Page 1 of 3 (results 1 to 25 of 56)

Thread: Insecure =/

  1. #1
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963

    Insecure =/

    Why do hosting companies leave open holes like this?

    [root@sandton root]# telnet <edit> 22
    Trying <edit>...
    Connected to <edit>
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.1p1

    Protocol mismatch.
    Connection closed by foreign host.
    Cogentco.com also runs 3.0 (openssh)

    I just don't understand why so many hosting companies are so slow on fixing their security. I mean..

    If i was looking for shared hosting, I for one would not want to be hosted with a company that is running old daemons that have vulnerabilities in them, ya know?

    Am I the only one who feels this way, i mean really......
    Last edited by Chicken; 07-13-2002 at 11:44 AM.

  2. #2
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    hahah...

    Damn... I always spend the first 3 days we have a server on updating...

    There really is no excuse not to upgrade your servers anymore.. Hell even RPMs are available for upgrade if you need it....

    I even spent the time to update an RaQ2, everything on it

  3. #3
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963
    I mean, what are these companies going to do when someone comes along and compromises their servers??

    I think it's sad.

    [root@sandton root]# telnet <edit> 22
    Trying <edit>...
    Connected to <edit>.
    Escape character is '^]'.
    SSH-1.5-OpenSSH_3.1p1

    [root@sandton root]# telnet <edit> 22
    Trying <edit>...
    Connected to <edit>.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9p2

    [root@sandton root]# telnet <edit> 22
    Trying <edit>...
    Connected to <edit>.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9p2

    Protocol mismatch.

    [root@sandton root]# telnet <edit> 22
    Trying <edit> ...
    Connected to <edit>.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9p2

    And the list goes on and on, I won't try to embarrass too many companies

    I just think that if a company can't keep up to date with security, they shouldn't jeopardize other people's data.

    I certainly would only choose hosts that keep good security.
    Last edited by Chicken; 07-13-2002 at 11:44 AM.

  4. #4
    Join Date
    Feb 2002
    Location
    South California
    Posts
    333
    Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
    Matt Mahvi
    Staminus, Infrastructure DDoS Protection and Appliances
    @ 200+ Gbps global ddos mitigation network. Local or Remote. Proxy, GRE, and direct cross connects.
    @ Available in Amsterdam, New York, Los Angeles and Orange County. Anycast BGP.

  5. #5
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963
    Originally posted by toro
    Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
    Yeah, I know what you mean. Especially those people who just got online last week and are already web hosts. I can understand how they wouldn't know a DAMN thing about security.

    Everybody is a web host nowadays

    What worries me even more is those HUGE web hosting companies like mchost

    it would be a shame if someone were to compromise their systems and erase all data including back ups.

    I hope this thread will convince some people to start upgrading. I mean come on guys. You guys were supposed to upgrade weeks ago. What's going on? Really

    just my 0.02

  6. #6
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Hahahahha.. So....

    They are running RedHat.... And prolly a panel, and they can't install 3 freaking rpms?????

    Now that worries me

  7. #7
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963
    hacker PM

  8. #8
    Originally posted by toro
    Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
    I hope you are being sarcastic.

    I really do...

  9. #9
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963
    Originally posted by bacid
    I hope you are being sarcastic.

    I really do...
    Sarcasm? Of course not. He's telling the truth

    Besides, what do you know? You're just a junior guru wannabe!!

    lol just kidding

  10. #10
    Err... why does OpenSSH 2.9 need to be updated?

    The recently announced issue only dealt with versions 2.99 - 3.3.

    (Thanks Theo!)
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  11. #11
    Join Date
    Aug 2000
    Posts
    1,167
    You can't necessarily tell by the version number alone. Granted upgrading is better, but the security hole is easily plugged with a couple of edits to sshd_config or by re-compiling the current version with the available code patches.

    There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
    Last edited by alchiba; 07-11-2002 at 01:07 AM.

  12. #12
    Join Date
    Jul 2002
    Posts
    3,734
    As long as PAMAuthenticationViaKbdInt isn't enabled in the config file, 3.1p1 shouldn't be vulnerable. Not that I'm against upgrading. As long as cpanel doesn't decide to like kick it back to the old version the next day...lol

    <edit> that's on a redhat 7.2</edit>
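    Post #11 says the hole can be closed with a couple of edits to sshd_config and post #12 names the keyword that matters on 3.1p1 and worries that cPanel may rewrite the file. The check below is an added example (not code from the thread, from OpenSSH or from cPanel) that resolves a keyword the way sshd does. It assumes two documented sshd_config rules: keywords are case-insensitive, and for each keyword the first occurrence in the file wins, so a duplicate line appended later is dead text while a duplicate line inserted earlier silently overrides the admin's edit. The sample config files and the function names are mine.

```python
import re
from typing import Dict, Optional

# Constructed sample files. Keyword casing and spacing vary on purpose.
ADMIN_HARDENED = """\
# sshd_config after the admin's edit (constructed sample)
Port 22
Protocol 2
PAMAuthenticationViaKbdInt no
PasswordAuthentication yes
"""

PANEL_REWRITTEN = """\
# Same box after a control panel regenerated the file (constructed sample):
# the panel's own line lands first, so the admin's line below is ignored.
pamauthenticationviakbdint YES
Port 22
PAMAuthenticationViaKbdInt no
"""

PANEL_APPENDED = """\
# Panel appended its line at the bottom instead (constructed sample)
PAMAuthenticationViaKbdInt no
Port 22
PAMAuthenticationViaKbdInt yes
"""

UNSET = """\
Port 22
Protocol 2
"""

# sshd_config accepts "keyword value" or "keyword=value" (with optional spaces).
KEYWORD_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword.lower(): value} using sshd's rule that the FIRST
    occurrence of a keyword wins; later duplicates are ignored, not merged."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = KEYWORD_SPLIT.split(line, maxsplit=1)
        if len(parts) != 2 or not parts[1]:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen


def effective(text: str, keyword: str) -> Optional[str]:
    """Value sshd will actually use for keyword, or None when the file never sets
    it (the compiled-in default applies; this example does not guess what it is)."""
    return parse_sshd_config(text).get(keyword.lower())


def kbdint_via_pam(text: str) -> Optional[bool]:
    """True if PAMAuthenticationViaKbdInt is effectively 'yes', False if 'no',
    None if unset. Post #12's claim is that 'no' is what keeps 3.1p1 safe."""
    value = effective(text, "PAMAuthenticationViaKbdInt")
    if value is None:
        return None
    return value.lower() == "yes"


def audit(text: str) -> str:
    """One-line verdict for a config file, for the operator's eyes."""
    state = kbdint_via_pam(text)
    if state is None:
        return "PAMAuthenticationViaKbdInt not set: compiled-in default applies, check the build"
    if state:
        return "PAMAuthenticationViaKbdInt effectively YES: the workaround is NOT in effect"
    return "PAMAuthenticationViaKbdInt effectively no"


if __name__ == "__main__":
    for name, cfg in [("admin edit", ADMIN_HARDENED), ("panel first", PANEL_REWRITTEN),
                      ("panel appended", PANEL_APPENDED), ("unset", UNSET)]:
        print(f"{name:15} -> {audit(cfg)}")
```

    The point of the three samples is the one post #12 and #13 circle around: after a panel regenerates sshd_config, where its line lands decides whether the admin's "no" still means anything, so re-run the check after any panel update rather than trusting that the line you typed is still the one sshd reads. An unset keyword is reported as unknown on purpose; the compiled-in default depends on the build, and the honest answer is to check that build rather than assume.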

  13. #13
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    And thats why you don't let Cpanel auto update

  14. #14
    Originally posted by alchiba
    There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
    Yes, but some of those were already patched. The openssh 2.9p2 which FreeBSD uses is unaffected by these problems (which is why people were so annoyed with Theo for advising them to move to 3.3 -- which *was* affected).
    Dr. Colin Percival, FreeBSD Security Officer
    Online backups for the truly paranoid: http://www.tarsnap.com/

  15. #15
    Join Date
    Jul 2002
    Posts
    3,734
    Originally posted by The Prohacker
    And thats why you don't let Cpanel auto update
    I'd had my first server about 10 minutes before I disabled that...

    Of course, I trust it about as much as I trust Real Player...

  16. #16
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat and they have updated the RPM files to include the security patches for the exploit, but the version number when checking thru shell still shows the same. I know I updated last week and I just checked and it still shows the same.
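    The telnet banner grabs in posts #1 and #3, together with the point made in posts #11 and #16 that the version string alone does not tell you whether a backported fix is installed, as an added example in Python. This is not code from the thread or from OpenSSH: the function names are mine, the sample banners are constructed to match the shape of those in the posts, and the version range it flags is the one post #11 quotes ("2.3.1 through 3.3"), not an advisory lookup. The one networked function mirrors what telnet was doing by hand and is not exercised offline.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# The only "which versions" knowledge here is the range post #11 quotes.
# It is the thread's claim, not an advisory lookup.
QUOTED_RANGE = ((2, 3, 1), (3, 3, 0))

# Identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class Banner:
    protocol: str
    software: str
    comment: Optional[str]

    @property
    def ssh1(self) -> bool:
        # 1.3 and 1.5 are SSH-1 only; 1.99 means the server speaks both.
        return self.protocol.startswith("1.")

    @property
    def ssh2(self) -> bool:
        # 2.0 is SSH-2 only; 1.99 (the lines in posts #1 and #3) offers both.
        return self.protocol in ("1.99", "2.0")


def parse_banner(line: str) -> Banner:
    """Split one identification line into its fields; reject anything else."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comment"))


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """'OpenSSH_3.1p1' -> (3, 1, 0). The pN suffix is dropped: it is the portable
    release number, not the upstream code line. None if this is not OpenSSH."""
    m = OPENSSH_RE.match(software)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(line: str) -> str:
    """'not-openssh', 'outside-range' or 'in-range-unknown'.
    Deliberately never 'vulnerable': post #16's Red Hat update (RHSA-2002-127)
    patches 3.1p1 and leaves the banner unchanged, and post #12's point is that
    the sshd_config setting matters as much as the version. A banner can put a
    host on the list to check; it cannot take one off it."""
    banner = parse_banner(line)
    version = openssh_version(banner.software)
    if version is None:
        return "not-openssh"
    low, high = QUOTED_RANGE
    return "in-range-unknown" if low <= version <= high else "outside-range"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """The telnet trick from post #1 done in code (needs a network; not run offline).
    sshd sends its line first. We read it, then send a well-formed line of our own
    before closing, so the server does not answer 'Protocol mismatch.' (what it says
    when the first thing it reads does not start with 'SSH-', e.g. the bare Enter
    typed into the telnet session in post #1)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 255:
            chunk = sock.recv(1)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"SSH-2.0-bannercheck\r\n")
    return buf.decode("ascii", errors="replace")


if __name__ == "__main__":
    # Constructed lines in the shape of the banners shown in posts #1 and #3.
    for sample in ("SSH-1.99-OpenSSH_3.1p1", "SSH-1.5-OpenSSH_3.1p1",
                   "SSH-1.99-OpenSSH_2.9p2", "SSH-2.0-OpenSSH_3.4p1"):
        print(f"{sample:26} {assess(sample)}")
```

    For the question post #16 raises, the check that actually answers it is the package, not the banner: `rpm -q openssh-server` prints name-version-release, and a vendor backport bumps the release field while sshd keeps announcing 3.1p1. So "in-range-unknown" means go and look, at the package release and at sshd_config, before deciding anything about the host; and "outside-range" from a banner is equally worth a second look, since post #18 shows how easily the string can be changed.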

  17. #17
    Join Date
    Jul 2002
    Posts
    3,734
    Originally posted by Monte
    I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat and they have updated the RPM files to include the security patches for the exploit, but the version number when checking thru shell still shows the same. I know I updated last week and I just checked and it still shows the same.
    Thank you...makes me feel better. I was sure I installed an upgrade before. I thought I was going nuts there for a minute. Ok, Nick...you're off the hook...:p

  18. #18
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....

    Lets see who tries

  19. #19
    Join Date
    Jul 2002
    Posts
    3,734
    Originally posted by The Prohacker
    Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....

    Lets see who tries
    LOL Gobbles is comin for ya...

  20. #20
    Originally posted by clocker1996
    What worries me even more is those HUGE web hosting companies like mchost

    ...

    I hope this thread will convince some people to start upgrading. I mean come on guys. You guys were suppose to upgrade weeks ago. What's going on? Really
    We upgraded all servers about 2 weeks ago, you should definitely do that. There are lots of people just scanning random IP ranges to find exploits.
    Marc Wyss - marc@mchost.com
    MCHost Inc - Experts in Private Label Reseller Plans
    http://www.mchost.com

  21. #21
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by The Prohacker
    Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....

    Lets see who tries :D
    Tell me, out of your comments, how security conscious do you deem yourself to be in regards to all things being Internet related? That's to say, how you handle your data, accounts, web space, web forum memberships and the like? Do you suppose you have a pretty solid idea? I'm simply curious is all.

  22. #22
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Originally posted by Tim_Greer
    Tell me, out of your comments, how security conscious do you deem yourself to be in regards to all things being Internet related? That's to say, how you handle your data, accounts, web space, web forum memberships and the like? Do you suppose you have a pretty solid idea? I'm simply curious is all.

    I don't do it professionally... I try to keep my boxes as secure as possible, but I'm not anal retentive, like keep the hard drives encrypted, only allow certain IPs to ssh....

    On most servers, we do things like change ssh ports, require an ssh key for logging in as root.... Stuff like that..

    My forum accounts are pretty lax, I use a lot of the same passwords, but not always... forum memberships aren't a top priority to me...

    For data, I have an encrypted partition on my hdd, for keeping secure stuff like names, phone numbers, stuff I don't want giving out about other people, just incase... I'm really not that careful with my home computer... I still run Win2k Pro sp1, but no IIS

    I used to be really on top of all the latest holes that come out and everything.. But I'm a little more laid back now... I don't patch the hour a hole comes out, but I don't wait a week

    And when it comes to my programming, I try to be security conscious, but, I really don't abide by all the good secure ways to do things... To a point I do...

    But in the past years, I've learned life is too damn short to always worry about who can attack you


    [edit]An example, I didn't know RH was releasing a patched 3.1p1....Learn something new all the time.. [/edit]

  23. #23
    Join Date
    Jan 2002
    Posts
    574
    Most of these companies simply do not have time, nor trained staff to keep up with this.

    If you want decent security, you're going to need to hire full time staff for it.

    Not to mention set restrictions (lots of them) on customers, and will they like that? No.

    How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.

    Oh.. and do you keep track of customers passwords or who they give them to?

    Blah, blah, blah.

  24. #24
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Originally posted by clockwork
    Most of these companies simply do not have time, nor trained staff to keep up with this.

    If you want decent security, you're going to need to hire full time staff for it.
    And do you think that's a good excuse?? Think customers will like it when they lose data??

    Not to mention set restrictions (lots of them) on customers, and will they like that? No.
    What would you think they'd hate most, restrictions or losing their site?????

    How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.

    Oh.. and do you keep track of customers passwords or who they give them to?

    Blah, blah, blah.
    Shell isn't a big security hole, if you have a semi-secure mindset, you'd know to update things... Hell most local attacks don't come from shell, but from apache since it runs as nobody....

  25. #25
    Join Date
    Jan 2002
    Posts
    574
    It's not an excuse, it's real life. (Welcome to it!)

    Customers hate restrictions.
    How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)

    Ok, I was with you until your last comment about most attacks coming from apache... uhhh?

    Elaborate on that for me..
