RE: !SPAM! Automated ssh scanning

[Ron DuFresne <dufresne () winternet com>]

On Thu, 26 Aug 2004, Stephen Agar wrote:

> Somehow, this message got to me before Ron's reply did, so I will respond to
> both inline.
> > On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne
> > <dufresne () winternet com> wrote:
> > > On Thu, 26 Aug 2004, Stephen Agar wrote:
> > >
> > > > I think many of you are missing the point. Yes the guest/guest
> > > > account is weak, but this kernel is (according to debian)
> > > > patched..therefore free from local exploits that can be
> > used to gain
> > > > superuser access. I mean if this were the case, then any box that
> > > > ran this version of debian to do something like "web
> > hosting" that
> > > > gave users shell access, may as well give them all full sudo.
> > > > Because you people are assuming that if someone can gain
> > access to the box, secured or not, they can gain root..i disagree.
> > > The issue here is why does debain include such a weak
> > account,m thaqt
> > > has not been tamed via a very restricted chroot env!?
>
> That is one issue, but given that I haven't installed debian in years, I
> can't really answer it. However, I don't think it's the "main" issue. The
> main issue to me is, if I do install debian, and give an account to a friend
> (albeit not a trusted friend), do I have to worry about a "fully patched"
> box still getting rooted via a local exploit?


most likely.


> > That's not the issue though.  As someone who has installed
> > and maintained debian systems over a period of years, I can
> > assure you that debian does not include a guest account (or
> > any account) with a weak password or shell.
> >
> > There aren't any shell accounts other than root on a debian
> > install until added by the administrator.
> >
> > The weak account in question here was created by the original
> > poster with the intent of catching one of these apparently
> > automated ssh attacks.
>
> If he did create those accounts himself for "honeypot" purposes, and this
> isnt default on that debian install then it has shown us all something. It
> has opened the flood gates for discussion about local exploits in that
> particular install, that we would assume were patched (unless they are
> undisclosed vulns..but do we really think the script kiddies have that many
> 0day exploits...yikes!)


how many times in the last year has kde or gnome been patched to deal
with a particular security issue?  How about the kernel?  apache?
openssl?  etc..., now consider what one poster said a few replies back
about there being undisclosed holes in merely the kernel for linux, then
reconsider his statements inline with all the packages installed in a
desktop, server etc offered by the various dists setups...


Now to tweak the issues tightly into mind, look at how many updated RPM's
or DBM's or what yer fav dist formats it's packages and understand, the
vast majority of those updated packages are there because they addressed
security issues from this and the various other lists on the topic...


Then, take a deep breath so as to not turn purple once you have taken this
in....

> > > As Barry pointed to directly, it all depends upon what you make
> > > available to your clients once in a shell.  It;s very likely your
> > > server would be as exploitable as most 'default' installs
> > with the kitchen sink dropped in.
> > > Perhaps not, but likely, depending upon what you 'installed
> > and allow
> > > clients access to'.
> > >
> > > Thanks,
> > >
> > > Ron DuFresne
>
> I agree, if this was a production box...then any shell account I had would
> either be set up for something like "scp only" for a "web host", or jailed
> very tightly..along with every other service running on the box. I was just
> saying, that if I install my box, and apply every available patch, I would
> expect it to be free of local exploits as well as remote ones.

Unless you know and trust all the folks you share shells with on the net,
be concerned.

expect nothing, you now have a clue.  Oh, and understand, even the pay
large sums vendors face the same issues, hp, solaris, sgi, etc, same
issues.  Make  all choices carefully with full awareness of the
consquences of the choices you make.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html