On Tue, 19 Oct 2004 09:00:19 -0500, gp <[EMAIL PROTECTED]> wrote:
> We installed Linux on the box from a RH7.2 CD so I guess
> it was all right off the CD. I did a rpm -qa and my version
> is openssh-server-2.9p2-7. And actually I wanted to upgrade
> the openssh but there were a lot of dependencies. My
> problem really re-started on an attack on SSH on our box.
> I am not sure if my OpenSSH version has a vulnerability
> but my guess is it has. Thanks for the advice guys.

that's a *really* old RH version. ian and a few others have posts (see the archives) on how long such an old version of RH can stay online before getting cracked.

for old versions of anything, you can upgrade (lots of security problems are fixed in new versions) or make sure you can get security patched RPMs for the version you're using (after a while a version is just going to get to end-of-life and then there won't be any official support for it, then you'll have to find volunteer RPM builders, but even those will eventually give up on old versions) or you can build your own patched RPMs (probably not an option if you're having trouble enough managing the RPM dependency hell).

unless there's a really compelling reason to stay with that old version (e.g., you've got some sort of enterprise software that won't run on anything else and you can't upgrade that to run on newer distributions) i would recommend an upgrade.

if you *can't* upgrade or install better RPMs, you should probably totally firewall that box off and just never let anything from the internet connect to it. it's too dangerous out there. use another, newer box, for ssh.

at some point (around RH 7.3, probably, sometime around 2001-2002 i think), there was a remote root exploit for openssh that did not require authentication. some sort of buffer overflow or integer overflow i think. you might have been hit by that.

if you can't get openssh RPMs (or the RPM hell of dependencies is too hard to fix), and you can't upgrade, you can download openssh. it's not hard to build from source. there are probably related security holes in 7.2 supplied libraries which openssh depends on. so if you're going to build openssh, i'd suggest downloading all the encryption and security related libraries it needs, building them all, and then building openssh and specifying all the manually compiled libraries you built (instead of having openssh use the standard libraries in /lib or /usr/lib).

to figure out what libraries to download and build, just go into the openssh build directory and do

    ./configure --help > help.txt

and view help.txt. it'll list what directories you can specify, for openssh to use those directories.

this might not be sufficiently secure though. you might also strace sshd and see what libraries it's loading. then you can figure out what packages those libraries come from and download and build those (except maybe for some things like the standard C library).

but again, i'd just upgrade. i mean, i *could* do all of that and figure out what the source dependencies are and install them all, but it would take long enough that it's just not worth the trouble.

oh, sendmail from around that time (7.2) was, i think, an open relay. but you might have fixed that already.

tiger

--
Gerald Timothy Quimpo http://bopolissimus.sni.ph
[EMAIL PROTECTED]
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"

Mene sakhet ur-seveh
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
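
The strace step suggested in the message above, as an added example that is not part of the original post: it pulls the shared libraries that were actually loaded out of an strace log and asks rpm which package owns each one. The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find which shared libraries a
# daemon really loaded, from an strace log, then look up the owning RPMs.
# Real input would come from something like: strace -f -o sshd.trace <command>
LC_ALL=C; export LC_ALL

# Constructed sample log; paths and library versions are illustrative only.
sample_strace_log() {
cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libcrypto.so.2", O_RDONLY) = 3
open("/usr/lib/libz.so.1.1.3", O_RDONLY) = 3
[pid 1234] open("/lib/libpam.so.0", O_RDONLY) = 4
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib/libcrypto.so.2", O_RDONLY) = 5
open("/etc/ssh/sshd_config", O_RDONLY) = 3
EOF
}

# Print the unique shared objects that were opened successfully.
# Failed probes (return value -1) are skipped: the loader tries several
# paths, and only the one that succeeded is the library actually in use.
# Non-library files (ld.so.cache, config files) are filtered by name.
libs_from_strace() {
    awk -F'"' '
        /open(at)?\(/ && $NF ~ /= [0-9]+$/ && $2 ~ /\.so(\.[0-9.]+)?$/ { print $2 }
    ' | sort -u
}

# Map each library path on stdin to its owning package with `rpm -qf`.
# Libraries no package owns (e.g. hand-built ones), or any library on a
# host without rpm, are flagged so they can be tracked and patched by hand.
owning_packages() {
    while IFS= read -r lib; do
        if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$lib" 2>/dev/null); then
            printf '%s\t%s\n' "$lib" "$pkg"
        else
            printf '%s\t%s\n' "$lib" "UNOWNED-OR-NO-RPM"
        fi
    done
}

sample_strace_log | libs_from_strace | owning_packages
```

The resulting package list is what to check against available security updates, or what to rebuild from source if no updated RPMs exist.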
