brute force ssh attack

Guy Fraser guy at incentre.net
Thu Apr 28 18:21:46 UTC 2005 

On Thu, 2005-28-04 at 10:38 -0700, John Wendel wrote:
> William Hooper wrote:
> > 
> > Well, the question asked would be nice:
> > "Thus it has some method of getting root privileges."
> > 
> > The response:
> > "Inexperienced sysadmins."
> > 
> > The quote showing that was the case:
> > "Daniel Kirsten wrote:
> > 'Yesterday, I examined the directory ~daikanyama/.undernet and probably I
> > executed mech as root. The file mech is indeed infected by Linux/Rst-B.
> > This explains everything.......'
> > 
> > So the "method of getting root privileges" is "regular users of their own
> > machines" running random executables (like the ones downloaded by a script
> > kiddie) as root.
> > 
> > I'm interested in hearing how you would like to close this vulnerability.
> > 
> > --
> > William Hooper
> > 
> 
> I should probably keep quiet, but I don't really mind looking like a fool.
> 
> I'm an "inexperienced sysadmin" for my Linux boxes, and I have 
> destroyed a few by doing stupid things, like running an untested 
> script (that I wrote) as root that deleted all the file in /etc.
> 
> What I'd really like is for system files to be mounted read only. 
> Maybe by having a hardware switch that makes the system disk read 
> only. Booting from a DVD that contained everything except /var, /tmp, 
> and /home would be another alternative. This of course requires that 
> everyone cleans up their code to only update files in /var, instead of 
> writing in /etc.

There are a number of thing an experienced administrator can do 
to alleviate these problems. Unfortunately many of the people 
who are using or want to use Linux are not experienced 
administrators. There are a number of options that can be 
used to mount partitions with more strict permissions, but in 
order for that to work, more directories need to be mounted in 
separate partitions. There is not a lot of consensus on how to 
define what partitions should be created or how big they need 
to be or with what permissions they should have, so administrators 
tend to customize each machine for the situation in which it will 
be used.

A long, long time ago Redhat decided how it was going to arrange 
the locations of system files and add on packages. I seem to 
recall questioning some of the file locations back around 3 or 4
but decided to just live with Redhats file locations. Unfortunately 
I am not alone in questioning some of the file locations. If files 
were placed in locations more consistent with old school hierarchal 
system used by most BSD systems and a few Linux distributions, it 
would be easier to protect the base system binaries and configuration 
files.

SELinux has a lot of promise in alleviating the file location 
issues. SELinux is supposed to be able to properly secure a system 
without having to create a bunch of partitions with different 
mounting options. It should allow a more general file system 
structure that is not dependant on the situation in which the 
machine will be used, as is created by the current default 
install.

> 
> I'm sure some smart people have already worked out the details for a 
> system like this. Anyone aware of this kind of work? I'd be interested 
> in seeing it.
> 
> Thanks,
> 
> John Wendel

More information about the fedora-list mailing list