From: "Riley J. McIntire"
To: "Stephen Hovey", "Riley J. McIntire"
Cc: "FreeBSD Questions"
Subject: RE: icmp dos attack? sshd core dump
Date: Tue, 4 Dec 2001 10:56:09 -0800

> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Stephen Hovey
> Sent: Tuesday, December 04, 2001 9:46 AM
> Subject: Re: icmp dos attack? sshd core dump
>
> An advisory just came out on a hole in ssh (I won't touch that with a 10
> foot pole!)
>

Steve,

The "OpenSSH UseLogin directive permits privilege escalation advisory", if
that's what you're referring to, doesn't seem to apply. It's a hole for an
otherwise authorized user (hmmm) and only with "UseLogin" enabled, which it
isn't.

Thanks,

Riley

> On Tue, 4 Dec 2001, Riley J. McIntire wrote:
>
> > Greetings:
> >
> > This just showed up in a security check output log:
> >
> > > icmp-response bandwidth limit 240/200 pps
> > > icmp-response bandwidth limit 213/200 pps
> > snip pages of this
> > then
> > > pid 49374 (sshd), uid 0: exited on signal 11 (core dumped)
> > > pid 49375 (sshd), uid 0: exited on signal 11 (core dumped)
> > snip
> > > pid 49391 (sshd), uid 0: exited on signal 11 (core dumped)
> > > pid 49394 (sshd), uid 0: exited on signal 11 (core dumped)
> > > pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
> > > pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
> > snip
> > > pid 49465 (sshd), uid 0: exited on signal 10 (core dumped)
> > > pid 49466 (sshd), uid 0: exited on signal 10 (core dumped)
> >
> > Note the change from a sig 11 to 10.
> >
> > A DOS attack? The machine is up, I can connect via ssh, and I'm a bit
> > at a loss of what, if anything, to do about this?
> >
> > Thanks,
> >
> > Riley
> >
> > "They that can give up essential liberty to obtain a little temporary
> > safety deserve neither liberty nor safety."
> > Benjamin Franklin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
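
A triage pass over log lines of the kind quoted in this thread, as an added example that is not part of the original messages: it counts the icmp-response rate-limit notices, groups fatal-signal exits by process and signal, and flags a process whose crash signal changes, as sshd's did from 11 to 10. The sample log is constructed from lines quoted in the thread; the function name `triage` and the signal-name table (FreeBSD numbering, 10 = SIGBUS, 11 = SIGSEGV) are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (not the poster's full log).
SAMPLE_LOG = """\
icmp-response bandwidth limit 240/200 pps
icmp-response bandwidth limit 213/200 pps
pid 49374 (sshd), uid 0: exited on signal 11 (core dumped)
pid 49375 (sshd), uid 0: exited on signal 11 (core dumped)
pid 49396 (sshd), uid 0: exited on signal 10 (core dumped)
pid 49397 (sshd), uid 0: exited on signal 10 (core dumped)
"""

ICMP_RE = re.compile(r"icmp-response bandwidth limit (\d+)/(\d+) pps")
CRASH_RE = re.compile(
    r"pid (\d+) \((\S+?)\), uid (\d+): exited on signal (\d+)( \(core dumped\))?")

# FreeBSD signal numbers for the two signals seen in the thread.
SIGNAL_NAMES = {10: "SIGBUS", 11: "SIGSEGV"}


def triage(log_text):
    """Summarise ICMP rate-limit hits and fatal-signal exits per process name."""
    icmp_hits, peak_pps, limit = 0, 0, None
    crashes = Counter()          # (process, signal) -> count
    signal_order = {}            # process -> signals in order of first appearance
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()   # tolerate mail-quoted log lines
        m = ICMP_RE.search(line)
        if m:
            icmp_hits += 1
            peak_pps = max(peak_pps, int(m.group(1)))
            limit = int(m.group(2))
            continue
        m = CRASH_RE.search(line)
        if m:
            proc, sig = m.group(2), int(m.group(4))
            crashes[(proc, sig)] += 1
            seq = signal_order.setdefault(proc, [])
            if sig not in seq:
                seq.append(sig)
    return {
        "icmp_hits": icmp_hits,
        "icmp_peak_pps": peak_pps,
        "icmp_limit_pps": limit,
        "crashes": {f"{p}/{SIGNAL_NAMES.get(s, s)}": n for (p, s), n in crashes.items()},
        "signal_changed": {p: seq for p, seq in signal_order.items() if len(seq) > 1},
    }
```
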