
Re: SSH with potato, not very secure?



Hi,

and thanks to everybody for all the useful information I have received. :)
One good thing about using SSH2.4 instead of OpenSSH is that if someone
installed an RSA key in my .ssh/authorized_keys file, it would be of no
use :) Besides, I have heard that the SSH1.1 protocol is insecure, and
that it is recommended to upgrade to SSH2.

One reason why I did not install any security-updates to SSH1.1 is that on
the web page of www.debian.org they say that there is a remote exploit in
OpenSSH (DSA-027) but it is fixed in Debian 2.2 (potato) and that is the
one I installed. I did not think that I had to install all
security-updates as well, figured they would be in the install. Perhaps
that is something which should be clearly stated on the debian pages?


Regards,
Runar

On Thu, 1 Mar 2001, Noah L. Meyerhans wrote:

> On Thu, Mar 01, 2001 at 09:32:19AM +0100, Runar Bell wrote:
> > 1) I noticed that somebody had logged in to my computer using my username.
> > I can't see how they could have discovered my password (7 letters,
> <snip>
> >
> > 2) When inspecting /var/log/messages I noticed quite a lot of attempts to
> > send a buffer overflow (or something like that) on the port running
> > rpc.statd. Is there some security hole there I am not aware of? I have
> <snip>
>
> OK, here's what I think happened here.  They broke in to your system via
> a vulnerable rpc.statd.  They might have installed some non-obvious back
> door.  It is hard to guess this point.  However, that doesn't explain
> the unauthorized login to your account.  I suspect that what they did
> was either replace sshd with one that provides a back door or installed
> an RSA key in your .ssh/authorized_keys file.  The latter action is
> particularly devious, as that file probably won't get re-created when
> you re-install your system or upgrade ssh or something like that.  Most
> people keep their home directory intact.  With the RSA key in place,
> though, they can log in as you without needing your password.  Once
> they've got access to your system there's a whole new list of root
> exploits available to them.
>
> > 3) I couldn't find any "obvious" back-doors, but that doesn't necessarily
> > mean that there were none, so to be on the safe side, I re-installed linux,
> > and am now using SSH2.4 from www.ssh.com. Hopefully I won't have to do
> > this again. :-)
>
> I would not bother with this.  Provided you've got security.debian.org
> in your apt.sources list and subscribe to debian-security-announce you'll
> have an easier time reacting to any newly discovered ssh
> vulnerabilities.  With an unsupported version of SSH you'll have to
> monitor their site and watch for security updates, then build them by
> hand.
>
> > I am definitely going to install some sort of firewall, are there any
> > recommendations? ipchaining is not supported in my kernel as of now, so I
> > will compile a new kernel when I get the time. But, is there any
> > documentation available discussing recommendations regarding security? (I
> > am not paranoid, but would like it to be as hard as possible to get
> > unauthorized access to my computer)
>
> Ipchains works.  Also, for services that you do want open, use
> tcp_wrappers (man 5 hosts_access).  It also helps to have access to a
> portscanner on a non-local host.  Run something like nmap against your
> machine and see what shows up.  This is what a potential cracker will
> see when they are watching your machine.
>
> noah
>
>
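
An added example, not part of the original thread: a check for the persistence Noah describes, an unfamiliar key left behind in .ssh/authorized_keys. It assumes the current OpenSSH one-key-per-line file format and a set of fingerprints you already trust; the key blobs and file content below are constructed, and the function names are this example's own.

```python
import base64, hashlib, re, struct

# Entry layout: [options] keytype base64-blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (keytype, fingerprint, options, comment), or None if malformed."""
    m = KEY_RE.search(line)
    if not m:
        return None
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob starts with its own length-prefixed type name; it must match.
    (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, fingerprint(blob), line[:m.start(1)].strip(), comment

def unexpected_keys(text, trusted):
    """List (lineno, detail) for every entry not in the trusted fingerprint set."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append((lineno, "unparseable entry"))
        elif parsed[1] not in trusted:
            findings.append((lineno, f"{parsed[0]} {parsed[1]} {parsed[3]}".strip()))
    return findings

def _blob(keytype, material):  # constructed stand-in for a real key blob
    return struct.pack(">I", len(keytype)) + keytype.encode() + material

OWNER, EXTRA = _blob("ssh-rsa", b"\x01" * 64), _blob("ssh-rsa", b"\x02" * 64)
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# my keys",
    "ssh-rsa " + base64.b64encode(OWNER).decode() + " runar@laptop",
    "no-port-forwarding ssh-rsa " + base64.b64encode(EXTRA).decode(),
    "ssh-rsa not*base64"])
```

Calling `unexpected_keys(SAMPLE, {fingerprint(OWNER)})` reports lines 3 and 4; the trusted set is best built from public keys held somewhere other than the host being checked.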



