by jacquesm 3297 days ago
Is there a good reason to open up access to your ssh port for some service by a novelty account which could easily collect information on what version ssl sub-protocols you do and do not support?

Consider me paranoid but I don't like services like this unless they come from reputable sources and even then I'd much rather run something local.

Remember to close your port in your firewall after running the test.


I'm not sure I get you; I find this service most useful for public-facing SSH services (where the risk of attack is the greatest). I wouldn't bother forwarding my laptop's port 22 just to test it, that's for sure.

If an attacker wants to gather a list of vulnerable SSH servers in the wild they just have to map a bunch of random addresses (and that seems to be extremely common judging by the number of failed auths on my public server). Although it could be useful if you wanted to get a list of ssh servers not running on port 22.

Yes, if it is public then I agree.

But if it is private you're going to have to unlock a port, let the service do its thing and then re-lock afterwards. If you forget the last step you are now more at risk than before.

Also, since the service does not advertise what IP it will be connecting from beforehand (presumably the host you complete that form on, but that's not a certainty; its IP is 40.112.150.31, in an MS Azure block), you would open up access to the world in order to do this.

Even if the IP address was guaranteed static, then I wouldn't dare recommend that admins add an exception to the firewall. That would certainly be a very bad practice. There are tools available (mentioned in the comments around) that do the same job and can be run in the DMZ (the question is, would anyone go through the source code and verify the tool does not contain any malicious code?).

Excellent, so how about the opposite: tell people on the website not to make an exception for your service.

I am tempted to not interfere with the darwinian process ;) But seriously, we'll probably add some note like that.

I think it's more the other way round. You already have a public SSH server for whatever reason (e.g. hosting, tunnelling, ...) and you might use this tool to check its capabilities.

The reputability of such a service, or even the existence thereof, does not have anything to do with how much your server is or is not secured.
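The "run something local" alternative raised in the thread, as an added example that is not code from any commenter or from the service being discussed: read the SSH_MSG_KEXINIT your own server advertises (RFC 4253 binary packet and name-list framing) and flag algorithms against a deny-list, without opening the port to a third party. The `WEAK` set, the `SAMPLE` payload and the `localaudit` client identifier are assumptions constructed for the example.

```python
import socket
import struct

KEXINIT = 20
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Illustrative deny-list (an assumption, not a standard); tune it to your own policy.
WEAK = {"diffie-hellman-group1-sha1", "arcfour", "3des-cbc", "hmac-md5", "ssh-dss"}

def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: [names]} (used to construct the sample)."""
    body = bytes([KEXINIT]) + b"\x00" * 16             # message id + 16-byte cookie
    for f in FIELDS:
        names = ",".join(lists.get(f, [])).encode()
        body += struct.pack(">I", len(names)) + names    # RFC 4251 name-list
    return body + b"\x00" + struct.pack(">I", 0)         # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; ValueError if malformed."""
    if not payload or payload[0] != KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    pos, out = 17, {}
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        out[f] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return out

def weak_algorithms(lists):
    return sorted({a for names in lists.values() for a in names if a in WEAK})  # any field

def fetch_server_kexinit(host, port=22, timeout=5):
    """Connect to a server you administer and return its raw KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-localaudit\r\n")
        f = s.makefile("rb")
        while not (line := f.readline()).startswith(b"SSH-"):   # skip banner lines
            if not line:
                raise ConnectionError("closed before identification line")
        pkt_len, pad_len = struct.unpack(">IB", f.read(5))       # binary packet header
        return f.read(pkt_len - 1)[:pkt_len - 1 - pad_len]      # payload minus padding

# Constructed sample: a server still offering SHA-1 DH, DSA host keys, 3DES-CBC, HMAC-MD5.
SAMPLE = build_kexinit({"kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
                        "host_key": ["ssh-ed25519", "ssh-dss"], "enc_s2c": ["aes256-gcm@openssh.com"],
                        "enc_c2s": ["aes256-gcm@openssh.com", "3des-cbc"], "mac_s2c": ["hmac-sha2-256"],
                        "mac_c2s": ["hmac-sha2-256", "hmac-md5"], "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

Against a live host you administer, `weak_algorithms(parse_kexinit(fetch_server_kexinit("127.0.0.1")))` gives the same report the external service would, with the firewall untouched.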