Possible OpenSSH 0day

[n0cmonkey]

http://isc.sans.org/diary.html?storyid=6742

The rumor is flying around, hot and heavy. No real data yet though.

 

[Crusty]

Nice to see 'recent' versions not affected... but exactly how recent?

 

[n0cmonkey]

We don't even know if this is true yet. 😉

5.2 was released on Feb. 23, 2009. That isn't very "recent," and I can't image up to date systems not having it at this point. It's just the legacy installs. Right? 😛

 

[n0cmonkey]

Damien Miller's thoughts: http://marc.info/?l=openssh-un...&m=124705272824524&w=2

 

[n0cmonkey]

I'm going with hoax until proof is posted: http://isc.sans.org/diary.html?storyid=6760&rss

 

[n0cmonkey]

Ok, so this may not be a crisis, but it would be a good excuse to audit all of your available SSH capable systems. Are you using the latest version (or latest version put out by your packing system)? Have you disabled/enabled the right accounts (should root be able to login? How about billing_user?)? Do you have accounts that have only 1 function that can be limited with ForceCommand? How about ssh keys? Do you need password accessible accounts? Time for a key rotation? Are your host keys recorded anywhere to verify against (the dns option looks interesting)? Are you logging failures? Are you looking at these logs? Can you automate it?

Any other auditing ideas?

 

[Crusty]

I'm a fan of having a private management network for SSH access 🙂

 

[n0cmonkey]

In a perfect world all of my systems would be on at least 3 networks.
1. Normal
2. admin network
3. logging network
4. storage network

Unfortunately, it's really hard to do with geographically disperse systems. 😉

 

[michael19]

This is a hoax

 

[Crusty]

Originally posted by: n0cmonkey
In a perfect world all of my systems would be on at least 3 networks.
1. Normal
2. admin network
3. logging network
4. storage network

Unfortunately, it's really hard to do with geographically disperse systems. 😉

That only depends on how hard you want to try 😉

After some upgrades here in the office, mostly an upgrade to a new managed switch for our core, I've managed to get a pretty good setup with servers in Chicago, Dallas and Austin. I've got an IPSEC VPN into Dallas which is hooked up to Chicago with a fast MPLS circuit.

The only public bandwidth our servers use now is for client access and any local internet access, all management/storage/backups are done over the private networks w/ encryption between end points. It works pretty well, although the latency can get pretty high when working with Chicago and I'm not in the office, but it's workable.