Possible OpenSSH 0day

Crusty

Nice to see 'recent' versions not affected... but exactly how recent?
 

n0cmonkey

We don't even know if this is true yet. ;)

5.2 was released on Feb. 23, 2009. That isn't very "recent," and I can't imagine up to date systems not having it at this point. It's just the legacy installs. Right? :p
 

n0cmonkey

Ok, so this may not be a crisis, but it would be a good excuse to audit all of your available SSH-capable systems. Are you using the latest version (or latest version put out by your packaging system)? Have you disabled/enabled the right accounts (should root be able to log in? How about billing_user?)? Do you have accounts that have only 1 function that can be limited with ForceCommand? How about SSH keys? Do you need password accessible accounts? Time for a key rotation? Are your host keys recorded anywhere to verify against (the DNS option looks interesting)? Are you logging failures? Are you looking at these logs? Can you automate it?

Any other auditing ideas?
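
One way to automate part of the checklist in the post above (root login, password accounts, ForceCommand for single-function accounts, failure logging), as an added example that is not part of the thread. The sample config, `backup_user` and the command path are constructed, and the parser assumes the space-separated `Keyword value` form of `sshd_config`.

```python
import shlex

# Constructed sample sshd_config; backup_user and the command path are made up.
SAMPLE_CONFIG = """\
PermitRootLogin yes
# sshd keeps the first value it sees for a keyword, so the next line is ignored:
PermitRootLogin no
PasswordAuthentication yes
LogLevel QUIET
Match User billing_user
    ForceCommand /usr/local/bin/run-billing-report
Match User backup_user
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords lower-cased, first value wins."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # drops '#' comments
        if not tokens:
            continue
        key, args = tokens[0].lower(), " ".join(tokens[1:])
        if key == "match":          # following lines belong to this block
            current = {}
            blocks.append((args, current))
        else:
            current.setdefault(key, args)
    return global_opts, blocks

def audit(text, single_function_users=()):
    """Return findings for the root login, password, logging and ForceCommand checks."""
    opts, blocks = parse_sshd_config(text)
    findings = []
    if opts.get("permitrootlogin", "unset").lower() in ("yes", "unset"):
        findings.append("root-login: PermitRootLogin is yes or not set explicitly")
    if opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("passwords: PasswordAuthentication is enabled globally")
    if opts.get("loglevel", "INFO").upper() in ("QUIET", "FATAL", "ERROR"):
        findings.append("logging: LogLevel is below INFO")
    # Users named in a "Match User ..." block that also sets ForceCommand.
    forced = {u for crit, blk in blocks if "forcecommand" in blk
              for kind, pat in zip(crit.split()[::2], crit.split()[1::2])
              if kind.lower() == "user" for u in pat.split(",")}
    findings += [f"forcecommand: {u} has no ForceCommand"
                 for u in single_function_users if u not in forced]
    return findings
```

Calling `audit(SAMPLE_CONFIG, ["billing_user", "backup_user"])` returns one finding per failed check; an empty list means the file passed all four.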
 

n0cmonkey

In a perfect world all of my systems would be on at least 3 networks.
1. Normal
2. admin network
3. logging network
4. storage network

Unfortunately, it's really hard to do with geographically disperse systems. ;)
 

Crusty

Originally posted by: n0cmonkey
In a perfect world all of my systems would be on at least 3 networks.
1. Normal
2. admin network
3. logging network
4. storage network

Unfortunately, it's really hard to do with geographically disperse systems. ;)

That only depends on how hard you want to try ;)

After some upgrades here in the office, mostly an upgrade to a new managed switch for our core, I've managed to get a pretty good setup with servers in Chicago, Dallas and Austin. I've got an IPSEC VPN into Dallas which is hooked up to Chicago with a fast MPLS circuit.

The only public bandwidth our servers use now is for client access and any local internet access, all management/storage/backups are done over the private networks w/ encryption between end points. It works pretty well, although the latency can get pretty high when working with Chicago and I'm not in the office, but it's workable.