SSL Certificate checking
I understand that hobbit (and bbgen) will check the validity of SSL certificates on a HTTPS site, but I was wondering if hobbit (or bbgen) would also check that an ssh certificate does NOT change?
Note, all the rest of this email is off-topic, so please don't respond to it on the list. Feel free to send your comments offlist.
Reason being, this morning one of my servers was hacked; I found out because:
*) BB noticed /var/log/messages was truncated
*) BB noticed sshd wasn't running any longer
I then noticed, because the SSH key had been changed, that basically someone had compiled a new ssh and in the process changed the key. It would have been nice had BB detected that as well (since a hacker might not always truncate log files, nor change the process name of ssh, even though it is still running).
For those that are interested, and I'd be keen to hear from people (probably off-list) regarding their thoughts/suggestions.
This machine is running debian testing, and I have a BB ext which alerts me if updates are available but not installed, so I install them daily, so it is always up to date. The machine runs a kernel which is likely to have a locally exploitable bug (2.4.25). The machine has open services to the internet of:
*) apache-perl (from debian)
*) DJB's tinydns (from debian source package)
*) DJB's qmail (from debian source package)
*) ssh (from debian)
apache-perl is serving up RT (from debian) and no other CGI/etc
qmail calls qmail-scanner-queue.pl which calls spamassassin + clamav which are also both from debian.
The machine is listed as secondary MX for a load of domains, and also primary NS for a load of domains.
The machine had 4 users with a password set (root + 3 admin users) all the rest were disabled in /etc/shadow.
As for password brute-force, I've had john running for over an hour, and it hasn't found anything yet; at 1221 attempts per second, I think that comes to 1025640 passwords it has tried.....
guesses: 0 time: 0:01:10:13 (3) c/s: 1221 trying: agig1
i.e., the passwords for the 4 users are not easily guessable.... passwords are never sent in cleartext either...
Basically, so far as I can tell, the person has set a password for user games, compiled/installed openssh (into /usr/local/), and that's all I can see so far.
The thing that bothers me most is that this is a debian (testing) machine, with all the patches/updates etc, and yet it was still hacked.
My suspicion is that they gained access via ssh, since they went to the trouble of replacing that....
My fear is that I won't find HOW they got in, and therefore can't put the machine back online with any degree of confidence that it won't happen again....
As above, please send comments/suggestions to me offline.
Regards, Adam
--
Adam Goryachev
Website Managers
Ph: +61 2 8304 0000    adam at websitemanagers.com.au
Fax: +61 2 8304 0001   www.websitemanagers.com.au
On Tue, May 17, 2005 at 01:23:52PM +1000, Adam Goryachev wrote:
> I understand that hobbit (and bbgen) will check the validity of SSL certificates on a HTTPS site, but I was wondering if hobbit (or bbgen) would also check that an ssh certificate does NOT change?
You mean the SSH host key. Hobbit cannot do that currently, since it doesn't know about the SSH protocol other than to expect the "SSH-..." banner when it connects to an SSH service.
One could probably pick out the necessary pieces of code from the OpenSSH client to build a checker for this. That would be useful, because it would also eliminate the warnings that OpenSSH logs when Hobbit checks the service.
> Reason being, this morning one of my servers was hacked [...]
Ouch - whatever you find out, I'll be interested to hear about it. My server setup looks disturbingly much like yours, so if there is a new root exploit out there, I'd like to know.
Regards, Henrik
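As an added illustration of the check discussed in both messages (not code from the Hobbit project or from either poster): a small Python script that pins a host's SSH host-key fingerprints and reports red/green when a fresh scan differs. Rather than borrowing from the OpenSSH client as Henrik suggests, it parses the output of `ssh-keyscan` (one `host keytype base64-blob` line per key) and computes the OpenSSH-style `SHA256:` fingerprint itself, so no network is needed to exercise the comparison logic. The sample scan line below is constructed for the example and is not a real host's key; `scan_host`, `check_host_keys` and the pinned-file format are my own assumptions.

```python
import base64
import hashlib
import subprocess
import sys

# Constructed sample of what `ssh-keyscan -t ed25519 mailhost.example` prints on stdout.
# The key blob is made up for this example; it is not any real host's key.
_FAKE_KEY = (b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32)))
SAMPLE_SCAN = "mailhost.example ssh-ed25519 " + base64.b64encode(_FAKE_KEY).decode()


def fingerprint(key_blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key)) with '=' padding removed."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output):
    """Map key type -> fingerprint for every non-comment line of ssh-keyscan output."""
    fingerprints = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; ignore rather than crash the monitor
        _host, keytype, blob = parts[0], parts[1], parts[2]
        fingerprints[keytype] = fingerprint(blob)
    return fingerprints


def check_host_keys(pinned, scanned):
    """Compare pinned fingerprints against a fresh scan.

    Returns (colour, message). A changed key, a pinned key that is no longer offered,
    and a key type that was never pinned (a rebuilt sshd may add one) are all red:
    each is exactly the symptom Adam's post describes and wanted BB to catch.
    """
    problems = []
    for keytype, expected in pinned.items():
        got = scanned.get(keytype)
        if got is None:
            problems.append(f"{keytype}: pinned key no longer offered by host")
        elif got != expected:
            problems.append(f"{keytype}: HOST KEY CHANGED expected {expected} got {got}")
    for keytype in scanned:
        if keytype not in pinned:
            problems.append(f"{keytype}: host now offers an unpinned key type")
    if problems:
        return "red", "\n".join(problems)
    return "green", "all pinned host keys match"


def load_pinned(path):
    """Pinned file format (assumed): one 'keytype SHA256:...' pair per line."""
    pinned = {}
    with open(path) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2:
                pinned[parts[0]] = parts[1]
    return pinned


def scan_host(host, timeout=5):
    """Run ssh-keyscan (its -T timeout flag is real) and return its stdout."""
    proc = subprocess.run(["ssh-keyscan", "-T", str(timeout), host],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Usage: sshkey_check.py HOST PINNED_FILE  (pin with: ssh-keyscan HOST | this parser, once, by hand)
    host, pinned_file = sys.argv[1], sys.argv[2]
    colour, text = check_host_keys(load_pinned(pinned_file), parse_keyscan(scan_host(host)))
    print(colour)
    print(text)
    sys.exit(0 if colour == "green" else 1)
```

The pinned file must be written once from a scan you trust (ideally from the console of the host itself, not over the network), since pinning a key that has already been swapped defeats the point. In a Hobbit/BB extension script the printed colour and text would be wrapped in the usual `status HOST.sshkey COLOUR ...` message sent to the display server; that wrapping is left out here because the message format depends on the installation.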