  #1 (permalink)  
Old 08-27-2008, 05:50 AM
Outstanding Member
 
Posts: 684
Compromised SSH keys.

Is this something Zimbra users need to worry about?

Linux under attack: Compromised SSH keys lead to rootkit | Zero Day | ZDNet.com

If anyone has the time, how do these attacks work?
  #2 (permalink)  
Old 08-27-2008, 11:32 AM
Moderator
 
Posts: 441

That one mostly seems to be targeting the flaw that Debian had in their SSH key generation. The attack would either target the flawed key, or try to use already stolen SSH keys to gain access. Then they install the rootkit.

Debian / Ubuntu have already released fixes for this. If you use SSH keys for logging in, you may want to use a passphrase. And don't let anyone get your private keys.
  #3 (permalink)  
Old 08-27-2008, 11:40 AM
Elite Member
 
Posts: 380

And if you run an sshd that is visible to the outside world, either directly or via NAT, you should read this article, and implement one of the solutions -- I like the /etc/hosts.allow approach myself.
  #4 (permalink)  
Old 08-27-2008, 12:33 PM
Special Member
 
Posts: 133

You should not be accessing a machine via SSH over any other medium than a VPN.
Basic security should help you to avoid this vulnerability.
  #5 (permalink)  
Old 08-27-2008, 01:13 PM
Elite Member
 
Posts: 380

Aw, that's horse-crap. If ssh isn't hardened enough to be on the edge, your VPN probably isn't either.
  #6 (permalink)  
Old 08-27-2008, 01:30 PM
Outstanding Member
 
Posts: 684

After reading at US-CERT, I guess some SSH access is done using keys without passwords or passphrases. These are the ones at most risk. I'm having trouble believing someone would not be using a password for access, but I guess it is happening.
  #7 (permalink)  
Old 08-27-2008, 02:09 PM
Special Member
 
Posts: 133

Agree. Again, basic security. As for putting SSH on the edge - Good luck with that.
Anyone remember that scene in The Matrix where Trinity uses the old SSH exploit to kick the door in on a server?
Had to do that to an old HP-UX box some years ago...
  #8 (permalink)  
Old 08-30-2008, 08:45 AM
OpenSource Builder & Moderator
 
Posts: 1,166

Quote:
Agree. Again, basic security. As for putting SSH on the edge - Good luck with that.
Anyone remember that scene in The Matrix where Trinity uses the old SSH exploit to kick the door in on a server?
Had to do that to an old HP-UX box some years ago...

Are you being serious?
  #9 (permalink)  
Old 08-30-2008, 01:27 PM
Special Member
 
Posts: 133

About what? Putting ssh on the edge or exploiting the HP-UX box?
  #10 (permalink)  
Old 09-29-2008, 07:40 AM
New Member
 
Posts: 4
Basic SSH security not that difficult

This exploit should not threaten any site that has taken a few basic steps to secure ssh. At a minimum:

- Don't allow root login on ssh, easy to configure in sshd_config.
- Don't use port 22 on any system accessible from the outside world. Add a port in sshd_config and iptables to allow access via a high-numbered misc port, e.g. 53764.
- Note that Zimbra uses port 22 for internal admin, so use iptables to lock out outside access: add "-s localhost" to the port 22 config entry.
- Install and thoughtfully configure the denyhosts package to shut down attackers after a few login attempts.

Basic sysadmin practice, but well worth repeating for the benefit of all here.
__________________
Macy Hallock - Hallock Consulting - Medina, Ohio
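
The sshd_config and iptables items from the checklist in post #10, as an added example that is not part of the original thread: a Python audit that applies sshd_config's first-value-wins rule and checks `iptables-save` style rules for a port 22 ACCEPT without a loopback source. The function names, finding labels and sample inputs are constructed for illustration; the denyhosts step is not covered.

```python
def opt(tokens, flag):
    """Value following an iptables flag, or '' if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else ""

def effective_sshd(config_text):
    """Global sshd_config settings. Keywords are case-insensitive and the first
    value seen wins, except Port, which may repeat. Parsing stops at Match."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)
    settings["port"] = ports or [22]  # sshd listens on 22 when no Port is given
    return settings

def audit(config_text, iptables_save_text):
    """Return finding labels (hypothetical names) for the checklist items."""
    cfg, findings = effective_sshd(config_text), []
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("root-login")       # root login not explicitly disabled
    if set(cfg["port"]) == {22}:
        findings.append("no-alt-port")      # no high port for outside access
    for line in iptables_save_text.splitlines():
        tok = line.split()
        if (22 in cfg["port"] and tok[:2] == ["-A", "INPUT"]
                and opt(tok, "-j") == "ACCEPT" and opt(tok, "--dport") == "22"
                and not opt(tok, "-s").startswith(("127.", "localhost"))):
            findings.append("port22-open")  # port 22 accepted from any source
    return findings

# Constructed sample inputs (not taken from a real host).
WEAK_CFG = "Port 22\nPermitRootLogin yes\n"
WEAK_FW = "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
HARD_CFG = "Port 22\nPort 53764\nPermitRootLogin no\n"
HARD_FW = ("-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT\n"
           "-A INPUT -p tcp -m tcp --dport 53764 -j ACCEPT\n")

if __name__ == "__main__":
    print(audit(WEAK_CFG, WEAK_FW))
    print(audit(HARD_CFG, HARD_FW))
```

Because the first value wins, a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` has no effect, and the audit reports it as still enabled.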