[ale] hack attempts

Michael H. Warfield mhw at wittsend.com
Fri Feb 11 13:27:36 EST 2005


On Tue, 2005-02-08 at 16:39 -0500, Bob Toxen wrote:
> On Mon, Feb 07, 2005 at 02:12:30AM +0000, Jay Loden wrote:
> > I got exactly the same thing on my home desktop (which has ssh so I can log in 
> > from away) and I mean exactly...same usernames and everything.  
> 
> > I'd also be interested to know what if anything one can do about this,
> > besides blocking the IPs 
> 1. If you don't need SSH, turn it off.

	I would tend to agree with this point.  But that pretty well limits you
to the cases where you only want to use your system while sitting at the
keyboard.  Any remote management or operation and ssh becomes the tool
of choice.  Remember, it's not just an application for getting a shell,
it's also a transport for rsync and a tunnel for vnc and many many other
valuable operations.  But...  If you don't do any of that and you truly
don't need to secure any remote access to your systems, then, by all
means, disable it.  You really should.

> 2. Use the ssh.com version of SSH as it has a better security history than
>    OpenSSH by about 4:1.

	I would have to strongly disagree with this point.  From my experience
(and, if you look in the README file with the commercial version of ssh,
you'll find me listed as a contributor) I've been less than impressed
lately with the level of support and development of the commercial ssh
vs OpenSSH.  And, once you mix in the quagmire of licensing issues and
shifting definitions of what is and is not "commercial usage", I'm not
comfortable with the direction Tatu has taken his version of ssh and the
license requirements.  I'm not sure I trust him not to change his
licensing yet again (there are at least three different ones out there,
depending on version).  He's virtually disappeared off the ssh
discussion forums and was even threatening the IETF, demanding that
they, and OpenSSH, change the name of the standard (he lost on both
counts).  I used to blame some of his PR troubles on the licensing front
on some of his minions running the business but the last foo-fa-rah over
the SSH name convinced me otherwise.

	I particularly find this disturbing...  SSH now calls the old SSH
Workstation product "SSH Tectia Client" and the server product "SSH
Tectia Server (A)".  Over under the "Secure Applications Connectivity
Products", you find these notes:


> When these products are used to protect a single business application
> without centralized management, SSH Tectia Connector licenses are
> provided free of charge. 
> 
> SSH Tectia Connector can only be used with SSH Tectia Server (T).

	Ok...  So the "connector" licenses are still free for single business
apps "without central management".  But the connector can only be used
with the Tectia Server (T).  What means that?  That they no longer work
with OpenSSH?  Or is there some difference between Server (A) and Server
(T)?  Sounds like the quagmire over there has gotten deeper since 4.0.

	And Bob, if you are using any of the free versions of ssh version 2.0
or later from SSH, Inc and using it in your consulting practice, IN ANY
WAY, I can guarantee you that you are violating the SSH2 license.  Had
that discussion with Tatu, years ago.  Non-commercial use of SSH1 would
allow the use in a business where you are not making money off it.  Not
so with SSH2.  In fact, in education, you are not even allowed to use
the free license commercial version of SSH2 to manage your systems
(that's now considered "commercial"), even though you can use it to
teach with.  Confused yet?

	OpenSSH, OTOH, has responded rapidly and proactively to many of these
issues.  You don't find advanced techniques such as privilege separation
in the commercial version of ssh.  Yes, we (Internet Security Systems)
actually caught Theo and crowd on OpenSSH (that's why they had to change
the OpenBSD Web page about "no holes" to "one hole") but I would still
stick to OpenSSH (only one remote root hole).  We weren't real thrilled
when Theo chose to use our discovered vulnerability to push his
"privilege separation" feature out the door and into the mainstream
packages, but it was his shot to call and we had a very congenial
advisory and release coordination with him and Markus (and those of you
who know Theo can pick your jaws up right now, yes it was friendly and
pleasant dealing with him).

	If one were to go purely on "track record", then we should all be using
MMDF as our mail transport.  After all, it's every bit as old as
Sendmail, and it's had the massive deployment of being the default mail
transport on SCO Unix / SCO OpenServer (and massively used in the
military - it was jokingly referred to as "Military Mail Distribution
Facility" back then) since the early 80's.  And yet, it's only had ONE
minor security advisory, that I'm aware of, in its entire history (QMail
has only had a fraction of the history and a fraction of the deployment
and yet has had several more).  Yet, most of us stick with Sendmail.
Sendmail used to be referred to as the "bug of the month club" (or "bug
of the week club"), yet it's been stable and reliable and is still the
number one MTA.  Bind has also had a checkered past.  Yet, most of DNS
runs on Bind and Bind 9 has been very stable (some problems, but they've
gotten fixed at warp speed).  I don't see that much djbdns/tinydns,
dents, or other DNS servers in the DNS survey.  Past history is not
always a good indicator of future performance.  Both bind and sendmail
as well as openssh continue to be the leaders in their respective realms
and will continue to be so.

	All that said, the commercial version of SSH is not going to help you
out one iota with the current round of ssh scanning.  Most of this is
LAME brute force attacks, thanks to the Metasploit package and morons
who like to play with matches, which will be just as effective against
any ssh version.  You have a stupid password, commercial ssh is not
going to be of any help.  You have a good password, you can ignore the
ankle biters that are just playing around with the latest version of
Metasploit.  You turn off passwords and just use OPIE / S/Key or RSA
keys and they can FOR-GET-IT.

	Remember when "RootShell" was busted into a few years back and all the
rage was that the break-in was "through ssh"?  Correct!  On its face,
absolutely correct.  But the REAL STORY was that they had their root
password on another machine sniffed in another (clear text) protocol and
that root password was the same as the RootShell site.  So the attacker
connected to RootShell as root and logged in.  Literally, he came in
THROUGH ssh.  But he had the root passwd.  Yes, they were broken into
through ssh.  But not because of ssh.  Commercial ssh vs OpenSSH, no
difference.

> 3. Edit your /etc/hosts.allow and /etc/hosts.deny to allow SSH access only
>    from those systems that need it.

	True.  That helps, but I find less and less need to even allow IPv4
access to ssh when IPv6 is available everywhere to every machine whether
the supporting infrastructure supports it or not.  Oh, and hosts.allow
and hosts.deny (tcpwrappers and friends) all support IPv6 as well.

	I keep my ssh access on IPv6 where I can get at it from anywhere on
IPv4 and yet it can not be scanned for.  Metasploit is just doing brute
force, scan-the-planet, scanning and won't touch IPv6.  And IPv6 is
unscannable.  Even 6to4, if you take appropriate precautions (non-trivial
EUI and restricted ICMP error returns to non-listening addresses). IPv6
is also a lot easier to set up and use than that silly "port
knocking" (which works just as well on IPv6 as well, but who needs it).

> > -Jay

> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
> 
> 
> > On Sunday 06 February 2005 10:38 pm, Jim Philips wrote:
> > > Feb  6 06:53:55 localhost sshd[1659]: Invalid user patrick from
> > > 62.193.234.89
> > > Feb  6 06:53:55 localhost sshd[1659]: Failed password for invalid user
> > > patrick from 62.193.234.89 port 37002 ssh2
> > > Feb  6 06:53:57 localhost sshd[1663]: Invalid user patrick from
> > > 62.193.234.89
> > > Feb  6 06:53:57 localhost sshd[1663]: Failed password for invalid user
> > > patrick from 62.193.234.89 port 37199 ssh2

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
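An added example, not code from the thread or from any of its participants: the script below takes sshd log lines of the kind Jim quoted, counts failed password attempts per source address, renders the noisy sources as the `sshd:` entries Bob's point 3 would put in /etc/hosts.deny, and checks an sshd_config fragment for the "passwords on" setting Mike says makes the scanning irrelevant. The log lines and both config fragments are constructed for this example; the three-attempt threshold, the `brute_force_sources` and `password_auth_findings` names, and the 2001:db8:: and 192.0.2.0/24 addresses are assumptions, not values from the thread.

```python
"""Per-source sshd failure counts, hosts.deny rendering and a password-auth
config check.  Added example for the ALE thread, not code from the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the sshd lines quoted in the thread; the
# IPv6 and 192.0.2.7 lines are invented to show non-matching traffic.
SAMPLE_LOG = """\
Feb  6 06:53:55 localhost sshd[1659]: Invalid user patrick from 62.193.234.89
Feb  6 06:53:55 localhost sshd[1659]: Failed password for invalid user patrick from 62.193.234.89 port 37002 ssh2
Feb  6 06:53:57 localhost sshd[1663]: Invalid user patrick from 62.193.234.89
Feb  6 06:53:57 localhost sshd[1663]: Failed password for invalid user patrick from 62.193.234.89 port 37199 ssh2
Feb  6 06:54:01 localhost sshd[1667]: Failed password for root from 62.193.234.89 port 37311 ssh2
Feb  6 07:10:12 localhost sshd[1702]: Accepted publickey for mike from 2001:db8::10 port 50122 ssh2
Feb  6 07:12:40 localhost sshd[1710]: Failed password for mike from 192.0.2.7 port 41022 ssh2
"""

# Matches "Failed password for [invalid user] NAME from ADDR port N"; the
# optional "invalid user" prefix is what sshd logs for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins(log_text):
    """Return {source_address: Counter({username: failures})} from sshd log text."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, addr = m.groups()
            per_source[addr][user] += 1
    return per_source


def brute_force_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed password attempts.
    The threshold is an arbitrary choice for this example (assumption)."""
    return sorted(
        addr for addr, users in failed_logins(log_text).items()
        if sum(users.values()) >= threshold
    )


def hosts_deny_lines(addresses):
    """Render /etc/hosts.deny entries that refuse sshd from the given addresses.
    hosts_access(5) writes IPv6 literals in square brackets."""
    return [f"sshd: [{a}]" if ":" in a else f"sshd: {a}" for a in addresses]


# Constructed sshd_config fragments: the weak one leaves password guessing
# possible, the hardened one is the "turn off passwords, use keys" setup.
WEAK_SSHD_CONFIG = "PasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED_SSHD_CONFIG = (
    "PasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\n"
)


def password_auth_findings(config_text):
    """Flag sshd_config settings that keep a brute-force scanner in business.
    Missing keys are treated as the permissive value (assumption for this example)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on; password guessing stays possible")
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password logins as root")
    return findings


if __name__ == "__main__":
    for addr, users in failed_logins(SAMPLE_LOG).items():
        print(addr, dict(users))
    print("\n".join(hosts_deny_lines(brute_force_sources(SAMPLE_LOG))))
    print(password_auth_findings(WEAK_SSHD_CONFIG))
```

Run against the sample, only 62.193.234.89 crosses the threshold (three failures across two usernames), so the rendered deny list is the single line `sshd: 62.193.234.89`; the single failure from 192.0.2.7 and the key-based login are left alone. The config check reports two findings for the weak fragment and none for the hardened one.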