[Quoted in full for other mailing lists]

What happened is that intruders were able to log in to routers and run some
commands.  As for Cisco's running SSH - this is available on low-end routers
only with the 'T' IOS series which is another way of saying 'beta'. ('T' means
technology.)  SSH is mainstream on the 'S' series which is available only on
7206, 75xx and 12xxx GSR afaik.

I have not been successful in putting SSH on our 72xx's as you can only
readily download Single DES IOS and I was told of the need to rebuild OpenSSH
to support that.  3DES requires an "Export License" and my attempt to request
that has not succeeded so far.

Thus the workaround of having a console server jacked in to the router and
accepting SSH logins as a proxy.

Another caveat - while SSH is secure cryptographically, the fact that sshd
itself is a complex program that is required to run as root opens it up to more
vulnerabilities.  And, replacing your OpenSSH with a trojaned 'ssh.fi' (old)
SSH 1.5 sshd is a common part of rootkits.

On Sun, Jun 24, 2001 at 12:29:47PM +0800, Rafael R. Sevilla wrote:
> 
> On Sun, 24 Jun 2001, Tonton Rabena wrote:
> >
> > I myself am using telnet, do you think they can sniff my password??
> >
> 
> Yes, of course.  They can also see EVERYTHING you're doing.  And it's not
> only by means of sniffing.  They can also do a MITM attack and fool you
> into believing you're connecting to your host when in reality you're
> connecting to them and they're silently forwarding your traffic to the
> real host.
> 
> > security breaches were made by running exploitable daemons ...
> 
> Not just.  There are many, many ways a compromise can occur.  I've learned
> this lesson the hard way.  If someone guesses passwords which are pitifully
> obvious, if you get socially engineered, there are SO many ways that a
> break can occur.  Don't be so foolish as to believe that buggy services
> are the only way security breaches can happen.
> 
> > in the first place how could they run a sniffer if they don't have access to
> > your servers?
> >
> 
> It's this attitude of complacency that gets your systems cracked.  And as
> previously mentioned, unencrypted protocols are vulnerable to MITM
> attacks.  In an extreme case, your opponents could have TEMPEST hardware
> that listens to stray electromagnetic emissions by your computers. :)
> 
> > I don't think you can use SSH only at all times, for instance you can't use
> > ssh on a router.
> 
> Some newer model Ciscos have SSH support built in, by the way, so this is
> not absolutely true.  And that's the reason for having host PC's on serial
> ports that do speak SSH.
> 
> > why would you put a host pc to console a router? do you think you have only
> > one router at one place?
> 
> Of course not.  Every router would have a host PC console.  The extra
> expense involved in adding such host PC's (which need not be expensive
> computers, obsolete machines like old 486's running FreeBSD or Linux whose
> only job would be to listen to SSH connections and to allow people with
> access to use minicom on the routers) far outweighs the cost of having a
> router compromise.  A few weeks ago we learned how expensive such a
> compromise can be.  We thought that since none of these compromisers have
> real knowledge of Cisco IOS it didn't matter if our routers were
> compromised.  Boy were we wrong.  I'll leave it to Migs to tell the rest
> of that story, he's my boss, and I'll let him explain what exactly
> happened in that incident if he will.
> 
> > Can't you have a secure telnet connection?
> >
> 
> Yes, it's called Secure Shell.
> 
> Maybe you ought to watch the episode of Digitaltour which featured Ian and
> me. :)

-- 

http://www.internet.org.ph
Philippine Internet Resources
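The caveat in the message above, that a rootkit commonly swaps the real sshd for a trojaned old SSH 1.5 daemon, suggests two cheap defender checks. The following is an added example, not code from either poster: it compares the sshd binary against a recorded SHA-256 baseline, and it parses the server's SSH identification string (the "SSH-protoversion-softwareversion" line) to flag a daemon that suddenly speaks only protocol 1.x or advertises a different software version. The binary contents, the banner "SSH-1.5-1.2.27" and the expected version "OpenSSH_2.9p1" are constructed sample values.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def parse_ssh_banner(banner: str) -> Tuple[str, str]:
    """Split an SSH identification string into (protoversion, softwareversion)."""
    line = banner.strip()
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH banner: {banner!r}")
    _, proto, rest = line.split("-", 2)
    software = rest.split(" ", 1)[0]      # drop optional trailing comment
    return proto, software


def banner_findings(banner: str, expected_software: str) -> List[str]:
    """Flag a daemon that only speaks protocol 1.x or reports unexpected software."""
    proto, software = parse_ssh_banner(banner)
    findings = []
    if proto.startswith("1.") and proto != "1.99":   # 1.99 = both 1 and 2 offered
        findings.append(f"daemon speaks SSH protocol {proto} only")
    if software != expected_software:
        findings.append(f"software {software!r} differs from expected {expected_software!r}")
    return findings


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: Dict[str, str]) -> List[str]:
    """Return paths whose current SHA-256 no longer matches the recorded baseline."""
    return [p for p, digest in manifest.items()
            if not os.path.exists(p) or sha256_file(p) != digest]


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: baseline the binary, then overwrite it as a rootkit would."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd")            # stand-in for /usr/sbin/sshd
        with open(sshd, "wb") as f:
            f.write(b"original OpenSSH daemon (constructed stand-in)")
        manifest = {sshd: sha256_file(sshd)}      # baseline taken on a known-clean host
        with open(sshd, "wb") as f:
            f.write(b"replaced daemon (constructed stand-in)")
        changed = verify_manifest(manifest)
    banner = "SSH-1.5-1.2.27"                     # constructed old-style ssh.fi banner
    return changed, banner_findings(banner, "OpenSSH_2.9p1")
```

The baseline manifest must come from a trusted source (install media or an offline copy), since a rootkit that replaced sshd can just as easily replace a hash list kept on the same host.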