| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <769E8CE8D1A0BF438B62C3DB10C60B9F352094@mtccexchg04.ad.bmhcc.org> From: Stephen.Agar at bmhcc.org (Stephen Agar) Subject: !SPAM! Automated ssh scanning Somehow, this message got to me before Ron's reply did, so I will respond to both inline. > On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne > <dufresne@...ternet.com> wrote: > > On Thu, 26 Aug 2004, Stephen Agar wrote: > > > > > I think many of you are missing the point. Yes the guest/guest > > > account is weak, but this kernel is (according to debian) > > > patched..therefore free from local exploits that can be > used to gain > > > superuser access. I mean if this were the case, then any box that > > > ran this version of debian to do something like "web > hosting" that > > > gave users shell access, may as well give them all full sudo. > > > Because you people are assuming that if someone can gain > access to the box, secured or not, they can gain root..i disagree. > > > > > > The issue here is why does debain include such a weak > account,m thaqt > > has not been tamed via a very restricted chroot env!? That is one issue, but given that I haven't installed debian in years, I can't really answer it. However, I don't think it's the "main" issue. The main issue to me is, if I do install debian, and give an account to a friend (albeit not a trusted friend), do I have to worry about a "fully patched" box still getting rooted via a local exploit? > > That's not the issue though. As someone who has installed > and maintained debian systems over a period of years, I can > assure you that debian does not include a guest account (or > any account) with a weak password or shell. > > There aren't any shell accounts other than root on a debian > install until added by the administrator. > > The weak account in question here was created by the original > poster with the intent of catching one of these apparently > automated ssh attacks. If he did create those accounts himself for "honeypot" purposes, and this isnt default on that debian install then it has shown us all something. It has opened the flood gates for discussion about local exploits in that particular install, that we would assume were patched (unless they are undisclosed vulns..but do we really think the script kiddies have that many 0day exploits...yikes!) > > > As Barry pointed to directly, it all depends upon what you make > > available to your clients once in a shell. It;s very likely your > > server would be as exploitable as most 'default' installs > with the kitchen sink dropped in. > > Perhaps not, but likely, depending upon what you 'installed > and allow > > clients access to'. > > > > Thanks, > > > > Ron DuFresne I agree, if this was a production box...then any shell account I had would either be set up for something like "scp only" for a "web host", or jailed very tightly..along with every other service running on the box. I was just saying, that if I install my box, and apply every available patch, I would expect it to be free of local exploits as well as remote ones. > As for the defaults on the original posters install... that > would of course depend entirely on what install method he > chose. Like many current distros (Mandrake, Redhat etc) > Debian offers a packaged install of a couple varieties > (desktop, server, workstation etc) for an admin to pick from, > or they can choose to run dselect (package management > interface) and choose by hand what they do and do not want. > > This of course again comes back to not knowing what the > initial poster did with the system beyond running dselect -> > update -> install which would have autohandled updates and > dependency resolution for installed packages. > > -- > Tremaine > IT Security Consultant Thanks, Stephen
Powered by blists - more mailing lists