
Re: Required firewall support



On Thu, Mar 17, 2005 at 07:14:27PM +0100, Marc Haber wrote:
> On Thu, 17 Mar 2005 10:03:15 -0700, Joel Aelwyn <fenton@debian.org>
> wrote:
> >On Thu, Mar 17, 2005 at 01:09:33PM +0100, Marc Haber wrote:
> >> I am routinely running systems without any packet filtering capability
> >> on the network, and they are perfectly able to cope. They just only
> >> accept network connections for needed services.
> >
> >And just how full of attempts to root SSH are your logs?
> 
> A lot. What's the problem?

http://www.cve.mitre.org/cve/refs/refmap/source-BUGTRAQ.html

Search for "ssh".

You didn't think those scripts the kiddies run appeared just to randomly
annoy folks running SSH, did you?

Yes, a local admin *can* just disable SSH when faced with a 0-hour
announcement. So can a remote admin. The latter, however, is forced to
choose between "risk a compromise" or "risk waiting until the local admin
can be present", if there isn't any firewall support.

If there is, they can slap on a temporary ACL limiting access to port 22
to certain machines that are trusted (maybe they run a different version
of SSH that isn't believed to be vulnerable, or maybe they're local to the
'remote' admin, whatever), and be reasonably confident that the script
kiddies won't be able to get *to* the SSH daemon to compromise it, until a
new SSH package can be built that addresses the vulnerability.

There are other concerns which may apply (such as determining whether the
SSH daemon has already been compromised, if you don't happen to have an
active root shell on the machine in question), but the point stands.
-- 
Joel Aelwyn <fenton@debian.org>                                       ,''`.
                                                                     : :' :
                                                                     `. `'
                                                                       `-

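As an added example (not part of Joel's mail or any Debian package), here is one way to script the temporary ACL he describes with iptables: a dedicated chain that admits port 22 only from a list of trusted addresses, logs and drops everything else, and can be removed cleanly once a fixed SSH package is installed. The trusted addresses below are constructed placeholders; the functions print the commands so they can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Temporary port-22 ACL as an iptables chain (constructed example).
# Addresses are placeholders from documentation ranges, not real hosts.

TRUSTED_SSH_SOURCES="${TRUSTED_SSH_SOURCES:-192.0.2.10 198.51.100.0/24}"

# ssh_acl_rules LIST: print, one per line, the iptables commands that
# restrict inbound SSH to the space-separated source list in LIST.
ssh_acl_rules() {
    echo "iptables -N ssh-acl"
    # Do not cut off sessions that are already open (e.g. the remote
    # admin's own shell); only new connections are filtered below.
    echo "iptables -A ssh-acl -m state --state ESTABLISHED -j ACCEPT"
    for src in $1; do
        echo "iptables -A ssh-acl -s $src -j ACCEPT"
    done
    # Everything else aimed at port 22 is logged (rate-limited so the log
    # itself cannot be flooded) and then dropped.
    echo "iptables -A ssh-acl -m limit --limit 5/min -j LOG --log-prefix \"ssh-acl drop: \""
    echo "iptables -A ssh-acl -j DROP"
    # Hook the chain in at the top of INPUT so it is consulted before any
    # pre-existing ACCEPT rule for port 22.
    echo "iptables -I INPUT 1 -p tcp --dport 22 -j ssh-acl"
}

# ssh_acl_teardown: print the commands that undo ssh_acl_rules, for use
# once a patched SSH daemon is running.
ssh_acl_teardown() {
    echo "iptables -D INPUT -p tcp --dport 22 -j ssh-acl"
    echo "iptables -F ssh-acl"
    echo "iptables -X ssh-acl"
}

# Review first, then apply as root with:  ssh_acl_rules "$TRUSTED_SSH_SOURCES" | sh
ssh_acl_rules "$TRUSTED_SSH_SOURCES"
```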

