Educause Security Discussion mailing list archives
Re: SSH password capture
From: Scott Beardsley <scott () CSE UCDAVIS EDU>
Date: Mon, 28 Jun 2010 10:07:49 -0700
what is everyone else doing to manage system updates in their *nix (and/or heterogeneous) environments?
We are 100% linux so we aren't exactly heterogeneous but we do use both debian-based and redhat-based distros. For system updates we maintain an on-site mirror of all third-party software, all our machines point to it (we disable the fastestmirror "feature"). On some systems we enable auto updates[1,2], on others we prefer to update manually. We use puppet for config management and cobbler for provisioning.
We recently found trojan openssh programs on a few machines, busy logging passwords in and out.
Hopefully you've reinstalled these machines, forced a password change for all users, and notified your users. Any idea how they got in?
I just wondered if anyone else had been hit by this,
Not since we disabled passwords on our ssh servers. We are lucky in that we don't store *any* passwords or password hashes on our machines. So even if the bad guys get in they aren't going to get too far. If you do move to keys-only access be sure to have a mechanism to audit your users' keys against a blacklist. There are a ton of keys out there that are "known compromised" (ahem debian ahem).

Scott

------------
[1] http://linuxsoft.cern.ch/cern/slc55/updates/x86_64/SRPMS/repoview/yum-autoupdate.html
[2] https://wiki.ubuntu.com/AutomaticUpdates
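The key-blacklist audit Scott recommends, as an added example that is not part of the thread: a Python script that fingerprints each entry of an authorized_keys file (skipping leading options such as no-pty,from="...") and reports entries whose SHA256 fingerprint appears on a blacklist of known-compromised keys. The sample keys and the blacklist are constructed here (fixed bytes wrapped in the ssh-ed25519 wire format), not real keys; in practice the blacklist would be loaded from a published list.

```python
import base64
import hashlib
import shlex
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (lineno, key_type, blob, comment) per key line; leading options are skipped by locating the key-type token."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)   # handles quoted option values that contain spaces
        except ValueError:
            continue                     # unbalanced quotes: sshd would not accept it either
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break                # malformed key material: skip the line
                yield lineno, tok, blob, " ".join(fields[i + 2:])
                break

def audit_authorized_keys(text, blacklist):
    """Return one finding per entry whose fingerprint is on the blacklist."""
    findings = []
    for lineno, key_type, blob, comment in parse_authorized_keys(text):
        fp = sha256_fingerprint(blob)
        if fp in blacklist:
            findings.append({"line": lineno, "type": key_type, "fingerprint": fp, "comment": comment})
    return findings

# Constructed sample data: not real keys, just fixed 32-byte values in ed25519 wire format.
COMPROMISED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
CLEAN_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x02" * 32)
BLACKLIST = {sha256_fingerprint(COMPROMISED_BLOB)}  # in practice: fingerprints from a published list
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + base64.b64encode(CLEAN_BLOB).decode() + " alice@example",
    'no-pty,from="10.0.0.0/8" ssh-ed25519 ' + base64.b64encode(COMPROMISED_BLOB).decode() + " bob@example",
])
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)` reports only bob's key (line 3) even though it sits behind an options field; the same loop can be run over every user's authorized_keys on a host.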