From: Brett Glass
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd exploit
Date: Fri, 30 Nov 2001 09:01:25 -0700
Message-Id: <4.3.2.7.2.20011130084920.042827e0@localhost>
References: <20011129012235.U6446-100000@achilles.silby.com>

At 12:30 AM 11/30/2001, bsd-sec@boneyard.lawrence.ks.us wrote:

> Perhaps so. However, at the university department where I work, RH Linux lab
> machines running both 2.5.x and 2.9.x versions of OpenSSH were indeed
> compromised while running ssh version 1. The only other services with
> externally available ports were portmap and syslogd.

Interesting. Any way we can do a postmortem analysis to determine whether sshd was the weak link?

While I wouldn't suggest that people panic, I am concerned about intrusions even though all of my FreeBSD boxen are now running 3.0.1p1. We have several people with SSHv1 clients who send and receive e-mail from the road via port forwarding. We need to keep a secure (at least as much as the protocol allows) SSHv1 server running. So, we're doing VERBOSE logging and watching for suspicious activity.

--Brett Glass