From owner-freebsd-security Tue Jan 5 15:49:58 1999
Message-Id: <4.1.19990105154103.00ba7100@hyperreal.org>
Date: Tue, 05 Jan 1999 15:51:21 -0800
From: Brian Behlendorf <brian@hyperreal.org>
To: bmah@CA.Sandia.GOV, The Hermit Hacker
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh "error" message ..
In-Reply-To: <199901052215.OAA19362@stennis.ca.sandia.gov>

At 02:15 PM 1/5/99 -0800, Bruce A. Mah wrote:
>If memory serves me right, The Hermit Hacker wrote:
>
>> Has anyone seen the following before?  I'm thinking a port-attack, since
>> I've gotten two reports so far, each reporting the same host, but
>> different IP...
>>
>> hub> logout
>> Waiting for forwarded connections to terminate...
>> The following connections are open:
>>   X11 connection from tntport0581.cwjamaica.com port 1488
>>   X11 connection from tntport0581.cwjamaica.com port 1918
>
>Yes, many many times.  These are the error messages that you see when you ssh
>to another machine, fire up some X clients on the remote host, then try to
>logout.  The X protocol messages from the X clients are tunneled over the
>encrypted SSH connection, so the SSH connection can't go away without killing
>the clients.  The behavior you see gives you (the user) a chance to gracefully
>shut down the X clients first.
>
>If I don't care about those X clients, I'll usually kill the window from which
>I ran ssh.

Um, I think he's saying that "tntport0581.cwjamaica.com" isn't one of his
domains, but a third party, and he's suspicious that an attack may be
underway.

When you use SSH and tell it to forward X11 packets, it opens an X port on
the remote machine for X clients to connect to, to get tunnelled to your
local X server.  E.g., from "lsof":

  sshd1  6362  root  9u  inet 0xf4930900  0t0  TCP *:6011 (LISTEN)

The port is open - local X clients AND remote X clients can connect to it.
Now, your X server will probably mandate the use of some sort of auth, like
what's in the .Xauthority file on your remote machine; remember back before
xauth when it was "cute" to open an X app on someone else's screen,
surprising them?  :)

This isn't a security hole, since the standard X security mechanisms
*should* protect you, but there is the potential for exploiting buffers in
either the sshd or your desktop X server.  If you don't need X, you probably
want to turn off "forward X11 packets", just to be safe.  If F-Secure was
thinking, they'd give an option to only allow local connections to the
remote end of the tunnel, as you can do when setting up other tunnels
manually.  I'm going here by the GUI for the windows & mac SSH clients; the
Unix ssh client has far more configurability of course.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
History is made at night;                             brian@hyperreal.org
character is what you are in the dark.
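A defender-side check for the kind of listener Brian shows above, added here as an example and not part of the original thread: it scans `lsof -i -n -P` style output for sshd X11 forwarding listeners (TCP 6000 to 6063, i.e. displays :0 to :63) bound to a wildcard address instead of loopback. The sample lines are constructed, and the awk field positions assume the lsof column layout quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find sshd X11 forwarding
# listeners that accept connections from any host, not just the local machine.

# Constructed sample of "lsof -i -n -P" output. The first line mirrors the one
# quoted in the mail; the others are made up to show the contrast.
SAMPLE='sshd1 6362 root 9u inet 0xf4930900 0t0 TCP *:6011 (LISTEN)
sshd 7001 root 10u IPv4 0x1 0t0 TCP 127.0.0.1:6012 (LISTEN)
sshd 7002 root 11u IPv4 0x2 0t0 TCP *:22 (LISTEN)
httpd 300 www 4u IPv4 0x3 0t0 TCP *:80 (LISTEN)'

# Usage: exposed_x11_listeners "<lsof output>"
# Prints "<pid> <port> :<display>" for every sshd process listening on an
# X11 display port (6000-6063) bound to "*" or "0.0.0.0". Loopback-bound
# listeners and non-X11 ports are ignored, so a clean host prints nothing.
exposed_x11_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^sshd/ && $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")       # "*:6011" -> a[1]="*", a[2]="6011"
            addr = a[1]; port = a[n] + 0
            if (port >= 6000 && port <= 6063 && (addr == "*" || addr == "0.0.0.0"))
                printf "%s %s :%d\n", $2, port, port - 6000
        }'
}

# Stand-alone run against the constructed sample; on a real host use:
#   exposed_x11_listeners "$(lsof -i -n -P)"
exposed_x11_listeners "$SAMPLE"
```

The wildcard-bound port 6011 is reported as display :11; the loopback-bound 6012 is not. On OpenSSH servers the behaviour Brian wishes F-Secure offered is the sshd_config option `X11UseLocalhost yes`, which binds the forwarded display to loopback.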