Thread: Insecure =/
-
07-11-2002, 12:11 AM #1 (Disabled)
- Join Date: Nov 2001
- Location: Canada
- Posts: 1,963
Insecure =/
Why do hosting companies leave open holes like this?
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
Protocol mismatch.
Connection closed by foreign host.
Cogentco.com also runs 3.0 (openssh)
I just don't understand why so many hosting companies are so slow on fixing their security. I mean..
If I were looking for shared hosting, I for one would not want to be hosted with a company that is running old daemons that have vulnerabilities in them, ya know?
Am I the only one who feels this way? I mean, really......
-
07-11-2002, 12:15 AM #2 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
hahah...
Damn... I always spend the first 3 days we have a server on updating...
There really is no excuse not to upgrade your servers anymore.. Hell, even RPMs are available for upgrade if you need them....
I even spent the time to update a RaQ2, everything on it.
-
07-11-2002, 12:18 AM #3 (Disabled)
- Join Date: Nov 2001
- Location: Canada
- Posts: 1,963
I mean, what are these companies going to do when someone comes along and compromises their servers??
I think it's sad.
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.5-OpenSSH_3.1p1
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
Protocol mismatch.
[root@sandton root]# telnet <edit> 22
Trying <edit> ...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
And the list goes on and on; I won't try to embarrass too many companies.
I just think that if a company can't keep up to date with security, they shouldn't jeopardize other people's data.
I certainly would only choose hosts that keep good security.
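A small banner grabber that does what the telnet sessions above do by hand, and then parses the identification line, is added here as an example; it is not code from the thread. The hostname is a placeholder (the thread's hosts are redacted as <edit>), and the version range it flags, OpenSSH 2.3.1 through 3.3, is the range quoted later in this thread for the 2002 challenge-response bugs. The flag is a banner-level hint only: a vendor build with a backported fix keeps the old version string, so a banner can neither prove a host vulnerable nor prove it safe.

```python
"""Grab and parse an SSH identification banner (added example; not from the thread).

Does by hand what `telnet host 22` shows in the posts above: connect, read the
server's "SSH-<proto>-<software>" line, and classify it. Nothing is sent back,
so the server either waits or answers "Protocol mismatch" and closes, exactly
as in the telnet transcripts.
"""
import re
import socket

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?$")

# Upstream range quoted in the thread for the 2002 challenge-response / PAM
# keyboard-interactive bugs. Inclusive on both ends; the portable patch level
# (p1, p2) is ignored because the fix was not tied to it.
AFFECTED_LOW = (2, 3, 1)
AFFECTED_HIGH = (3, 3, 0)

# What the protocol field of the banner means.
PROTO_NOTES = {
    "1.5": "protocol 1 only",
    "1.99": "protocol 1 and 2 (client chooses)",
    "2.0": "protocol 2 only",
}


def parse_banner(line):
    """Split 'SSH-1.99-OpenSSH_3.1p1' into (proto, software, comment)."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification line: %r" % line)
    return m.group("proto"), m.group("software"), m.group("comment")


def openssh_version(software):
    """Return (major, minor, patch) for an OpenSSH_x.y[.z][pN] string, else None."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def assess(line):
    """Classify one banner line.

    'in_affected_range' is True/False for OpenSSH, None for anything else, and
    is only a hint: vendor builds that backport the fix (e.g. Red Hat's updated
    3.1p1 RPMs) keep the old string, so confirm with the package release.
    """
    proto, software, comment = parse_banner(line)
    version = openssh_version(software)
    result = {
        "proto": proto,
        "proto_note": PROTO_NOTES.get(proto, "unknown protocol version"),
        "software": software,
        "comment": comment,
        "version": version,
        "in_affected_range": None,
    }
    if version is not None:
        result["in_affected_range"] = AFFECTED_LOW <= version <= AFFECTED_HIGH
    return result


def grab_banner(host, port=22, timeout=5.0):
    """Connect, read one line (at most 255 bytes), close. Sends no client banner."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while not buf.endswith(b"\n") and len(buf) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


if __name__ == "__main__":
    import sys
    # Placeholder target; the hosts in the thread were redacted.
    target = sys.argv[1] if len(sys.argv) > 1 else "ssh.example.invalid"
    try:
        banner = grab_banner(target)
    except OSError as exc:
        sys.exit("%s: %s" % (target, exc))
    print(banner)
    for key, value in sorted(assess(banner).items()):
        print("%-18s %s" % (key, value))
```

On a Red Hat box the banner says nothing about the package release; `rpm -q openssh-server` shows the release field, which is what the errata page lists and what actually tells you whether the backported fix is installed.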
-
07-11-2002, 12:24 AM #4 (Web Hosting Guru)
- Join Date: Feb 2002
- Location: South California
- Posts: 333
OpenSSH 2.9p2 comes prepackaged with Red Hat 7.2. Expecting people to know how to compile new versions of OpenSSH is simply too demanding...
Matt Mahvi
Staminus, Infrastructure DDoS Protection and Appliances
@ 200+ Gbps global ddos mitigation network. Local or Remote. Proxy, GRE, and direct cross connects.
@ Available in Amsterdam, New York, Los Angeles and Orange County. Anycast BGP.
-
07-11-2002, 12:27 AM #5 (Disabled)
- Join Date: Nov 2001
- Location: Canada
- Posts: 1,963
Originally posted by toro
OpenSSH 2.9p2 comes prepackaged with Red Hat 7.2. Expecting people to know how to compile new versions of OpenSSH is simply too demanding...
Everybody is a web host nowadays.
What worries me even more is those HUGE web hosting companies like mchost.
It would be a shame if someone were to compromise their systems and erase all data, including backups.
I hope this thread will convince some people to start upgrading. I mean, come on guys. You guys were supposed to upgrade weeks ago. What's going on? Really
Just my 0.02
-
07-11-2002, 12:30 AM #6 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
Hahahahha.. So....
They are running Red Hat.... and prolly a panel, and they can't install 3 freaking RPMs?????
Now that worries me.
-
07-11-2002, 12:32 AM #7 (Disabled)
- Join Date: Nov 2001
- Location: Canada
- Posts: 1,963
hacker PM
-
07-11-2002, 12:38 AM #8 (Junior Guru Wannabe)
- Join Date: Mar 2002
- Posts: 91
Originally posted by toro
OpenSSH 2.9p2 comes prepackaged with Red Hat 7.2. Expecting people to know how to compile new versions of OpenSSH is simply too demanding...
I hope you are being sarcastic.
I really do.....
-
07-11-2002, 12:39 AM #9 (Disabled)
- Join Date: Nov 2001
- Location: Canada
- Posts: 1,963
Originally posted by bacid
I hope you are being sarcastic.
I really do.....
Besides, what do you know? You're just a junior guru wannabe!!
lol, just kidding
-
07-11-2002, 12:56 AM #10 (Web Hosting Master)
- Join Date: Jan 2001
- Posts: 2,605
Err... why does OpenSSH 2.9 need to be updated?
The recently announced issue only dealt with versions 2.99 - 3.3.
(Thanks Theo!)
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/
-
07-11-2002, 01:02 AM #11 (Web Hosting Master)
- Join Date: Aug 2000
- Posts: 1,167
You can't necessarily tell by the version number alone. Granted upgrading is better, but the security hole is easily plugged with a couple edits to sshd_config or by re-compiling the current version with the available code patches.
There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
-
07-11-2002, 01:05 AM #12 (Web Hosting Master)
- Join Date: Jul 2002
- Posts: 3,734
As long as PAMAuthenticationViaKbdInt isn't enabled in the config file, 3.1p1 shouldn't be vulnerable. Not that I'm against upgrading. As long as cPanel doesn't decide to, like, kick it back to the old version the next day...lol
(edit: that's on a Red Hat 7.2)
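A checker for the sshd_config edits mentioned in the two posts above (alchiba's "couple edits to sshd_config" and the PAMAuthenticationViaKbdInt setting) is added here as an example; it is not code from the thread. It looks at PAMAuthenticationViaKbdInt, and also at ChallengeResponseAuthentication, which the OpenSSH advisory of June 2002 told everyone to set to "no" (that second keyword is not named on this page; it defaults to yes when absent). The three sample configs are constructed for illustration. The point a practitioner most often gets wrong is baked into the third one: sshd keeps the first value it reads for a keyword, so a hardening line appended at the bottom of a file that already sets the keyword does nothing.

```python
"""Audit an sshd_config for the 2002 challenge-response mitigation.

Added example, not code from the thread. Sample configs are constructed.
"""
import re

# Keyword and argument are separated by whitespace or '='; keywords are
# case-insensitive; the FIRST occurrence wins (sshd ignores later repeats).
_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return {keyword.lower(): first value seen}, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_challenge_response(text):
    """Return (keyword, effective value, reason) findings; empty list means OK."""
    s = parse_sshd_config(text)
    findings = []
    cra = s.get("challengeresponseauthentication")
    if cra is None or cra.lower() != "no":
        findings.append((
            "ChallengeResponseAuthentication",
            cra if cra is not None else "unset (sshd default: yes)",
            "challenge-response path is reachable; set it to no",
        ))
    pam = s.get("pamauthenticationviakbdint")
    if pam is not None and pam.lower() == "yes":
        findings.append((
            "PAMAuthenticationViaKbdInt", pam,
            "PAM keyboard-interactive is enabled; set it to no",
        ))
    return findings


# Constructed: stock-looking config with PAM keyboard-interactive switched on
# and ChallengeResponseAuthentication left at its default.
WEAK_CONFIG = """
Port 22
Protocol 2,1
PAMAuthenticationViaKbdInt yes
"""

# Constructed: both keywords set to no, which is the advised mitigation.
HARDENED_CONFIG = """
Port 22
Protocol 2
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
"""

# Constructed: looks fixed at a glance, but the "no" at the bottom is ignored
# because the keyword was already set to yes higher up.
TRAP_CONFIG = """
Port 22
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt no
# appended in a hurry; sshd already took the first value above
ChallengeResponseAuthentication no
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("trap", TRAP_CONFIG)):
        found = audit_challenge_response(cfg)
        print("%s: %s" % (name, "OK" if not found else ""))
        for keyword, value, why in found:
            print("  %s = %s: %s" % (keyword, value, why))
```

Run it against a real file with `audit_challenge_response(open("/etc/ssh/sshd_config").read())`; a non-empty result on a version in the affected range is the case where you want the updated package rather than a config edit alone.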
-
07-11-2002, 01:23 AM #13 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
And that's why you don't let cPanel auto-update.
-
07-11-2002, 01:27 AM #14 (Web Hosting Master)
- Join Date: Jan 2001
- Posts: 2,605
Originally posted by alchiba
There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
-
07-11-2002, 01:29 AM #15 (Web Hosting Master)
- Join Date: Jul 2002
- Posts: 3,734
Originally posted by The Prohacker
And that's why you don't let cPanel auto-update.
Of course, I trust it about as much as I trust Real Player...
-
07-11-2002, 01:29 AM #16 (Web Hosting Master)
- Join Date: Apr 2002
- Location: USA
- Posts: 5,783
I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat, and they have updated the RPM files to include the security patches for the exploit, but the version number when checking through shell still shows the same. I know I updated last week and I just checked and it still shows the same.
-
07-11-2002, 01:33 AM #17 (Web Hosting Master)
- Join Date: Jul 2002
- Posts: 3,734
Originally posted by Monte
I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat, and they have updated the RPM files to include the security patches for the exploit, but the version number when checking through shell still shows the same. I know I updated last week and I just checked and it still shows the same.
-
07-11-2002, 01:34 AM #18 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries
-
07-11-2002, 01:42 AM #19 (Web Hosting Master)
- Join Date: Jul 2002
- Posts: 3,734
Originally posted by The Prohacker
Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries
-
07-11-2002, 01:49 AM #20 (Web Hosting Master)
- Join Date: May 2001
- Posts: 2,129
Originally posted by clocker1996
What worries me even more is those HUGE web hosting companies like mchost.
...
I hope this thread will convince some people to start upgrading. I mean, come on guys. You guys were supposed to upgrade weeks ago. What's going on? Really
Marc Wyss - marc@mchost.com
MCHost Inc - Experts in Private Label Reseller Plans
http://www.mchost.com
-
07-11-2002, 03:00 AM #21 (Web Hosting Master)
- Join Date: Apr 2000
- Location: California
- Posts: 3,051
Originally posted by The Prohacker
Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries :D
-
07-11-2002, 03:26 AM #22 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
Originally posted by Tim_Greer
Tell me, out of your comments, how security concious do you deem yourself to be in regards to all things being Internet related? That's to say, how you handle your data, accounts, web space, web forum memberships and the like? Do you suppose you have a pretty solid idea? I'm simply curious is all.
I don't do it professionally... I try to keep my boxes as secure as possible, but I'm not anal retentive, like keeping the hard drives encrypted, only allowing certain IPs to ssh....
On most servers, we do things like change ssh ports, require an ssh key for logging in as root.... Stuff like that..
My forum accounts are pretty lax, I use a lot of the same passwords, but not always... forum memberships aren't a top priority to me...
For data, I have an encrypted partition on my hdd, for keeping secure stuff like names, phone numbers, stuff I don't want given out about other people, just in case... I'm really not that careful with my home computer... I still run Win2k Pro SP1, but no IIS.
I used to be really on top of all the latest holes that come out and everything.. But I'm a little more laid back now... I don't patch the hour a hole comes out, but I don't wait a week.
And when it comes to my programming, I try to be security conscious, but I really don't abide by all the good secure ways to do things... To a point I do...
But in the past years, I've learned life is too damn short to always worry about who can attack you.
[edit] An example: I didn't know RH was releasing a patched 3.1p1.... Learn something new all the time.. [/edit]
-
07-11-2002, 04:32 AM #23 (Web Hosting Master)
- Join Date: Jan 2002
- Posts: 574
Most of these companies simply do not have time, nor trained staff to keep up with this.
If you want decent security, you're going to need to hire full time staff for it.
Not to mention set restrictions (lots of them) on customers, and will they like that? No.
How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.
Oh.. and do you keep track of customers passwords or who they give them to?
Blah, blah, blah.
-
07-11-2002, 11:06 AM #24 (Web Hosting Master)
- Join Date: May 2001
- Location: Dayton, Ohio
- Posts: 4,977
Originally posted by clockwork
Most of these companies simply do not have time, nor trained staff to keep up with this.
If you want decent security, you're going to need to hire full time staff for it.
Not to mention set restrictions (lots of them) on customers, and will they like that? No.
How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.
Oh.. and do you keep track of customers passwords or who they give them to?
Blah, blah, blah.
-
07-11-2002, 11:19 AM #25 (Web Hosting Master)
- Join Date: Jan 2002
- Posts: 574
It's not an excuse, it's real life. (Welcome to it!)
Customers hate restrictions.
How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)
Ok, I was with you until your last comment about most attacks coming from Apache... uhhh?
Elaborate on that for me..