From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Date: Mon, 15 Sep 2003 20:53:56 -0400
Subject: Fwd: Re: [Full-Disclosure] new ssh exploit?
Message-Id: <6.0.0.22.0.20030915205323.076ad580@209.112.4.2>

Has anyone around here heard of this?

        ---Mike

>Subject: Re: [Full-Disclosure] new ssh exploit?
>From: christopher neitzert
>Reply-To: chris@neitzert.com
>To: full-disclosure@lists.netsys.com
>Date: Mon, 15 Sep 2003 13:48:34 -0400
>
>More on this;
>
>The systems in question are FreeBSD, RedHat, Gentoo, and Debian, all
>running the latest versions of OpenSSH.
>
>The attack makes an enormous number of ssh connections and attempts
>various offsets until it finds one that works, permitting root login.
>
>I have received numerous messages from folks requesting anonymity or
>a direct off-list reply confirming this exploit;
>
>The suggestions I have heard are:
>
>Turn off SSH and
>
>1. upgrade to lsh.
>
>or
>
>2. add explicit rules to your edge devices allowing ssh from only known
>hosts.
>
>or
>
>3. put ssh behind a VPN on RFC-1918 space.
>
>thanks.
>
>On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> > Does anyone know of or have source related to a new, and unpublished ssh
> > exploit? An ISP I work with has filtered all SSH connections due to
> > several root level incidents involving ssh. Any information is
> > appreciated.
>
>--
>Christopher Neitzert - GPG Key ID: 7DCC491B

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                     www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
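The forwarded description gives one observable a defender can act on: the attacker opens an enormous number of ssh connections from a single source while probing offsets. The script below is an added example, written for this archive page and not part of either message; it counts sshd "Connection from" log lines per source address (the format sshd writes at LogLevel VERBOSE) and reports sources above a threshold. The log lines are constructed for the example and the threshold of 5 is an assumption, not a recommendation from the thread.

```sh
#!/bin/sh
# Added example (not from the original messages): flag source addresses
# that open an unusual number of sshd connections, the pattern described
# in the forwarded report. SAMPLE_LOG is constructed for the example; in
# practice the input would be /var/log/auth.log or equivalent.

SAMPLE_LOG='Sep 15 20:51:40 gw sshd[70123]: Connection from 203.0.113.9 port 40001
Sep 15 20:51:40 gw sshd[70124]: Connection from 203.0.113.9 port 40002
Sep 15 20:51:41 gw sshd[70125]: Connection from 203.0.113.9 port 40003
Sep 15 20:51:41 gw sshd[70126]: Did not receive identification string from 203.0.113.9
Sep 15 20:51:41 gw sshd[70127]: Connection from 203.0.113.9 port 40004
Sep 15 20:51:42 gw sshd[70128]: Connection from 198.51.100.7 port 51022
Sep 15 20:51:42 gw sshd[70129]: Connection from 203.0.113.9 port 40005
Sep 15 20:51:42 gw sshd[70130]: Connection from 203.0.113.9 port 40006
Sep 15 20:51:43 gw sshd[70131]: Accepted publickey for mike from 192.0.2.44 port 2201 ssh2
Sep 15 20:51:43 gw sshd[70132]: Connection from 203.0.113.9 port 40007
Sep 15 20:51:43 gw sshd[70133]: Connection from 203.0.113.9 port 40008
Sep 15 20:51:44 gw sshd[70134]: Connection from 198.51.100.7 port 51023'

# flag_ssh_floods THRESHOLD
# Reads sshd log lines on stdin and prints "count ip" for every source
# address with more than THRESHOLD new connections, busiest first.
# Only "Connection from" lines are counted; "Accepted", "Failed" and
# "Did not receive identification string" lines are ignored so the count
# reflects connection volume, not authentication outcome.
flag_ssh_floods() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Connection from / {
            # locate the word "from" so the field position does not
            # depend on hostname or syslog prefix layout
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END {
            for (ip in count)
                if (count[ip] > thr) printf "%d %s\n", count[ip], ip
        }' | sort -rn
}

# Usage: sources with more than 5 connections in the sample.
printf '%s\n' "$SAMPLE_LOG" | flag_ssh_floods 5
```

On the constructed sample this prints `8 203.0.113.9`; the two-connection source stays below the threshold. Output like this is what would justify the second suggestion in the forwarded message, restricting ssh at the edge to known source addresses, and it is cheap enough to run from cron against the live log.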