
SSH_ChallengeResponse_BO

#5327
Posted: 03/10/2008 07:19:18
by aljaz (Standard support level)
Joined: 01/10/2008
Posts: 18

Hi.

My Firewall blocks connection to the SSH Server.

Reason:
[Unauthorized Access Attempt] This signature looks at 32768 bytes of SSH connection traffic beginning 1024 bytes after the software version information has been exchanged. The signature fires when it finds 48 consecutive characters of ASCII data. The number of bytes to examine (pam.ssh.search.charcount) and the number of consecutive ASCII bytes to trigger the signature (pam.ssh.search.threshold) are user configurable.

Details:
susspectTraffic hmac-sha1.6d64352c686d61632d6d64352d39362c6e6f6e65
pam.ssh.search.threshold 48
server_protocol 2.0
server_software EldoS.SSHBlackbox.5

More details about the event: http://www.iss.net/security_center/reference/2106130.html

How to remove these consecutive characters?

Thank you.
Aljaz
#5328
Posted: 03/10/2008 07:35:23
by Eugene Mayevski (EldoS Corp.)

Quote
aljaz wrote:
How to remove these consecutive characters?


This is not a software problem, but a network management problem. Please contact your network administrator for assistance and make him tune up the firewall properly.


Sincerely yours
Eugene Mayevski
#5329
Posted: 03/10/2008 08:10:54
by aljaz (Standard support level)
Joined: 01/10/2008
Posts: 18

Quote
Eugene Mayevski wrote:
This is not a software problem, but a network management problem. Please contact your network administrator for assistance and make him tune up the firewall properly.


But it means that the application may be vulnerable. When I connect with PuTTY to an OpenSSH server, there is no firewall notification and the connection is established, although my firewall is enabled.
When I try the same, except that I connect to the SecureBlackbox SSH server, my firewall blocks the connection, saying the connection is not safe...

Did I miss something?
#5330
Posted: 03/10/2008 08:35:08
by Ken Ivanov (EldoS Corp.)

Quote
But it means that the Application may be vulnerable.

It's the OpenSSH server that is vulnerable, but I can assure you that SecureBlackbox does not exploit this vulnerability in any way.

The firewall says it detects the issue by the following rule:
Quote
The signature fires when it finds 48 consecutive characters of ASCII data.

It's not the best rule, as 48 consecutive ASCII characters can mean almost anything. In this particular case, I suppose that the large list of encryption algorithms supported by SecureBlackbox is the reason. Please try the following to resolve the problem: turn off all the supported algorithms, leaving the following algorithms enabled:
* 3DES and DES encryption algorithms,
* HMAC-MD5 and HMAC-SHA1 mac algorithms,
* RSA and DSS public key algorithms,
* SSH_KEX_DH_GROUP and SSH_KEX_DH_GROUP_EXCHANGE key exchange algorithms

and check if the problem has gone.

#5338
Posted: 03/11/2008 05:13:42
by aljaz (Standard support level)
Joined: 01/10/2008
Posts: 18

These settings don't resolve the problem.

I will just have to inform my customers that this problem may occur and assure them that the firewall triggers a false alarm.

Thank you for the answers.
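
The signature quoted in the first post, written out as an added example (not code from the thread, from EldoS or from the firewall vendor): it scans a window of the SSH stream for runs of ASCII and is run here over a constructed SSH_MSG_KEXINIT payload. Assumptions: "ASCII data" means printable ASCII, the wire names for the short algorithm set are the RFC 4253/4419 ones, and the KEXINIT cookie is zeroed.

```python
import struct

PRINTABLE = range(0x20, 0x7F)  # assumption: "ASCII data" = printable ASCII bytes

def longest_ascii_run(stream, skip=1024, charcount=32768):
    """Longest printable-ASCII run inside the window the signature examines:
    `charcount` bytes starting `skip` bytes after the version exchange."""
    window = stream[skip:skip + charcount]
    best, best_end, cur = 0, 0, 0
    for i, byte in enumerate(window):
        cur = cur + 1 if byte in PRINTABLE else 0
        if cur > best:
            best, best_end = cur, i + 1
    return best, window[best_end - best:best_end]

def signature_fires(stream, threshold=48, **window):
    return longest_ascii_run(stream, **window)[0] >= threshold

def name_list(names):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """SSH_MSG_KEXINIT payload (RFC 4253, section 7.1); cookie zeroed for the demo."""
    lists = [kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()]
    body = b"".join(name_list(names) for names in lists)
    return b"\x14" + bytes(16) + body + b"\x00" + bytes(4)

# Constructed sample: a short algorithm set, wire names assumed from RFC 4253/4419.
REDUCED = kexinit(
    kex=("diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"),
    hostkey=("ssh-rsa", "ssh-dss"),
    enc=("3des-cbc",),
    mac=("hmac-md5", "hmac-sha1"),
)
# Hex part of the firewall's suspect-traffic field, copied from the first post.
FLAGGED = bytes.fromhex("6d64352c686d61632d6d64352d39362c6e6f6e65")

if __name__ == "__main__":
    print("flagged bytes decode to:", FLAGGED)
    print("run in KEXINIT itself:", longest_ascii_run(REDUCED, skip=0))
    print("fires on payload alone:", signature_fires(REDUCED, skip=0))
    # Same bytes placed 1024 bytes into the stream (zero filler is constructed).
    print("fires inside window:", signature_fires(bytes(1024) + REDUCED))
    print("fires before window:", signature_fires(REDUCED))
```

Name-lists are plain comma-separated ASCII, so a single key exchange list can pass the 48-byte threshold on its own; whether the signature sees it depends on where the packet falls relative to the 1024-byte offset.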