I didn't watch the video, but I tend to stay very current with the
latest security news...  (comes with the territory - I spend 2 hrs on the
road each day - radio is boring - podcasts and security crap are where
it's at).  There have been no rumblings of a new 0-day for OpenSSH.
Remember that there are various understandings of 0-day, so it may not
truly be 0-day...  In any case the show notes are clear that it is for
version 4.3 - OpenSSH is currently at 5.9.  Update, update, update....

These days, anyone using ssh open to the web - with a root account
allowed, or on the default port of 22 - is simply asking for trouble.
Seriously, just set up an ssh server on port 22 (make sure it's locked
down first!) and then watch your firewall/sshd logs for a day or so,
then run it on another port for a bit (pick a higher one - like over
10000).  Much, much less chatter on any other port. Don't make yourself
a target unless you must.  Run ssh without the root account enabled, as
Andrew K points out.  Run ssh key-based instead of password-based to
deal with the brute forcing issue.

Take the time to read through your sshd config file and look at all the
crap you can disable if you don't use it.  

Port knocking and SPA are also good things to consider.

I wish there were solutions that your average joe (non-technically
inclined) could more easily implement, but that's the beauty of the open
source and 'nix' world - we have all sorts of options!! and community!!



On Fri, 2011-12-02 at 20:29 -0800, [email protected] wrote:
> Send clug-talk mailing list submissions to
>       [email protected]
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>       http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> or, via email, send a message with subject or body 'help' to
>       [email protected]
> 
> You can reach the person managing the list at
>       [email protected]
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of clug-talk digest..."
> 
> 
> Today's Topics:
> 
>    1. 0-day exploit for OpenSSH in the wild (Royce Souther)
>    2. Re: 0-day exploit for OpenSSH in the wild (Gustin Johnson)
>    3. Re: 0-day exploit for OpenSSH in the wild (Andrew J. Kopciuch)
>    4. Re: 0-day exploit for OpenSSH in the wild (Dan Graham)
>    5. Re: The State of the Art (Joe S)
>    6. downloading digital pictures. (Ralph Boland)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 2 Dec 2011 15:38:02 -0700
> From: Royce Souther <[email protected]>
> To: CLUG General <[email protected]>
> Subject: [clug-talk] 0-day exploit for OpenSSH in the wild
> Message-ID:
>       <CAMRh8CXx0B3kWduu6b=VqTy-cQ68k6Ocj5JDBd7O6ua+5d=4...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> If you watch TechSNAP it has more information.
> http://www.jupiterbroadcasting.com/14561/allans-zfs-server-build-techsnap-34/
> 
> PKI may not be enough, I am thinking that port knocking to restrict access
> to port 22 is a good idea now.
> 
> -- 
> Easy, fast GUI development.
> http://PerlQt.wikidot.com
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> <http://clug.ca/pipermail/clug-talk_clug.ca/attachments/20111202/500a9d35/attachment-0001.html>
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 2 Dec 2011 17:24:20 -0700
> From: Gustin Johnson <[email protected]>
> To: CLUG General <[email protected]>
> Subject: Re: [clug-talk] 0-day exploit for OpenSSH in the wild
> Message-ID:
>       <CAPM=hj5xoB=qsutfemtqzlxdmd2aorvbyibwnms4q-cfv9a...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> I have never been a fan of port knocking.  Single Port Auth seems like
> a better idea to me.
> 
> The 0-day is actually a rumor.  While OpenSSH has had its share of
> problems over the years, what this podcast is talking about are old
> OSs with old services.  The compromised machines were running a very
> old version of ssh on old versions of Cent-OS (5.2).
> 
> The lesson here is that you have to patch, regardless of the OS that
> you are using.
> 
> On Fri, Dec 2, 2011 at 3:38 PM, Royce Souther <[email protected]> wrote:
> > If you watch TechSNAP it has more information.
> > http://www.jupiterbroadcasting.com/14561/allans-zfs-server-build-techsnap-34/
> >
> > PKI may not be enough, I am thinking that port knocking to restrict access
> > to port 22 is a good idea now.
> >
> > --
> > Easy, fast GUI development.
> > http://PerlQt.wikidot.com
> >
> > _______________________________________________
> > clug-talk mailing list
> > [email protected]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> > Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> > **Please remove these lines when replying
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 2 Dec 2011 17:34:41 -0700
> From: "Andrew J. Kopciuch" <[email protected]>
> To: CLUG General <[email protected]>
> Subject: Re: [clug-talk] 0-day exploit for OpenSSH in the wild
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
> 
> On December 2, 2011, Royce Souther wrote:
> > If you watch TechSNAP it has more information.
> > http://www.jupiterbroadcasting.com/14561/allans-zfs-server-build-techsnap-3
> >4/
> >
> > PKI may not be enough, I am thinking that port knocking to restrict access
> > to port 22 is a good idea now.
> 
> I believe the exploits were not 0-day, but rather a brute force attack using 
> the root account.
> 
> As Gustin pointed out, the versions were very very old, and should have been 
> patched.  Additionally setting "PermitRootLogin no" in sshd_config would 
> have been a good thing.
> 
> Also, some sort of HIDS like ossec (http://www.ossec.net).  It has an 
> active-response which will block the IPs using iptables from brute force 
> attacks detected.
> 
> 
> Andy
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: This is a digitally signed message part.
> URL: 
> <http://clug.ca/pipermail/clug-talk_clug.ca/attachments/20111202/774680fc/attachment-0001.bin>
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 2 Dec 2011 18:18:56 -0700
> From: Dan Graham <[email protected]>
> To: [email protected], CLUG General <[email protected]>
> Subject: Re: [clug-talk] 0-day exploit for OpenSSH in the wild
> Message-ID:
>       <caaalewb34m7k2+b27ytyaabhbvzq4n2-qguprhjxtgxkmid...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I've been using fail2ban to deal with remote brute force attacks and it
> works like a charm. .. . So far anyway :-)
> 
> 
> 
> On Fri, Dec 2, 2011 at 5:34 PM, Andrew J. Kopciuch <[email protected]>wrote:
> 
> > On December 2, 2011, Royce Souther wrote:
> > > If you watch TechSNAP it has more information.
> > >
> > http://www.jupiterbroadcasting.com/14561/allans-zfs-server-build-techsnap-3
> > >4/
> > >
> > > PKI may not be enough, I am thinking that port knocking to restrict
> > access
> > > to port 22 is a good idea now.
> >
> > I believe the exploits were not 0-day, but rather a brute force attack
> > using
> > the root account.
> >
> > As Gustin pointed out, the versions were very very old, and should have
> > been
> > patched.  Additionally setting "PermitRootLogin no" in sshd_config would
> > have been a good thing.
> >
> > Also, some sort of HIDS like ossec (http://www.ossec.net).  It has an
> > active-response which will block the IPs using iptables from brute force
> > attacks detected.
> >
> >
> > Andy
> >
> > _______________________________________________
> > clug-talk mailing list
> > [email protected]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> > Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> > **Please remove these lines when replying
> >
> 
> 
> 
> -- 
> One thing you can be sure of. If you throw a loaded gun in a monkey cage,
> something bad is going to happen.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> <http://clug.ca/pipermail/clug-talk_clug.ca/attachments/20111202/8c3ee055/attachment-0001.html>
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 2 Dec 2011 18:33:41 -0700
> From: Joe S <[email protected]>
> To: CLUG General <[email protected]>
> Subject: Re: [clug-talk] The State of the Art
> Message-ID: <[email protected]>
> Content-Type: Text/Plain;  charset="iso-8859-1"
> 
> That was an interesting video.
> How far in the future is this happening?
> How far will this go? Won't people want to work on files on their 
> computer without being connected to the internet, especially if 
> that wasn't convenient or for personal documents.
> 
> On Thursday 01 December 2011 10:42:53 am Shawn Grover wrote:
> > On 11-11-30 05:35 PM, Gustin Johnson wrote:
> > > Anyway, the whole debate is moot as the desktop is dead.  I
> > > do not mean extinct but it is becoming irrelevant from a
> > > consumer point of view.  I suspect the modern desktop is
> > > going to live on as a niche that is outside the mainstream
> > > consciousness.
> > 
> > your comments made me think of this:
> > http://youtu.be/sQzZVP1mua0 from 2010...  Just ignore the MC.
> > 
> > 
> > _______________________________________________
> > clug-talk mailing list
> > [email protected]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> > Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> > **Please remove these lines when replying
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Fri, 2 Dec 2011 21:29:43 -0700
> From: Ralph Boland <[email protected]>
> To: [email protected]
> Subject: [clug-talk] downloading digital pictures.
> Message-ID:
>       <capmv+mwcz40lp52mcbuygn8wvlsecbkuooutm+o5cuqs-y+...@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I recently borrowed a digital camera with which I will take a dozen or
> so pictures.
> I wish to download these pictures, one per file using a usb connection.
> Is there preferred software I should use for this?
> I am using Ubuntu 11.04.  I will send these pictures to a Windows based system
> by email though I don't see why that should matter.
> 
> Ralph (Rocky) Boland
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> clug-talk mailing list
> [email protected]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> 
> 
> End of clug-talk Digest, Vol 85, Issue 3
> ****************************************
> 



-- 
This message has been scanned for viruses and dangerous content by the Cistra 
MailScanner and is believed to be clean.


_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
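The thread's advice boils down to two things: read your sshd_config and turn off what you don't need (PermitRootLogin no, key-based instead of password auth, a non-default port), and watch the logs for brute forcing the way fail2ban or ossec's active-response do. The script below is an added example, not code from the list or from any of the posters: it audits an sshd_config text against those settings and counts "Failed password" lines per source IP. The two config texts and the auth log lines are constructed samples, the OpenSSH defaults assumed for missing keywords are labelled in the code, and the ban threshold of 5 is an arbitrary choice, not fail2ban's or ossec's setting.

```python
"""Audit sshd_config against the hardening advice in the thread and count
brute-force sources from auth log lines.  Added example; all inputs below
are constructed samples, not captures from a real host."""
import re
from collections import Counter

# Constructed: a default-looking config with the root setting still commented out.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed: the same host after applying the thread's advice.
HARDENED_CONFIG = """\
Port 22022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Assumed defaults for keywords that are absent from the file.  "Port 22" is
# the OpenSSH default; treating an unset PermitRootLogin/PasswordAuthentication
# as "yes" matches the OpenSSH 5.x era the thread discusses and is deliberately
# pessimistic (newer releases default PermitRootLogin to prohibit-password).
ASSUMED_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for active directives.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the config follows the advice."""
    effective = dict(ASSUMED_DEFAULTS)
    effective.update(settings)
    findings = []
    if effective["port"] == "22":
        findings.append("Port 22: default port, expect constant scanner chatter")
    if effective["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no': root can be brute forced directly")
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is possible")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based login unavailable")
    return findings


# Constructed auth log lines in the syslog format OpenSSH uses; the addresses
# are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Dec  2 15:38:02 host sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Dec  2 15:38:03 host sshd[2201]: Failed password for root from 198.51.100.7 port 41023 ssh2
Dec  2 15:38:04 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Dec  2 15:38:05 host sshd[2205]: Failed password for root from 198.51.100.7 port 41025 ssh2
Dec  2 15:38:06 host sshd[2207]: Failed password for root from 198.51.100.7 port 41026 ssh2
Dec  2 15:40:10 host sshd[2210]: Failed password for alice from 203.0.113.9 port 50100 ssh2
Dec  2 15:40:30 host sshd[2212]: Accepted publickey for alice from 203.0.113.9 port 50101 ssh2
"""

# Matches both "Failed password for root from A.B.C.D" and the
# "Failed password for invalid user NAME from A.B.C.D" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_ip(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def brute_force_sources(log_text, threshold=5):
    """Addresses at or above the threshold: the set a fail2ban/ossec-style
    active response would hand to iptables.  Threshold is an arbitrary choice."""
    counts = failed_logins_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or ["no findings"])
    print("failures per IP:", dict(failed_logins_by_ip(SAMPLE_LOG)))
    print("would block:", brute_force_sources(SAMPLE_LOG))
```

Pointing `parse_sshd_config` at the text of a real /etc/ssh/sshd_config gives you the same checklist the post describes by hand; the log half only reports counts and never touches the firewall, so it is safe to run against a copy of /var/log/auth.log to see how much chatter port 22 actually attracts before deciding whether to move the port or add fail2ban.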
