On Sat, Nov 4, 2017 at 10:14 AM, Petr Štetiar <yn...@true.cz> wrote: > Hans Dedecker <dedec...@gmail.com> [2017-11-03 13:46:14]: > > Hi, > >> By default dropbear logs to syslog which discloses info about account names >> when doing connection attempts (e.g. "Bad password attempt for 'engineer' >> from x.x.x.x:y") > > I don't get it, syslog discloses this information to whom and how? One case is different accounts being defined configured on a router like user/engineer/administrator/root each having access to logread. People using an account should not be able to find out the the other defined accounts eg by simple using logread > >> As this facilitates brute force attempts against account names; > > So instead of preventing this brute force attempts, you'll just ignore them > now? I'm wondering how is the brute forcing easier with syslog logging. > >> make syslog support configurable in order not to leak sensitive info via >> syslog. > > I think, that those are nice warning messages, reminding you, that you're Visions differ about these being nice warning messages dependant on whom you're talking to; after the latest dnsmasq CVE and Krack vulnerabilities people/ISPs have become worried and want to have the knobs not to leak sensitive info. Classifying info as sensitive is again another matter of discussion and differs from person to person. > doing it wrong: > > 1. You should use pubkey auth. > 2. You should limit access to your network services. I've had the very same discussion with ISPs this can be achieved in other ways; but often security discussions almost turn into religious discussions due to the different visions. Remark this patch just offers a knob to turn off syslog logging and does not change the current default behavior being logging to syslog
Hans > > -- ynezz _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
