Date:      Tue, 05 Jan 1999 15:51:21 -0800
From:      Brian Behlendorf <brian@hyperreal.org>
To:        bmah@CA.Sandia.GOV, The Hermit Hacker <scrappy@hub.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ssh "error" message .. 
Message-ID:  <4.1.19990105154103.00ba7100@hyperreal.org>
In-Reply-To: <199901052215.OAA19362@stennis.ca.sandia.gov>
References:  <Your message of "Tue, 05 Jan 1999 17:45:05 -0400."             <Pine.BSF.4.05.9901051744120.18250-100000@thelab.hub.org>

At 02:15 PM 1/5/99 -0800, Bruce A. Mah wrote:
>If memory serves me right, The Hermit Hacker wrote:
>
>> Has anyone seen the following before?  I'm thinking a port-attack, since
>> I've gotten two reports so far, each reporting the same host, but
>> different IP...
>> 
>> hub> logout
>> Waiting for forwarded connections to terminate...
>> The following connections are open:
>>   X11 connection from tntport0581.cwjamaica.com port 1488
>>   X11 connection from tntport0581.cwjamaica.com port 1918
>
>Yes, many many times.  These are the error messages that you see when you ssh 
>to another machine, fire up some X clients on the remote host, then try to 
>logout.  The X protocol messages from the X clients are tunneled over the 
>encrypted SSH connection, so the SSH connection can't go away without killing 
>the clients.  The behavior you see gives you (the user) a chance to gracefully 
>shut down the X clients first.
>
>If I don't care about those X clients, I'll usually kill the window from which 
>I ran ssh.

Um, I think he's saying that "tntport0581.cwjamaica.com" isn't one of his
domains, but a third party, and he's suspicious that an attack may be underway.

When you use SSH and tell it to forward X11 packets, it opens an X port on
the remote machine for X clients to connect to, to get tunnelled to your
local X server.  E.g., from "lsof":

sshd1      6362     root    9u  inet 0xf4930900        0t0     TCP *:6011 (LISTEN)

The port is open - local X clients AND remote X clients can connect to it.
Now, your X server will probably mandate the use of some sort of auth, like
what's in the .Xauthority file on your remote machine; remember back before
xauth when it was "cute" to open an X app on someone else's screen,
surprising them?  :)

This isn't a security hole, since the standard X security mechanisms
*should* protect you, but there is the potential for exploiting buffers in
either the sshd or your desktop X server.  If you don't need X, you
probably want to turn off "forward X11 packets", just to be safe.

If F-Secure was thinking, they'd give an option to only allow local
connections to the remote end of the tunnel, as you can do when setting up
other tunnels manually.  I'm going here by the GUI for the windows & mac
SSH clients; the Unix ssh client has far more configurability of course.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
History is made at night;                         brian@hyperreal.org
  character is what you are in the dark.
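An added example (not part of Brian's mail or the thread): a small audit that classifies listening sockets from lsof-style output like the line quoted above, flagging X11-forwarding listeners (TCP 6000-6063, i.e. DISPLAY :0 to :63) that are bound to every interface rather than to loopback, plus a check of sshd_config for the two modern OpenSSH directives that control this, X11Forwarding and X11UseLocalhost. The lsof sample and the sshd_config fragments are constructed, not real captures.

```shell
#!/bin/sh
# Constructed sample in "lsof -i -n -P" style (not a real capture). The first line
# mirrors the one in the mail: an X11 forward listener bound to the wildcard address.
SAMPLE_LSOF='sshd1      6362     root    9u  inet 0xf4930900        0t0     TCP *:6011 (LISTEN)
sshd       6400     root   10u  IPv4 0xf4931a00        0t0     TCP 127.0.0.1:6012 (LISTEN)
sshd       6500     root    3u  IPv4 0xf4932b00        0t0     TCP *:22 (LISTEN)
Xorg       1200     user    5u  IPv4 0xf4933c00        0t0     TCP 127.0.0.1:6000 (LISTEN)'

# Read lsof lines on stdin; print "PID PORT ADDR" for every listening TCP socket in
# the X11 display range whose bind address is a wildcard (*, 0.0.0.0 or [::]).
# The NAME column is split at its last colon so IPv6 "[::]:6011" is handled too.
x11_wildcard_listeners() {
    awk '
        $(NF) == "(LISTEN)" && $(NF-2) == "TCP" {
            name = $(NF-1)
            n = split(name, a, ":")
            port = a[n] + 0
            addr = substr(name, 1, length(name) - length(a[n]) - 1)
            if (port >= 6000 && port <= 6063 &&
                (addr == "*" || addr == "0.0.0.0" || addr == "[::]"))
                print $2, port, addr
        }'
}

# Read sshd_config text on stdin; print "forwarding=<yes|no> localhost_only=<yes|no>".
# Assumes OpenSSH semantics: the first occurrence of a directive wins, comments are
# ignored, and the defaults are "X11Forwarding no" and "X11UseLocalhost yes"
# (X11UseLocalhost yes binds the forward listener to loopback only, which is the
# "local connections only" option the mail asks for).
sshd_x11_policy() {
    awk '
        BEGIN { fwd = "no"; loc = "yes" }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "x11forwarding"   && !seen_f { fwd = tolower($2); seen_f = 1 }
        tolower($1) == "x11uselocalhost" && !seen_l { loc = tolower($2); seen_l = 1 }
        END { print "forwarding=" fwd " localhost_only=" loc }'
}

# Stand-alone run: the only line reported is the PID 6362 listener on *:6011.
printf '%s\n' "$SAMPLE_LSOF" | x11_wildcard_listeners
```

On a live host, replace the constructed sample with `lsof -i -n -P` output and feed `/etc/ssh/sshd_config` to the second function.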
