-
jonas’
Qualys struck again: https://marc.info/?l=oss-security&m=173986993304277&w=2 (MitM in ssh client under certain circumstances; pre-auth resource exhaustion (both memory and CPU) in both client and server)
-
moparisthebest
Nice, after the last set of openssh vulns I changed it to no longer listen on the public interface, now I have to connect via wireguard to ssh in, little peace of mind against this kind of stuff
-
jonas’
wait until the first wireguard rce ;)
-
jonas’
but yeah.
-
jonas’
I'm also looking forward to when I do that.
-
roughnecks
https://lists.debian.org/debian-security-announce/2025/msg00030.html
-
moparisthebest
wireguard has the huge advantage that it's invisible to attackers / network scanners, it won't respond unless you have the right keys
-
TheCoffeMaker
wg is the way to go
-
roughnecks
wg is the w(t)g :D
-
TheCoffeMaker
> wg is the w(t)g :D 😂
-
robbystk
Looks like the default settings in recent versions mitigate this sufficiently, right?
-
moparisthebest
I don't think so
-
jonas’
robbystk, they mitigate the MitM, but not the resource exhaustion (on the client side at the very least, not sure about server)
-
Menel
The update I did earlier mitigates it I guess
-
moparisthebest
> robbystk, they mitigate the MitM, but not the resource exhaustion (on the client side at the very least, not sure about server)
Well openssh defaults mean nothing vs what your distro ships or what you have configured, they specifically note that freebsd shipped with this enabled
-
moparisthebest
So upgrade or at least check your config
-
robbystk
> On the server side, this attack can be easily mitigated by mechanisms that are already built in OpenSSH
The defaults for LoginGraceTime, MaxStartups, and PerSourcePenalties look reasonable to me. Are any of you tweaking those at all?
-
robbystk
moparisthebest: good point that the distro can modify the defaults. I will check my configs
-
jonas’
one way to check is `ssh -G some-host | grep -i verify`, though you should note that settings can change by the target host you connect to
-
tom
Wgitm attack?