version support is not enough for one, go buy a business licence and escalate this on the support side.

Exactly. Or go use something else.

Quote from: seed on July 03, 2024, 05:12:24 PM
There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

Exactly. I'm thankful for this wonderful piece of free software.

Quote from: Patrick M. Hausen on July 03, 2024, 05:35:26 PM
Who's getting angry? The only person in this discussion insulting others is @alex303.

I'm getting angry. However, I'm not insulting anyone. I'm sorry if you somehow recognized yourself in what I wrote.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Monviech (Cedrik) on July 03, 2024, 06:34:29 PM
I commit a lot to OPNsense. If it were closed source I couldn't do that anymore.  :'(

There's also lots of other committers. It's great that it's open source.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Patrick M. Hausen on July 03, 2024, 06:42:23 PM
I found that line insulting:
Quote
It might. World War 3 might happen tomorrow. See where I'm going with this? This whole thing is so blown out of proportion it's ridiculous.

And that one, not directed at myself, though:
Quote
Leave the IT space and go do something else.

And I stand by my verdict that VPN and SSH are ultimately equivalent technologies, and in this specific setting layering does not buy you anything unless your outer layer is proven secure, which we probably both know does not exist outside of small theoretical example programs in universities. This is backed by 30 years of experience including consulting for state agencies.

An RCE in SSH or any VPN technology for that matter is the absolute worst case. I hope we can agree on that. And I did not see anyone in this thread demand Deciso fix it *now*.

After a more thorough assessment it seems to be the general consensus that FreeBSD can be considered safe unless proven otherwise. And we will get a patch next week.

The initial advisory by the FreeBSD security team might have been a bit overblown, but I understand and also fully support their better safe than sorry approach.

And last I also have a track record of 30 years of giving back to the FreeBSD project, and the OPNsense project more recently. Code, advocacy, donations, support, hosted two EuroBSDCons ...

If you want to chat about this over a beer or two: Dublin in September ;)

Kind regards,
Patrick
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: chemlud on July 03, 2024, 07:22:56 PM
Quote
Leave the IT space and go do something else.

Full support; such comments are neither helpful nor serve any purpose for the community. I hoped it would go uncommented.

The people aware of the shortcomings broadly accepted in the everyday life of "pros" should not leave the profession, but have more responsibility in decision making for further hardware and software security. The next few years will be a hard time for security on a global scale...
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Greg_E on July 03, 2024, 08:07:38 PM
I bought 3 years of Business license, and intend to buy 3 more when that runs out. Also going to try and buy some hardware in the next 2 years, so not exactly a freeloader.
Title: Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
Post by: Ground_0 on July 04, 2024, 09:49:20 PM
I am very grateful to be using the Community edition, and I deeply appreciate the forums.
Thank you to the devs and all who offer support in whatever form they can afford.