Re: S: ssh worms FAQ

From: Joe (joe_at_jretrading.com)
Date: 09/15/04

  • Next message: Paul remove-the-nospam Day: "Re: S: ssh worms FAQ"
    Date: Wed, 15 Sep 2004 21:06:42 +0100
    
    

    In message <41488934.72093429@comtv.ru>, Innocenti Maresin
    <av95@comtv.ru> writes
    >Hello!
    >
    >There have been many ssh worms on the Internet since this summer.
    >These worms often try to access
    >"test", "guest", "admin", "user" and "root" accounts.
    >See details in http://seclists.org/lists/fulldisclosure/2004/Jul/1243.html
    >
    >But I didn't find any resource
    >such worms' [potential] victims may be pointed to.
    >Not general morals on UNIX security,
    >but namely some considerations on ssh security aspects
    >related to worms vulnerability.
    >UNIX shell worms appear to be a poorly documented topic,
    >compared e.g. to M$XP RPC flaws or mail .EXE winworms.
    >
    >Namely, I want a text readable by UNIX novices
    >that ssh is a very powerful remote access method,
    >that it's extremely dangerous to have
    >accounts with "default" (set by distro etc.) password
    >even because of spammers' menace,
    >that some Linux kernels can be easily rooted
    >by any [unprivileged] local account
    >(do_brk flaw up to 2.4.23pre etc.),
    >that admin should change "default" passwords and delete unused accounts,
    >that there are some automated scripts (worms) exploiting ssh on the Net,
    >their traces can be found in /var/log/,
    >that it's good to notify the admin/owner of the originating host(s),
    >that a lot of outgoing ssh requests is a very suspicious fact,
    >that, last but not least, a great army of script kiddies exist...
    >
    >
    >Does anybody have, or has anybody read, such a FAQ?
    >
    I don't think there is a step-by-step guide to running and securing ssh,
    but I'm not sure there should be. Step-by-step is good for making
    something work when you don't understand it, indeed the only way, and if
    you miss a step it will not work and you will go back and find what you
    did wrong. If you miss a step in securing something it will probably
    still work and you won't know you left a hole.

    There are several tutorials on ssh, as I'm sure you found when you
    looked. None of them seem to contain all the important security bits.
    Much of ssh security comes from using hosts.allow and hosts.deny, and
    iptables, as well as good general habits concerning users, passwords and
    so on. These are not ssh specific and do not really belong in a tutorial
    for a particular service.

    The success of the current ssh worm is totally dependent on very bad
    user and password control, or poor Unix morals as you put it. You
    already know the answer to that. You don't need a detailed understanding
    of either ssh or worm anatomy to stop it. I could be wrong, but I
    believe all the ssh vulnerabilities in the last few years have required
    either local access or remote login to a genuine account to exploit
    them. A matter of Unix security morals. If the bad guys have got as far
    as logging on to your machine, you're already too late.

    Probably most of the ssh-specific information is in the sshd_config man
    page and the file itself. AllowUsers is probably the single most
    important feature here, though an understanding of the various
    authentication mechanisms is also necessary. I would suggest that if
    these sources and the general ssh tutorials on key pairs are too hard to
    deal with, then it is not appropriate to open ssh to the Internet.
    There's too much knowledge required for a beginners' FAQ to be of much
    use. It would need to contain much of the man page.

    Unfortunately, the only simple security instruction for the novice is
    not to open any service at all to the Internet until such a time as it
    is understood, along with firewall operation and the other general
    Linux/Unix security measures. Sorry if that's not what you want to hear,
    but the world is full of Windows machines opened to the Net by people
    who have no idea about the risks, and how to (try to) avoid them. Their
    uncracked life expectancy is currently about 20 minutes.

    -- 
    Joe
    