What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

[PerpetualNewbie]

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

(Claimed regression of CVE-2006-5051)
( https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc )

Assuming there will be a patched sshd in a new OPNSense hotfix/release, what is the present best advice for people running sshd?

sshd.config alter "LoginGraceTime" to "0" (unlimited) then bounce sshd service or some other step?

Thanks!

[meyergru]

Either that or closing up the SSH port from the WAN side, perhaps?

Considering that the expected time for a full-scale attack is deemed to be around at least a week, you can wait for at least that long for a hotfix.

[Seattle2k]

If you have SSH open from outside, you're doing something wrong.
And, as PerpetualNewbie mentioned, this vulnerability is not exactly simple to exploit.

[alex303]

If you have SSH open from outside, you're doing something wrong.

Exactly. SSH from outside should always be accessed via VPN. In fact, everything from outside should go through VPN.

[Monviech (Cedrik)]

And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay

[Patrick M. Hausen]

VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

[alex303]

And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay

Well. By that logic, lets not use computers at all. Lets get back to stone age.

VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

Its about layers of protection not X vs Y.

[Patrick M. Hausen]

A VPN might expose a root RCE with more or less the same probability as SSH.

[alex303]

A VPN might expose a root RCE with more or less the same probability as SSH.

It might. World war 3 might happen tomorrow. See where im going with this ? This whole thing is so blown out of proportions its ridiculous.

[Monviech (Cedrik)]

Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

[alex303]

Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

Leave the IT space and go do something else. 

[Greg_E]

Well. By that logic, lets not use computers at all. Lets get back to stone age.

Can we please go back, my life would be SO much more simple!

[alex303]

Well. By that logic, lets not use computers at all. Lets get back to stone age.

Can we please go back, my life would be SO much more simple!

On a serious note, people have become so spoiled, nitpicky and entitled. They are impossible to please because "everything is broken and everything can be exploited". Sometimes when i read forums i wish opnsense team goes fully closed source and switch to subscription model only with hefty prices.

[seed]

I also do not understand why people become angry so easy.

When the community version support is not enough for one, go bui a business licence and escalate this on the support side.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

[Patrick M. Hausen]

Who's getting angry? The only person in this discussion insulting others is @alex303.