SSH server zero-day exploit - Suggestions to protect ourselves

Comment from Damien Miller (OpenSSH developer): http://lwn.net/Articles/340483/

In particular, I spent some time analysing a packet trace that he provided, but it seems to consist of simple brute-force attacks.

So, I'm not persuaded that an 0day exists at all. The only evidence so far are some anonymous rumours and unverifiable intrusion transcripts.


My suggestion is to block SSH access at the firewall for everyone besides your IP. With iptables:

# accept SSH from your own address first, then drop everything else aimed at port 22
/sbin/iptables -A INPUT --source <yourip> -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
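Two things bite people with the two-liner above: -A appends, so an older "ACCEPT port 22 from anywhere" rule higher up the INPUT chain wins and the DROP never fires; and if you type it from any address other than <yourip>, the DROP cuts your own session and every future login. The script below is an added example (not part of the original thread or of OpenSSH) that wraps the same idea with those two checks. It assumes IPv4, the legacy iptables CLI at /sbin/iptables, and an allowed address given as the first argument; 203.0.113.5 and 198.51.100.7 are placeholders from the documentation ranges, not real hosts.

```sh
#!/bin/sh
# Added example, not from the original thread: allow SSH only from one IP
# without locking yourself out of the session you are typing in.
# Assumptions: IPv4, legacy iptables CLI, allowed address passed as $1.
set -eu

# sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port";
# return the client address so it can be compared with the IP we are about to allow.
client_ip_from() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Dotted-quad sanity check: a typo or a stray shell metacharacter must never
# end up inside a rule that is followed by a catch-all DROP.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeed when there is no SSH_CONNECTION (local console) or when the current
# session's client address is the one we are about to allow.
session_allows() {
    conn="$1"; allowed="$2"
    [ -z "$conn" ] && return 0
    [ "$(client_ip_from "$conn")" = "$allowed" ]
}

# Emit the rules, one command per line. -I with explicit positions puts them at
# the head of INPUT, so an older "ACCEPT port 22 from anywhere" rule further
# down the chain cannot override the DROP (which plain -A would allow).
ssh_allowlist_rules() {
    allowed="$1"
    printf '%s\n' \
        "/sbin/iptables -I INPUT 1 -p tcp --dport 22 -s $allowed -j ACCEPT" \
        "/sbin/iptables -I INPUT 2 -p tcp --dport 22 -j DROP"
}

main() {
    allowed="${1:?usage: $0 <allowed-ip> [apply]}"
    mode="${2:-}"
    is_ipv4 "$allowed" || { echo "not an IPv4 address: $allowed" >&2; exit 2; }

    # Lockout guard: refuse to install a DROP that would cut this very session.
    if ! session_allows "${SSH_CONNECTION:-}" "$allowed"; then
        echo "refusing: this session comes from $(client_ip_from "$SSH_CONNECTION"), not $allowed" >&2
        exit 3
    fi

    # Preview the rules; only execute them when "apply" is the second argument.
    ssh_allowlist_rules "$allowed" | while IFS= read -r cmd; do
        echo "$cmd"
        if [ "$mode" = apply ]; then
            eval "$cmd"
        fi
    done
}

# Run as:  sh restrict_ssh.sh 203.0.113.5         (preview only)
#          sh restrict_ssh.sh 203.0.113.5 apply   (install the rules, as root)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once without "apply" to see the exact commands, then with "apply" from the allowed address. The rules are not persistent; save them with your distribution's iptables-save mechanism if you want them to survive a reboot.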

According to the SANS post, this exploit does not work against current versions of SSH, and thus isn't really a 0day. Patch your servers, and you should be fine.


Complain to your vendors

That way everybody gets the newer version.


FYI, the original source of the story: http://romeo.copyandpaste.info/txt/ssanz-pwned.txt

There are also two similar stories (hacking astalavista.com and another site): romeo.copyandpaste.info/txt/astalavista.txt
romeo.copyandpaste.info/txt/nowayout.txt

It seems like someone has an agenda: romeo.copyandpaste.info/ ("Keep 0days private")