After some digging I found what I believe is the way this person got in, and much to my surprise it was because Mandrake installs sshd with ssh protocol 1 enabled. I was shocked and horrified to see that my /etc/ssh/sshd_config file contained the line Protocol 2,1. This line allows a client to force a protocol 1 connection.
It is common knowledge that ssh protocol 1 can be easily exploited to gain root access. For years now the exploit tools have been available for download and everyone that has any information about how this exploit works says to disable it.
I quickly checked all my Mandrake systems and found that ssh protocol 1 is enabled in Mandrake 9.0, 9.2 and 10.0. My first experience with this exploit was when Red Hat 6.0 was still new, so why is Mandrake still shipping with this known exploit enabled?
If you are running any systems that have ssh enabled to the Internet, you should check to make sure that your /etc/ssh/sshd_config does not have this problem.
Assuming that this could happen again I have come up with some ideas about how to prevent anyone from doing any damage to my server even if they were to gain root access. I would like to know what you have done, tried or looked into. What do you use to secure your server? I invite everyone to visit the Lethbridge LUG web site and post a comment to http://llug.linux.ab.ca/modules.php?name=News&file=article&sid=40
Also, there is a cool new threat to any sendmail servers running on a DMZ or not behind a firewall.
Related links
http://www.openssh.org/security.html
http://hpcf.nersc.gov/help/access/ssh1to2_user.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
_______________________________________________ clug-talk mailing list [EMAIL PROTECTED] http://clug.ca/mailman/listinfo/clug-talk_clug.ca
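The check the post asks readers to run, as an added example (not part of the original message or of any distribution's tooling): a small POSIX shell script that reads an sshd_config, finds the effective Protocol directive (the last uncommented one wins, which is an assumption about how the daemon parses the file) and reports whether SSH protocol 1 is still offered. The file path, the sample configs in the test, and the function names are all assumptions of this example. An unset directive is also flagged, because OpenSSH releases of the era the post describes defaulted to Protocol 2,1 when nothing was set.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config for a
# Protocol directive that still permits SSH protocol version 1.
# Assumptions: classic "Protocol 2,1" syntax as quoted in the post; lines whose
# first field starts with '#' are comments; the last matching directive wins.

# Print the effective Protocol value, or "unset" if the file never sets one.
effective_protocol() {
    awk 'tolower($1) == "protocol" { val = $2 }
         END { print (val == "" ? "unset" : val) }' "$1"
}

# Return 0 when SSH-1 is not offered, 1 when it is or the directive is unset
# (older OpenSSH defaulted to 2,1 when unset), 2 when the file is unreadable.
check_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    proto=$(effective_protocol "$cfg")
    case ",$proto," in
        *,1,*)
            echo "$cfg: Protocol $proto offers SSH-1; set 'Protocol 2'"
            return 1 ;;
        ",unset,")
            echo "$cfg: Protocol not set; set 'Protocol 2' explicitly"
            return 1 ;;
        *)
            echo "$cfg: Protocol $proto (SSH-1 not offered)"
            return 0 ;;
    esac
}

# Run directly with a path argument; when sourced without one, only define the functions.
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
fi
```

Run it as `sh check_sshd_proto.sh /etc/ssh/sshd_config` on each host; a non-zero exit status means the file needs `Protocol 2`. Remember to restart sshd after editing, since the daemon only reads the file at startup.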

