OpenSSH Must be Taken Very Seriously and Not Left for Microsoft/NSA/GCHQ to Handle
No distro should leave such critical packages at the hands of fake security crackpots
4 days ago in "OpenSSH introduces options to penalize undesirable behavior" OpenBSD Journal said: "In a recent commit, Damien Miller (djm@) introduced the new sshd(8) configurations options, PerSourcePenalties and PerSourcePenaltyExemptList, to provide a built in facility in sshd(8) itself to penalize undesirable behavior, and to shield specific clients from penalty, respectively."
This message was sent a day after Daniel Pocock had published "Edward Brocklesby (ejb) & Debian: Hacking expulsion cover-up in proximity to Oxford and GCHQ" and a day before he published "Edward Brockelsby: how expelled hacker took over Debian's SSH2 package".
Damien Miller (aka "djm") is quoted and then Anonymous Coward is shown to have said that "seems like this is duplicating functionality of fail2ban, but in more security-critical code. any idea why implementing this as a seperate [sic] tool was not considered/done?"
Stefan Sperling (stsp) says "fail2ban cannot be used on OpenBSD. It's not even ported/packaged."
An associate of ours argues that "stsp dodges the main question. While fail2ban is not in ports, sshgaurd is. Either way the functionality previously provided by a separate tool is being re-implemented is very sensitive code."
Anonymous Coward says: "Another package similar, sshguard, has been in ports for a long while, and AWK with PF have been in base for even longer. It would be interesting to know the motivation or goal as to why was this functionality was added to security-critical code."
"Apropos the attacks on SSH mentioned in Pocock's blog post," our associate notes. There's going to be a lot more on OpenSSH, OpenSSL etc. because Debian hid all sorts of security problems and is now attacking the messengers who speak about these problems.
Even Debian's fake security 'gurus', who are sometimes charlatans and posers/phonies, are lawyering up. That won't work, it will only exacerbate matters. █