Time to update OpenSSH (root hole)
cperciva 03-07-2002, 10:57 AM Time to update OpenSSH if you haven't already done so, in order to deal with a recently discovered root hole.
Initial advisory here: http://www.pine.nl/advisories/pine-cert-20020301.txt
zupanm 03-07-2002, 11:52 AM This is another bad one too. Much like the telnetd hole. This is another one that you'll probably see worms attacking port 22. It's made even worse since openssh is very popular and Red Hat uses it in 7+, maybe below that. Also made worse is that all the recent versions have the hole.
AudiBoy 03-07-2002, 12:05 PM Wow... thanks for the security update...
Maybe this goes along with what i noticed in my logs a couple of minutes ago.......
Mar 7 10:12:18 earth sshd[1420]: scanned from 62.153.xx.xx with SSH-1.0-SSH_Version_Mapper. Don't panic.
Mar 7 10:12:52 earth sshd[1418]: Did not receive identification string from 62.153.xx.xx.
Mar 7 10:12:52 earth sshd[1419]: Did not receive identification string from 62.153.xx.xx.
Mar 7 10:12:52 earth sshd[1421]: Did not receive identification string from 62.153.xx.xx.
Mar 7 10:12:52 earth sshd[1424]: Did not receive identification string from 62.153.xx.xx.
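A small detector for the burst pattern in the log lines above, added here as an example and not part of anyone's post. The sample lines are constructed with RFC 5737 documentation addresses in place of the masked 62.153.xx.xx host, and the threshold and window sizes are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the syslog lines quoted in the thread; the
# addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Mar  7 10:12:18 earth sshd[1420]: scanned from 198.51.100.23 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Mar  7 10:12:52 earth sshd[1418]: Did not receive identification string from 198.51.100.23.
Mar  7 10:12:52 earth sshd[1419]: Did not receive identification string from 198.51.100.23.
Mar  7 10:12:52 earth sshd[1421]: Did not receive identification string from 198.51.100.23.
Mar  7 10:12:52 earth sshd[1424]: Did not receive identification string from 198.51.100.23.
Mar  7 11:02:03 earth sshd[1500]: Did not receive identification string from 192.0.2.9.
Mar  7 11:05:10 earth sshd[1510]: Accepted publickey for alice from 192.0.2.9 port 40122 ssh2
"""

# The two sshd messages the thread shows: a TCP connect that never sent an SSH
# identification string, and the version-mapper fingerprint sshd itself logs.
PROBE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Did not receive identification string from (?P<noid>\d+(?:\.\d+){3})\.?\s*$"
    r"|scanned from (?P<scan>\d+(?:\.\d+){3}) with (?P<tool>.+?)\.(?:\s|$))"
)


def find_scanners(log_text, threshold=3, window_seconds=60):
    """Return {ip: summary} for every source that produced at least `threshold`
    probe events inside any `window_seconds` span (a burst, not a stray connect)."""
    events = defaultdict(list)  # ip -> [(timestamp, tool_or_None), ...]
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        ip = m.group("noid") or m.group("scan")
        events[ip].append((ts, m.group("tool")))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        times = [t for t, _ in evs]
        # Sliding window: do `threshold` consecutive events fit inside the window?
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            flagged[ip] = {"probes": len(evs), "tools": sorted({t for _, t in evs if t})}
    return flagged
```

A single "Did not receive identification string" entry is often just a monitoring check or a dropped connection; the burst from one source, especially paired with a version-mapper line, is what marks a scan.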
zupanm 03-07-2002, 12:12 PM That looks like the version 1 hole that's maybe a few years old. But I'd upgrade ASAP.
monkey_boy 03-07-2002, 01:43 PM It looks like maybe we are safe if we do not allow shell access to our users? Or maybe the hole can be exploited with any valid user account, regardless of whether shell access is allowed? I'm just trying to weigh the risks until a patch is available for the RAQ.
Also, consider moving ssh port from 22 to something very high. If someone is scanning boxes for ssh, it is better not to be found. I think security with obscurity is the way to go.
zupanm 03-07-2002, 01:58 PM It's only users with accounts on your system.
How does everyone actually upgrade ssh?
I'm not talking about configure/make/make install.
We only have ssh access to our box (it's remotely located). Should we open up telnet for a bit just in case ssh goes belly up after the install? How do you normally upgrade???
zupanm 03-07-2002, 03:29 PM Yes, I'd open telnet up just in case. You can kill the running sshd processes via telnet, then install the new version, run sshd, make sure it works, then get off telnet and close it up. Another thing I recommend is not to su to root via telnet. Install sudo. Change your passwd in ssh, then telnet in, sudo su - to root, do your thing, then ssh into your new version of sshd and change your passwd.
bitserve 03-07-2002, 07:28 PM Thanks for the alert. I let my brother know that he failed me. Usually he tells me of these things before anyone else does. :)
None of the mirror sites that I tried actually have the file, but the download from openbsd.org went pretty fast.
Don't forget to configure with pam, for you Red Hat people. I always forget to do this the first time. "Hmm, why can't I log in." Then I actually read the docs. "Oh yeah."
allan 03-08-2002, 01:56 PM Red Hat has released an update. I don't see it on their site yet, but when I ran up2date a few minutes ago it installed openssh-3.1p1-2.i386.rpm and its associated packages.
priyadi 03-08-2002, 09:38 PM Originally posted by uuallan
Red Hat has released an update. I don't see it on their site yet, but when I ran up2date a few minutes ago it installed openssh-3.1p1-2.i386.rpm and its associated packages.
RedHat 6.x and below don't come with openssh, so any updates must be done manually. And I also found out that simply rebuilding RedHat 7.x SRPMS in 6.x environment won't result in correct binaries. It just crashes every time RSA authentication is used. I had to use SRPMS on openssh.com site to have that problem fixed.
allan 03-08-2002, 10:45 PM Originally posted by priyadi
RedHat 6.x and below don't come with openssh, so any updates must be done manually. And I also found out that simply rebuilding RedHat 7.x SRPMS in 6.x environment won't result in correct binaries. It just crashes every time RSA authentication is used. I had to use SRPMS on openssh.com site to have that problem fixed.
Right, I assumed since I mentioned up2date people would assume I was talking about Red Hat 7.0+ (I don't think 6.x is compatible with up2date -- though I may be wrong).
Mike the newbie 03-09-2002, 06:10 PM Originally posted by pita
How does everyone actually upgrade ssh?
I'm not talking about configure/make/make install.
We only have ssh access to our box (it's remotely located). Should we open up telnet for a bit just in case ssh goes belly up after the install? How do you normally upgrade???
I run two totally separate instances of the sshd, one called sshd and the other called adminsshd. Each one has its own configuration directory, and they listen on different ports.
When I'm upgrading or changing the sshd configuration, I can always connect to the adminsshd port if I botch something up. When the upgrade or whatever changes I've made have settled down, then I copy the sshd file over to adminsshd.
mpkapadia 03-12-2002, 01:36 AM Hi
How do I verify what version of openssh I am using?
Regards,
Try this in SSH:
rpm -q openssh
mpkapadia 03-12-2002, 02:35 AM It shows the output as
openssh-3.1p1-1
Regards,
The Prohacker 03-12-2002, 02:36 AM Originally posted by Haze
Try this in SSH:
rpm -q openssh
Or if you're like us, people who are against most RPMs...
'telnet 127.0.0.1 22'
It'll return something like:
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
Protocol mismatch.
Connection closed by foreign host.
I bolded the version info...
Jedito 03-12-2002, 03:08 AM or ssh -v :)
mpkapadia 03-12-2002, 08:59 AM Gives me this
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
Usage: ssh [options] host [command]
So I guess my upgrade went fine.
Regards,
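As an added example (not from any post in this thread), a parser that accepts the output of any of the three checks above (the telnet banner, ssh -v, rpm -q) and reports whether the installed version predates 3.1, the release the advisory quoted later in the thread names as the fix. The inputs are constructed from the output quoted in the thread, and the 3.1 threshold is taken from that advisory excerpt:

```python
import re

# Fix version named in the advisory excerpt quoted in the thread: OpenSSH 3.1.
FIXED_VERSION = (3, 1, 0)

# Matches "OpenSSH_3.1p1" (banner, ssh -v) as well as "openssh-3.1p1-1" (rpm -q).
VERSION_RE = re.compile(r"openssh[_-](\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", re.IGNORECASE)
# The identification line a server sends on connect, e.g. "SSH-1.99-OpenSSH_3.1p1".
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-", re.MULTILINE)


def parse_openssh_version(text):
    """Return ((major, minor, patch), portable_suffix) or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(portable) if portable else None)


def banner_protocols(text):
    """Protocol versions a server banner advertises: 1.99 means both 1 and 2 are offered."""
    m = BANNER_RE.search(text)
    if not m:
        return ()
    return {"1.5": (1,), "1.99": (1, 2), "2.0": (2,)}.get(m.group(1), ())


def assess(text):
    """Summarise any of the three checks from the thread (telnet banner, ssh -v, rpm -q)."""
    parsed = parse_openssh_version(text)
    if parsed is None:
        return None
    version, portable = parsed
    return {
        "version": version,
        "portable": portable,
        "needs_upgrade": version < FIXED_VERSION,
        # Protocol 1 is only visible in a server banner, not in ssh -v or rpm output.
        "offers_protocol1": 1 in banner_protocols(text),
    }


# Constructed inputs in the three formats shown in the thread.
TELNET_OUTPUT = "Trying 127.0.0.1...\nConnected to 127.0.0.1.\nSSH-1.99-OpenSSH_3.1p1\nProtocol mismatch.\n"
SSH_V_OUTPUT = "OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f"
RPM_OUTPUT = "openssh-3.1p1-1"
```

Note that ssh -v reports the client binary, which only tells you the server is fixed if both were installed from the same package; the banner is what the listening sshd actually runs, and a 1.99 banner also shows that protocol 1 is still offered.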
MotleyFool 03-13-2002, 03:00 AM -------
Solution
The OpenSSH project will shortly release version 3.1.
Upgrading to this version is highly recommended.
This version will be made available at ww.openssh.com
The FreeBSD port of OpenSSH has been updated to reflect the patches as supplied in this document.
-------
And how wisely have I chosen my OS! I would like to know why the majority of Internet servers are running Linux [and RH at that] when the best OS is also free and much more stable... is it because of the control panels available for Linux?
Cheers
Balaji
allan 03-13-2002, 08:07 AM Originally posted by MotleyFool
And how wisely have I chosen my OS! I would like to know why the majority of Internet servers are running Linux [and RH at that] when the best OS is also free and much more stable... is it because of the control panels available for Linux?
Having the latest release of SSH issued first hardly means that one OS is better than another. I run Red Hat because there is more support and configuration information available for Linux in general, and Red Hat in particular. As for stability, my Red Hat server ran for 6 months with no reboot (I finally had to reboot because I did a kernel upgrade), and it will continue to run until the next kernel upgrade I perform. The only control panel I use is Webmin (which is available for BSD if you would like to use it).
If you would like to turn this into a my something is better than your something discussion, why do you insist on using MySQL when PostgreSQL is much more stable and robust, and why would you use djbdns (not djdbdns as your signature indicates) when BIND has a much less restrictive licensing and is obviously more stable -- after all what DNS software do you think is running the root nameservers?
It is very easy to critique someone else's choice in software. I have no doubt you will provide an excellent and secure hosting service to your clients, but that does not mean that others cannot use different tools.
MotleyFool 03-13-2002, 09:02 AM O uuallan,
I am sorry if my post seemed provocative; it was merely an inquisitive question trying to find out if there are things about Linux I have been ignorant of [and as is seen from your reply, I do have a long way to go in knowing things].
I generally don't argue and particularly not in WHT, where I come only to learn [and the last 6 months have been a very real learning experience for me], so my intention was certainly not that.
And BTW, thanks for pointing out the typo in my sig [and I am really glad someone reads a fool's signature!]
Cheers
Balaji
allan 03-13-2002, 09:54 AM Originally posted by MotleyFool
I am sorry if my post seemed provocative; it was merely an inquisitive question trying to find out if there are things about Linux I have been ignorant of [and as is seen from your reply, I do have a long way to go in knowing things].
No worries -- my reply came off a little harsh, I don't think I had had my morning orange juice yet :). I am sure you are going to be successful, and I wish you luck in your new venture :)
manmythlgnd 03-13-2002, 05:08 PM Originally posted by MotleyFool
And how wisely have I chosen my OS! I would like to know why the majority of Internet servers are running Linux [and RH at that] when the best OS is also free and much more stable... is it because of the control panels available for Linux?
Cheers
Balaji
Linux is only free if your time is worth nothing. Now if only the FreeBSD project can take a cue from the OpenBSD installer and make their installer a little less braindead.
Running FreeBSD and wanting a decent control panel is quite a quandary. H-Sphere is great and functional, but with it comes quite a price (that will affect most hosts' bottom lines). Plesk is great too, but the hoops you have to jump through to integrate it with anything and the lack of customizations make it quite frustrating; please, an API or something, throw me a bone. Some of us have bigger aspirations than pointing and clicking and being a hosting company.