Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."

Iceland? How hard could it be?

[cowbud]

Would one of the 320k icelanders please stand up and make it known who decided to do this. I mean come on this country is smaller than most cities people know. I bet they find out who dun it right quick.

Re:Iceland? How hard could it be?

[WWJohnBrowningDo]

Just because the server is in Iceland doesn't mean the perpetrator is.

In all likelihood the server is just another compromised machine.

Re:Iceland? How hard could it be?

[AK+Marc]

Check with Men and Mice, they are the only Icelandic company I know of that works with "security" and "Linux" in their company description.

Re:Iceland? How hard could it be?

[JWSmythe]

Yup. There are actually several reasonably priced hosting services in Iceland. I was shopping for international homes for some of my data, until I thought about it and none of my data is worth spending money to hide. :) Iceland was pretty high on the list though.

Re:Iceland? How hard could it be?

I am not him but let me look around for ya...........
Nope, I couldn't find him . Perhaps it was ólaugur, his eyes were kind of shifty

Re:Iceland? How hard could it be?

[Trepidity]

Maybe it wasn't a "who" but a "what".

Re:Iceland? How hard could it be?

[Runaway1956]

I don't think so. I suspect an extraterrestrial ship parked in a geothermal vent somewhere. They're out of sight, they get free energy, and they're close enough to a server to hack into it with their advanced computers. They've given up on those abductions and anal probes, now they're just hacking into the network to discover whatever might be on our minds.

Or, maybe it's occurred to them that we don't keep our brains next to our rectum?

Re:Iceland? How hard could it be?

Just because the server is in Iceland doesn't mean the perpetrator is.
 

True. The perp is no longer at Iceland but at the Embassy of Equador in London.

SSH Got Bjorked?

[Penguinshit]

Somebody had to say it.

Re: SSH Got Bjorked?

So who's distributing the binary?

Re:SSH Got Bjorked?

[ghmh]

And until now it was oh, so quiet!

Re: SSH Got Bjorked?

Warner Bros. Records.

Re:SSH Got Bjorked?

And if you complain once more, you'll meet an army of me.

Re:SSH Got Bjorked?

it's virus as tty

Re:SSH Got Bjorked?

That is pretty funny, even if one knows that it doesn't work due to the fact that it's pronounced "byerk."

Re:SSH Got Bjorked?

WTF is "Got Bjorked" I know who Bjork is but what does that mean. I don't pay any attention to the retarted Popular Social life of our unevolved aspects of humanity. Such as Gossip and such useless things.

Re:SSH Got Bjorked?

[drinkypoo]

This is completely normal human behaviour.

Re:SSH Got Bjorked?

[Penguinshit]

nice...

Re:SSH Got Bjorked?

[Penguinshit]

It's a play on "Borked" (hint "Robert Bork" - Google it) and the native country of the artist Bjork.

Re:SSH Got Bjorked?

[Penguinshit]

you're a djerk.

Re:SSH Got Bjorked?

[g0bshiTe]

I hope he's just having a piss. Otherwise someone needs to stop working with computers.

Re:SSH Got Bjorked?

Cold man that be cold

Re:SSH Got Bjorked?

[StarQuake64]

Yes, she feeds the passwords into her drummachine.

If it weren't for the mention of Iceland

[93+Escort+Wagon]

I'd think this was a story about Cisco gear from not that long ago.

Re:If it weren't for the mention of Iceland

[JWSmythe]

    I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

    Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why? I guess to compile on the machine to make sure it used the local libraries. They generally didn't have passwords hard coded though, they used SSH keys. The passwords they stole were usually stored locally in a file, and sent to somewhere in eastern Europe or Asia. I have no idea if that was by the script kiddie design or the person who rolled it up. It's a pretty slick trick though. You get the script kiddies to gather intel from compromised machines, and feed it back to you. Now you have access to every machine the script kiddies compromised.

    The funny part about most of the cleanups was, the version of SSH they put on was newer than the remotely exploitable version they got in with.

 

Re:If it weren't for the mention of Iceland

[pipatron]

I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

Someone got murdered about 10 years ago, so there's no point reporting about current murders.

Or what is your point exactly?

Re:If it weren't for the mention of Iceland

[maxwell+demon]

Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why?

Maybe it was an Open Source client, and they had to give you the source code to comply? :-)

Re:If it weren't for the mention of Iceland

[johnsie]

grumpy much?

Re:If it weren't for the mention of Iceland

I guess to compile on the machine to make sure it used the local libraries.

Better than some of the efforts I've seen. Like the time someone tried to install a 32bit rootkit comprised of a bunch of dynamically compiled replacements for things like 'ps'...on a 64bit machine that didn't have the IA32 libraries installed.

This was the same place where we ran a custom sshd anyway, so the one time someone got far enough to actually replace it with a backdoored version it was obvious within, ohhh, 3 seconds or so.

Re:If it weren't for the mention of Iceland

[JWSmythe]

I've seen that too. Mostly with fairly open hosting machines. Like, letting anyone sign up for free or low cost hosting. I saw a lot of them that were built for one platform (usually Redhat), where the libraries didn't quite line up with the running system.

At one place, I was collecting them. The script kiddie would put their SSH server on a high port. It worked great, except they couldn't get root with it, and they couldn't get to the daemon through the firewalls. It was rather entertaining.

I hated the free hosting servers. They were constantly trying to do bad things. They never succeeded, but I had to go prune those accounts on a regular basis. The worst were people trying to host anime porn on our servers, and link it from message boards in east Asia. I was tempted to block all access from east Asia, except we did have a lot of paying customers over there.

Re:If it weren't for the mention of Iceland

[grumpy_old_grandpa]

I know! Even I am not that grumpy. (but maybe his dog got murdered ten years ago)

Re:If it weren't for the mention of Iceland

[hazeii]

The point is, this story is about as new as "people die in cars".

Re:If it weren't for the mention of Iceland

[DirtyLiar]

+1 for complying with the GPL.

SSH daemon...

So being compromised is the first condition to get "infected"? I'd say it's a non-issue, although it's always better to be acknowledged.

Exfiltrate?

Please don't misuse silly words like exfiltrate because it sounds cool. You know, like saying it was cloud crowd sourced in the third inning of the ether space. It makes no sense in your context and your have blown all credibility in this story. You can replace "exfiltrate" (omg so cool) with "send" (omg..oh, so simple!).

Re:Exfiltrate?

Data exfiltration is a common phrase in computer security. Exfiltrate is the opposite of infiltrate, so it connotes a surreptitious and unauthorized removal from the host system. While saying send may be less silly in your eyes, it is also less precise.

Tip

[detritus.]

I cleaned up an a backdoored Debian system after discovering md5 sum mismatches on all the ssh binaries from the original packages some time ago.

debsums is a nice utility to check this for you, granted that the attackers didn't modify the signing keys and installed their own package.

Re:Tip

[MightyMartian]

So how is a compromised ssh binary getting on Debian?

Re:Tip

[UltraZelda64]

Simple: It snuck in the back door.

Re:Tip

[Nerdfest]

Poor passwords, other infected (non-repo) packages, exploits in services (like apache, etc) installed with too many permissions, etc.

Re:Tip

Same as always. The attacker gets in somehow (0day, outdated, bad passwords, etc) and then ensures he'll still be able to get in after the flaw he used is corrected (in this case, by replacing local binaries with his own). The infected ssh daemon was not on Debian's repositories (if the repositories are infected you're screwed), but on a user's server.

Re:Tip

[19thNervousBreakdown]

You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.

You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.

Re:Tip

[davester666]

If there is one thing I truly dislike, it's getting backdoored.

Re:Tip

[NotBorg]

Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.

Re:Tip

man debsums:

"debsums is intended primarily as a way of determining what installed
files have been locally modified by the administrator or damaged by
media errors and is of limited use as a security tool.

If you are looking for an integrity checker that can run from safe
media, do integrity checks on checksum databases and can be easily
configured to run periodically to warn the admin of changes see other
tools such as: aide, integrit, samhain, or tripwire."

Re:Tip

[DarwinSurvivor]

Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

Re:Tip

Must have come from a Windows machine, coz Linux is so secure... ;)

Re:Tip

I will ALWAYS find your rootkit. This is because you're trapped in a VM, and I can always checksum the files from another uncompromised system (LiveCD / USB).

"You gonna catch me on an extremely common distro like Debian without installing out-of-tree software?" WTF do you mean by this? Straw-men can't find your rootkit? People who aren't looking won't find something!? Well, OK, man. FYI, I periodically create a list of all files from within a system, then compare it to one without. DIFF and LS are fucking "in-the-tree" software. Do you even hack? Stop fronting you lamer.

Re:Tip

I will ALWAYS find your rootkit. This is because you're trapped in a VM

Hmm... I think I hacked both your hypervisor and bios yesterday, but please keep on assuming that you are safe. Much better that way.
Only trouble coming from people that are always suspicious.

VMWare sales staff are my best friends. Their brainwashing on the advantages of virtualized servers works great!

Re:Tip

[Ford+Prefect]

I will ALWAYS find your rootkit. This is because you're trapped in a VM, and I can always checksum the files from another uncompromised system (LiveCD / USB).

This is, of course, assuming that you yourself are not running on another compromised virtual machine.

(There was one hack I was involved in where an investigator tried to get clever and started calculating MD5 checksums with a universal Turing machine operated using pencil and paper. Fortunately, I'd already trojaned base logic itself and managed to subvert alphanumeric characters to return the 'correct' values. Hacking the logical representations of arabic numerals? Now that's pretty advanced stuff. But then, there's always the worry that my own consciousness is running on something other than what I think is my own brain...)

Re:Tip

[GameboyRMH]

Mostly weak passwords/lack of anti-brute-force, Apache vulnerabilities is probably the second most common. Nothing new.

Re:Tip

Pfft... I hacked your mom last night.

Re:Tip

[cheekyboy]

I can always have a real hardware PPC or MIPS based linux or even old Solaris machines used as 'screeners, scanners' to verify the VMs.

Oh and I could use 2 identical machines that do a complete scan and compare results.

Re:Tip

[shipofgold]

Same way any Windows box gets compromised...two most common:

-- A security flaw is found in the distro and the patches are not up-to-date.
-- Someone installs some other program as root which contains the trojan.

Linux is just as vulnerable as Windows to these attacks....

Re:Tip

[bill_mcgonigle]

Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

Security is a process. Running a scanner on a compromised system has no guarantee of finding out that the system is compromised. But 98% of the time it will work just fine - these systems are usually compromised by script kiddie tools that don't spend a great deal of effort to find the rootkit scanners.

I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems over shared storage (does it already exist?) but that's also only going to reduce your 98% to 98.5%. I suppose all you need to really do is to validate the integrity of the host system's scanner (or rpm or dpkg, etc.) but then again the remote system access method could also be compromised (today it's TLA stuff to compromise e.g. nfsd such that it will only return the wrong (but valid) md5sum and sha1sum and [randomhashsum] for only the scanners you might check for) but it's not likely.

Taking down every system on a frequent schedule for an offline scan would be a good idea but then again the BIOS could be compromised and you start to run into the collision of business needs and absolute security.

Re:Tip

[flyingfsck]

All the machines I cleaned up got hacked due to some wise guys who thought that using 4 letter passwords were kewl.

Re:Tip

[smpoole7]

Bootable CD or DVD with tools on it. Worth its weight in gold.

Re:Tip

[maxwell+demon]

Thank god that I use a five-digit password instead, that's so much more secure.
BTW, I use the same combination on my luggage.

Re:Tip

[maxwell+demon]

Pfft... I hacked your mom last night.

Too bad you left your fingerprints on the axe ...

Re:Tip

Agreed. It's a general pain in the ass and leaves a mess to clean up!

Re:Tip

[jcdr]

Yes, "out-of-tree" is the key.

I have experimented a very successful way to solve the problem: Internet connected servers using NFS root from an intranet NFS server. All the machines are using a standard distribution. The intranet NFS server handle the backup of all the internet servers using rsync. It's really easy and efficient as it's just moving data internally of the RAID array. It's easy to detect unexpected files change, to compare internet machines binaries with the intranet machine binaries, and to eventually recover them. The downside is that NFS is slow compared to HDD and SSD, but good caching practice should not depend on them anyway. The advantage is that managing all the machines is very easy and comfortable, that the internet server machines are extremely reliable without disks, and that I only have to care about a central RAID array.

Re:Tip

[jcdr]

I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems over shared storage (does it already exist?) but that's also only going to reduce your 98% to 98.5%. I suppose all you need to really do is to validate the integrity of the host system's scanner (or rpm or dpkg, etc.) but then again the remote system access method could also be compromised (today it's TLA stuff to compromise e.g. nfsd such that it will only return the wrong (but valid) md5sum and sha1sum and [randomhashsum] for only the scanners you might check for) but it's not likely.

Taking down every system on a frequent schedule for an offline scan would be a good idea but then again the BIOS could be compromised and you start to run into the collision of business needs and absolute security.

I use NFS root internet servers connected to a intranet NFS server. On the last I use rsync to do backup and detection of any files change. The only permanent memory on the internet servers machines are the BIOS, ok, but I have yet to see an exploit that hack the BIOS in a way to compromise a TFTP + NFS boot without any detectable trace from the NFS server point of view. If your concern really go into this level of paranoia, then you can simply hack the write protection signal of your BIOS memory chip (see the /WP in of the datasheet) and reboot the internet servers periodically.

Re:Tip

[gweihir]

Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.

Unlike the MS world where typically some software maker (and often MS itself) has screwed up, Linux tends to be rooted because some administrator or user got careless. That is not very interesting and the details do not matter.

Re:Tip

Do you even lift bro?

Iceland needs the help

I always post my passwords at linuxrepository.org with our without a trojaned sshd

Effective

I myself have set up modified versions of the sshd dameon/ssh client on various rooted machines in the past (mine was simply allowing root login without logging anything with a hardcoded password + writing logins/hosts/passwords, after encryption, deep inside a fake shared library on the system - this took less than an hour to implement in the openssh source).

In all cases, despite the extreme simplicity of this mechanism, it was very, very easy to then gain access to a lot of other boxes on the network, and eventually to all the network itself. Just wait for the clueless sysadmin to log in (dumping his pass), then wait for him to use ssh to log in to another box in the network (dumping his pass as well). Then install the modified version of the daemon/client on to this new box. Rince, repeat.

It is in a way terrifying to see how most sysadmins are clueless. So, IMHO, a few measures that should be compulsory on any network:

- Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.
- Never, ever, log in to a server in your network from another server in the same network. Use port redirection, then log in from your initial box.
- Always use a dedicated server for system logs (syslog handles that very easily - sending logs over the network). That way, the logs of the initial system compromise will not be deletable. Do not ever log in remotely to this dedicated machine.
- After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).
- ...there are also other ways to implement an effective kernelspace rootkit, like VFS hijacking, so make sure you disable modules loading in the kernel before compiling (and check the hash of the kernel image itself regularly as well).

Those are the main sane measures that come to mind (this is all based on real life experience intruding into large companies/laboratories/university systems, without ever having been detected). Posting anonymously for obvious reasons.

Re:Effective

[Gaygirlie]

- Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.

I'm sure there are plenty of other such systems, but Tripwire ( http://www.tripwire.org/ ) is one of the more popular tools to keep a check on your system and warn you immediately if it detects tampering attempts.

- After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).

AFAIK Tripwire handles this, too.

Re:Effective

It does. It is the first thing that came to my mind. A problem I have with it is there really is no outstanding tripwirealike for Windows so I wrote my own simplified version. Such a simple thing as checking the hash of important files does wonders for security. It even detects data corruption.

Re:Effective

[DarwinSurvivor]

Also, don't use passwords for ssh.

Re:Effective

anon, can you descibe the port redirections are you talking about? I think what you mean is you have a laptop on the internet in a cafe, and it connects to your router then it port forwards to another server inside your home network. from server 1 you ssh to server 2? If thats the case you are suggesting that you jusy portforward to one node and then do something with the ports on that node?? of course i always use password and key and i change the password often.

Re:Effective

I wonder if this is how Leviticus was written. A list of proscriptions for practices identified to prevent certain problems... religiously followed until the end of time.

Re:Effective

[TheGratefulNet]

old school: send remote syslog to a printer. real paper printer.

can't rm -rf paper; at least not remotely.

Define "wild"

[dalmor]

The article says "...discovered on compromised servers."

If they are not distro(i.e. ubuntu, redhat,centos, etc.) servers, or openssh servers, this is a non-story. I can create a random domain, compile a version of openssh to sends passwords to me and host it on my server as an official ssh binary.

If I install stock wordpress with access to the file, would that then count a compromised?

XOR Conspiracy

[RedHackTea]

It seems odd to me that a recent /. article (read link in summary) also mentioned XOR style code that could identify the SQL Slammer perpetrator. It could just be coincidence... but the same guy that made this tojanized version of SSH could also be the same guy that made SQL Slammer. Both have an infatuation for XOR. Both Trojan and Slammer are sexual terms. SSH, SQL, and XOR are 3 letter-abbreviations. Conspiracy! 3^3^3=3! And it is the year 2013! OMGZ! Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh! This was also posted by timothy. Arrest TIM O THY!

Re:XOR Conspiracy

[Raenex]

That's funny, but for those that don't know: XOR is a well-known, poor man's encryption/obfuscation trick.

Re:XOR Conspiracy

XOR is part of practically all cryptographic systems, because it's how the clear-text and the key material are combined to form the cypher-text. XOR is the only mathematical operation in the only provably unbreakable encryption, the one-time-pad.

Re:XOR Conspiracy

ADD, SUB (the way they are normally implemented in hardware) also work with one time pads. XOR is simpler.

Re:XOR Conspiracy

Exactly. XOR is a special case of modular arithmetic. XOR(A,B) is equivilent to MOD(ADD(A,B),2)

Is this for real or just buzzword pizza?

[dbIII]

Do not allow write access to any essential binaries

This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.
Putting them on read only media sounds like a cool idea but is difficult to implement for anything other than the short term and can be circumvented if somebody roots your box anyway. There's the script kiddie toy of changing file attributes (and thus announcing to people that they've been rooted) which this AC may think is some sort of real security measure if sysadmins use it, but that's merely annoying to anyone that has root and isn't going to slow down even a newbie with access to google.

Re:Is this for real or just buzzword pizza?

On *BSD you can go beyond permissions and set flags on the files that disallow changing them. The flag can only be removed under a lower security level. You can only increase security levels while the box is running. To remove the locks (on files including kernel) you need to reboot to single user dropping the external network connection you try to break in with.

Re:Is this for real or just buzzword pizza?

[dbIII]

So? You have root, write a script to change those flags, have it run on startup in single user mode, and reboot in the middle of the night to single user mode so nobody notices. Of course your script could then change the box back to the right runlevel when it's finished and let you back in.
Once somebody has root (or full physical access and a screwdriver) they own the box, and about all you can do is make sure they can't easily get into other ones.

Re:Is this for real or just buzzword pizza?

[segedunum]

This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.

Quite right. Binaries are already write protected from users but if you're root you can do anything.

Re:Is this for real or just buzzword pizza?

[Junta]

It might be reasonable to map most system binaries to an nfs share where root is mapped to nobody...

Re:Is this for real or just buzzword pizza?

[smash]

So? You have root, write a script to change those flags,

Except you can't. The securelevel feature in FreeBSD (maybe others) disables the ability to write to files with the immutable bit set. The only way to write to these files is to reboot the box into single user mode, before the kernel securelevel is raised. Single user mode = no network running.

Setting securelevel is a one way thing, once it has been raised, you can not lower the securelevel.

Re:Is this for real or just buzzword pizza?

Maybe you should read past the first 11 words.

Re:Is this for real or just buzzword pizza?

[dbIII]

Now that's something more sensible than read-only media that's only going to have a short lifetime before you have to change things on it. Of course locking root out from changing the mount point is going to be a challenge in both cases.

Re:Is this for real or just buzzword pizza?

[jcdr]

Simply use NFS root for the internet server. It's reliable, easy to backup, and fun to manage.

Re:Is this for real or just buzzword pizza?

ahh yes... good ol' securelevel. did you know Darwin (as in OS X) respects it as well? not that it's well-behaved, but it does have... effects.

protip: just because the BSD API will not allow you to change a certain memory address doesn't mean those are the only APIs that can do so.

Re:Is this for real or just buzzword pizza?

[smash]

Maybe you should get the concept of immutable flags on configuration files.

Breaking and decorating

[OwenT]

Apparently it's quite common for attackers to actually patch the security holes they used to get in, once they've installed their backdoors. Don't want someone else getting in the same way, after all...

Bad advice because ...

[dbIII]

Personally I think a password is a very good idea if combined with a key. If a laptop gets stolen the thief can log in directly with the stolen key saved on the laptop. If they have to work out a password as well they only get what is on the laptop.

Re:Bad advice because ...

[Opportunist]

Security is usually one of three things: Something you know (password), something you have (key, token) or something you are (biometry). Alone, none of them is really a big security obstacle, at the very least you should combine two of them. If you're paranoid, require all three.

Using two of the same class is patently useless, as practice has shown. If one password can be sniffed, so can two and more. And people tend to store their keys and dongles and other work related gadgets in similar places (if you get their keys, you usually also get their ID dongles), so if one is gone, usually they are all gone. And I guess I needn't explain why fingerprinting and retina scans aren't really a sensible combo either (aside from the cost).

And preferably request them through two separate and independent channels. It's amazing how rarely this rather essential minimum of security is enforced.

Re:Bad advice because ...

You're talking about different things.

You're talking about encrypting your private key with a password. Everyone agrees that's a good idea.

The only legitimate exception is automated scripts, and in that case, you'll want to add 'command=...' to your authorized keys file to restrict what it can be used for to limit the damage if it gets stolen.

The parent is talking about logging in with password authentication, rather than public key authentication. The only protection offered here is the encrypted tunnel. The SSH daemon running on the server gets to see your plaintext password, which is kind of a bad thing if it was put there by an attacker.

Re:Bad advice because ...

[dbIII]

You're talking about different things

No - the above poster wrote "don't use passwords". Taken at face value that sounds like recommending not to encrypt your private key with a password - because that would mean "using a password" - thus bad advice.

The parent is talking about logging in with password authentication, rather than public key authentication.

No - that is called reading between the lines, adding something that is not there and making an assumption that somebody that doesn't know better will not make - thus it doesn't change that the post above is bad advice.

Re:Bad advice because ...

[segedunum]

That's what SSH key phrases are for.

Re:Bad advice because ...

[segedunum]

No - the above poster wrote "don't use passwords". Taken at face value that sounds like recommending not to encrypt your private key with a password - because that would mean "using a password" - thus bad advice.

No, it doesn't. Everyone with half a brain regarding SSH should know what 'not using passwords' with SSH means - and it doesn't mean *not* using a pass 'phrase' for your SSH key. He never said that. I'm afraid your splitting hairs here to have something to say.

No - that is called reading between the lines, adding something that is not there and making an assumption that somebody that doesn't know better will not make - thus it doesn't change that the post above is bad advice.

No. You have totally misunderstood the post, and please don't tie yourself in knots like that. It was very clear what he wrote and you were the one who added in 'I think a password is a very good idea if combined with a key'. It's also not called a 'password' but a 'passphrase'. It is not his fault that you or others don't know what he's talking about.

Re:Bad advice because ...

[quannah]

No, the poster wrote "don't use passwords for ssh", not "don't use passwords [in general]" nor "don't use passwords for your private keys".

that is called reading between the lines

No, it's called adhering to Gricean maximes, which you are apparently not doing.

Re:Bad advice because ...

[smash]

Passphrases on SSH keys are not the same as SSH passwords. They don't go over the wire.

Re:Bad advice because ...

[DarwinSurvivor]

As others have suggested, I will confirm. Do not use username/password as the authentication method for your ssh server. If you want 2-factor encrypt the private keys or go hardcore with PAM and have them enter one-time codes from a pad or separate comm channel (sms, etc) after the key is verified.

Re:Bad advice because ...

[dbIII]

The private keys can be considered part of ssh, so at face value it does come out as "don't use passwords for your private keys" - thus very bad advice. I don't know why you are trying to complicate this.

Re:Bad advice because ...

[dbIII]

Just put a password/passphrase on the key as designed and it all works as intended for general use.
Single factor authentication with a stealable key can be even worse than single factor authentication with a password in some cases.

Re:Bad advice because ...

[dbIII]

To a non-sysadmin what they see during the ssh login process is a request for a password even when it is really the key phrase for the key. They'll take that "don't use a password" advice above as logging in with keys that have no passphrase.
What I wrote above should be obvious but I seem to have attracted five people that have decided I'm a pedant so want to get pedantic about me using "password" to make the my post easier to read.

Re:Bad advice because ...

[dbIII]

Please read his second post. He's describing single factor authentication using a key alone instead of single factor authentication using a password alone. That's why I called it bad advice and gave an example to demonstrate why the first can be just as bad an idea as the second.

Re:Bad advice because ...

[DarwinSurvivor]

Um, that's exactly what I just said...

Re:Bad advice because ...

[Antique+Geekmeister]

There is no way to enforce this, except to scan people's home directories for unsecured keys. It's also awkward if they are using "ssh-agent" or other passprase unlocking tools on a shared host, such as a server where I have administrative access or when someone has set up software to use passphrase-free keys as part of a regularly scheduled task, such as a backup system for databases. I've used these approaches to borrow other user's SSH keys when needed, not always with their advance knowledge. (I always let them know I borrowed their keys, and tried to help guide them to practices that would protect their keys.)

Re:Bad advice because ...

[dbIII]

There is no way to enforce this, except to scan people's home directories for unsecured keys

And it doesn't help when we get so many people writing "don't use passwords" - so they take that advice to mean not securing their keys :(

Gather passwords with ssh? Hah!

[Omnifarious]

I never use passwords with ssh. If ssh asks me for a password, I know something is wrong. I made this policy decision because of the endless attempts to log into my machine from all over the world. It was either something like a yubikey, or only using public key authentication. I went for the public key authentication.

Re:Gather passwords with ssh? Hah!

[maxwell+demon]

So you don't password-protect your private key?

Re:Gather passwords with ssh? Hah!

[segedunum]

That would be using a pass phrase, not a password. ;-)

Re:Gather passwords with ssh? Hah!

[segedunum]

.....and since when does a server ask you for your SSH key phrase?

Re:Gather passwords with ssh? Hah!

[maxwell+demon]

Who said that it has to be the server which asks for it?

Re:Gather passwords with ssh? Hah!

[Omnifarious]

Depends on my informal feeling about the 'risk level' of the machine. Some of them I do, but I also generally use an agent and don't type my key in unless I've explicitly run the program to load the key into the agent. In order to trojan that process, they have to break into my system. And if they succeed at that, I have far, far more to worry about than the compromised ssh keys.

Re:Gather passwords with ssh? Hah!

[segedunum]

Because what you wrote has nothing to do with not using passwords with SSH.

Re:Gather passwords with ssh? Hah!

Those are not called "passwords" for precisely this reason. They are called "passphrases", to refer to their use witth SSH keys.

It's possible to require both an SSH key and a password: The "NX" software does something like this, requiring an authorized private key for hte NX service, then passing through the login request through that service to the local user login services. It's also possible to manipulate SSH configurations to require SSH keys for individual users, such as "root", or for all users.

Sadly, the tools in OpenSSH for managing such access control and for managing the public keys are quite poor: they're basically left to the cleverness of the local user or the local systems administrator. The "rssh" tool can be helpful for managing some such uses, but rssh iitself is also easy to misconfigure.

At least one guy is angry...

[metamarmoset]

Obligatory.

Compromised system

[phorm]

Except how will you know it's compromised unless you're scanning from a clean system/media?
You *could* have another machine pop in and compare md5's or whatever, but that assumes that "md5sum" and a bunch of others machine being tested isn't compromised.
You *could* also run the SSH'able machine inside a VM and check from the VM host, but the host could still be compromised or other issues.

Another option is to routinely check by booting from secure media, but that involves downtime.

Investigating a compromised system is one thing. I believe the GP was more about discovering that the system is compromised in the first place.

Re:Compromised system

[smash]

You do network inspection and verify what the machine is doing over the wire matches what it SHOULD be doing over the wire.

Re:Compromised system

[smash]

To clarify - you should be continually monitoring all your machines for unusual traffic. By unusual, i mean for example any traffic from a port that shouldn't be open. This is a good example of why it is safer to be fucking paranoid with your firewall rules on your edge, and do egress filtering as well as ingress - and be very specific with regards to what you open up and the source/destination as well as what ports you allow. If some daemon is running on a port that it shouldn't be running on, or connections are hitting your machine from unusual sources, you should be getting alarm bells going off.

Re:Compromised system

[detritus.]

Investigating a compromised system is one thing. I believe the GP was more about discovering that the system is compromised in the first place.

Precisely -- the system was immediately shut down, contents imaged and further investigation was done outside of that environment. I simply lucked out. This individual was sloppy and I found the rootkit later.

Re:Compromised system

[phorm]

And who exactly does this? Do you have any idea of the horsepower and work that would be needed to inspect a few hundred machines traffic (and not have false-positives up the ying-yang?)

fail2ban

fail2ban solves the remote login attempts.

Re:fail2ban

[robsku]

I use denyhosts - fail2ban is good too, the basic idea is the same.

Re:fail2ban

[causality]

I use denyhosts - fail2ban is good too, the basic idea is the same.

I use SSHGuard here. I'd rather block all IP traffic from them entirely.

Re:fail2ban

[robsku]

Denyhosts can be set to block all, not just ssh, if wanted. I decided not to because some might have ISP NAT and that would block many people from my webserver... Maybe unlikely though, and leaving them an option to find an exploit in apache or wordpress might not be that good idea...

Re:fail2ban

[causality]

Denyhosts can be set to block all, not just ssh, if wanted. I decided not to because some might have ISP NAT and that would block many people from my webserver... Maybe unlikely though, and leaving them an option to find an exploit in apache or wordpress might not be that good idea...

Sorry it took a while to get back to you.

My point is I would rather have all traffic from an offending IP address be DROPped at the kernel by an iptables rule, than have the machine continue to receive packets only to have connections rejected by TCP Wrappers and the hosts.deny file.

Of course with TCP Wrappers you do have more fine-grained control. You can, as in your example, decide to block one service and not another. In my own use-case there is no scenario where I would want to deny SSH access to an attacker while still wanting them to have access to something else. For me, the more secure option of just having iptables DROP all packets from the offending host is a feature. Then I'm not accepting non-TCP packets from them, and like in your example they can't look for some unblocked service to screw with. The IPs around the world that want to hammer my little server and fill up its logfiles with failed login attempts (usually dumb shit like Username: root Password: root) have no redeeming value to me.

My own server is small-scale so ISP NAT concerns also don't apply to me. If I were running a commercial site with many potential customers, then I would have to think about that. Still, I really consider that the problem of the ISP in question, something they should have thought of when adopting that approach. Perhaps their customers should demand cheaper rates compared to ISPs that more freely assign unique IP addresses to offset this risk. Or maybe their customers don't care. Either way, my primary responsibility is to secure my own systems so they don't become spam-spewing zombie platforms used to attack others; compared with that, I can't be concerned with things beyond my control such as how certain ISPs do business.

Re:fail2ban

[robsku]

...yeah, I totally hear what you're saying...

Gotta hand it to you for really putting in the effort to explain all this :) Many would have done with a small percentage of words - and would have written a much more boring reply at that >:) So congrats.

Re:I use Gentoo

[miknix]

I only install from sources you insensitive clod!

Re:I use Gentoo

[cheekyboy]

Or you could source two binaries from two diff repo servers in two diff countries, and only accept the install if they both are identical.

they should have installed a java version of ssh

[cheekyboy]

If they installed a java version of SSH, it would be ultra secure, but you need 750meg of ram for each ssh session.

Go Oracle, Larry is elite.

Duh, run md5sum from external machine

[cheekyboy]

Man, you would run md5sum on the actual compromised box??

Why not do it from a ISO booted linux, and nfs share the whole box , so you can sum it from the outside.

What you really need is all binaryies libs running of a partition that is read only. Kind of like android.

Re:Duh, run md5sum from external machine

[maxwell+demon]

Man, you would run md5sum on the actual compromised box??

I would use my own checksumming binary (using its own, statically linked copy of the hash algorithm), with a name not revealing its purpose. Still not 100% protection, but only targeted attacks from someone with insider knowledge or possibly someone who did a very thorough analysis of the systems could defeat that one.

Why not do it from a ISO booted linux, and nfs share the whole box , so you can sum it from the outside.

The nfs could be hacked to give the original binaries to your outside server.

Re:Duh, run md5sum from external machine

[detritus.]

I got lucky, and I know the inherent risks of doing such.

Re:Duh, run md5sum from external machine

[jcdr]

The nfs could be hacked to give the original binaries to your outside server.

Absolutely impossible because the hacked file will have his checksum changed from the NFS server point of view. As long as the NFS server is not compromised, this is very safe. I personally use NFS root internet servers since more than 12 years now and I can say that's a very efficient way to detect and recover from external attacks. In addition, it very reliable, comfortable to manage, and easy to backup.

Re:Duh, run md5sum from external machine

[maxwell+demon]

If you hacked the box, you can certainly also modify the NFS server running on that box.

Re:Duh, run md5sum from external machine

[jcdr]

If you hacked the box, you can certainly also modify the NFS server running on that box.

The NFS server is NOT the same box as the internet server that use NFS root as a client. Here is a simple schema:

RAID array NFS server box Firewall Internet server boxes (NFS root client) Firewall Internet

To archive a permanent modification of one of the internet server box, a file must be modified on the NFS root mounted filesystem. This modification is very easy to detect from the NFS server point of view. I personally use a simple script that parse the rsync log while it backup the internet servers root directories. This setup is very safe as long as the NFS server is not compromised witch require way more advanced hacking if you use a strong firewall between the boxes.

Using NFS root on the internet server make intervention easy: in case of a doubt, just halt the involved internet server. Then you can safely inspect his filesystem root directory on the NFS server, and eventually restore some files before rebooting the internet server. This is very comfortable to do. I add to this that the internet servers are very reliable because there don't have disks on it.

Someone pointed out that the internet server BIOS can still be permanently hacked. If you worry about that, then you can fix the "write protection" signal of the BIOS memory on the motherboard.

Re:Duh, run md5sum from external machine

[jcdr]

Arrg! Missed to see that the formatting removed chars on the graph. Below is a correct one:

RAID array ==== NFS server box ==== Firewall ==== Internet server boxes (NFS root client) ==== Firewall ==== Internet

Re:Duh, run md5sum from external machine

[maxwell+demon]

OK, so it's a language issue. "nfs share the whole box" to me implies that the box contains the files and shares them (with the checking machine) via nfs. Your setup I would describe as "store the files on external nfs".

use a PPC mac.

[cheekyboy]

No hacker can find the binaries to a PPC mac os 10.5

Duh, you can boot OSX from a DVD, if you are really that paranoid.

Re:I use Gentoo

woooosh!

Re:Giggle

[EzInKy]

They have thousand of eyes looking at the source and working on ways to improve things. What are the Window's folks doing?

Which Distro?

[Lawrence_Bird]

I may have missed it but was this a binary package for a specific distro (on their own servers) or a binary on an untrusted server not attached to any specific distro?

Re:I use Gentoo

[smash]

Unless you're auditing said sources, you're no better off than installing binaries.

Re:I use Gentoo

[smash]

Because the source server that feeds both could NEVER be compromised.

Re:I use Gentoo

[miknix]

Unless you're auditing said sources, you're no better off than installing binaries.

You know that Gentoo checks the SHA256 SHA512 and WHIRLPOOL digests of the downloaded sources before compiling right? You also know that the digests stored in Gentoo's repository are signed using a PGP key of the package maintainer, right?

So can you please explain me again why I need to audit such sources? Sure sources can be compromised at upstream's servers and Gentoo maintainers can also make mistakes but this is not what TFA is about.

Re:Giggle

[smash]

You'd like to think so, but when things like this happen, you can see that having thousands of unqualified people looking at code and sometimes modifying it is not really any benefit to security at all.

That's why SSH - most compromised by the trojan

[raymorris]

That's why ssh is trojaned - it's how they got in. Once they get into one box some other way, the trojan gets them into every box a user connects to via ssh. So it spreads like a virus. At some point, an admin with access to a lot of machines, like a hosting company admin, uses ssh to rsync / scp to their main machine. Then the bad guys get access to every machine hosted there.

Re:they should have installed a java version of ss

[g0bshiTe]

Yes cause we all know how secure and well coded java apps are.

Re:I use Gentoo

If binaries are signed the same way, then there is no security advantage in compiling from source.

How?

All the machines I cleaned up got hacked due to some wise guys who thought that using 4 letter passwords were kewl.

Machines? Multiple?

My real question is; how was it determined that they were compromised and what made you look for the compromise in the first place?

You Failed It.

That's all well and good, if your attackers are lazy. But with the advent of SSL VPNs and call-out or reverse connection technology like GoToMyPC, all you see on the wire is an HTTP or HTTPS session. Nothing suspicious, except that it's a tunnel into your network from Latvia.

I think the days of just looking for an IRC connection or non-standard port are gone.

Re:You Failed It.

[smash]

If your machine isn't supposed to be doing http or https, then this is a warning sign. And yes, running firewalls internally is required in case one of your machines inside is compromised.

Re:You Failed It.

Sure, if it shouldn't then there must be something up. But, my point was that with so many services and applications today using HTTP and HTTPS, specifically for ease of use through firewalls, it has become perfectly normal for nearly all systems, including embedded, to have this type of traffic. Check for updates, download updates, phone home apps, cloudy web services...

When I look at a Linux server's traffic and see HTTPS and SSH traffic, that is not a red flag for me. Though it certainly could be illegitimate traffic, chances are high that it is perfectly normal and legitimate traffic.

Re:You Failed It.

[DarwinSurvivor]

HTTP/HTTPS sessions will have a limited lifetime (the exception being some HORRIBLE streaming technologies you shouldn't be using anyways) and SSH should only have incoming connections from KNOWN sources with very few exceptions. If you can't block a "hacker" (read: script kiddy) using GoToMyPC, you need to find another profession.

Re:they should have installed a java version of ss

[JWSmythe]

Aw, I don't know why you were modded troll. That's funny. :)

And only ultra secure because it would work for a few days, and then hang, refusing all access. :)

Quick Question.

Hands up for everyone that has a prerooted md5sum of their /bin and /sbin directory files for everyone of their machines. How about for just supercritical machines? How about for all files and dirs?

I'll wager that 0.001% have any such listing. I've yet to see anyone even claim to have such a listing. So, I'm regarding all this expert talk in this thread as 100% BS.

Re:I use Gentoo

How is trusting the signature on source files different from trusting signed binaries?

All binaries in Debian are cryptographically signed, and the package manager will not install a package that doesn't match the correct signature unless you override the checks.

You can audit your system at any time with debsums to find any binaries and config files that differ from the official versions.

I think the level of trust is pretty close to the same, so unless you are auditing the sources, you are in pretty much the same position as trusting the hashes in binary packages. You could be worse off if it is your compiler that has been trojaned ;)

Re:I use Gentoo

[miknix]

Everyone replying here seems to be obsessed in comparing binary vs source and totally miss the point. The point is that
Gentoo users do not have the habit of installing binary packages at all, for that reason this trojanized sshd BINARY does not concern us.
Wooooooosh!

it is revolution in information security:

[bilbobugginz]

if you have your servers compromised, the data on them, and login attempt into them may be keylogged, WOW! Is this the level of articles we want on slashdot ?

Re:I use Gentoo

You are completely missing the point. The point is that there is no difference between running untrusted binaries and compiling and running from untrusted source.
Since Debian (and most other distributions) check the digests of binaries this trojan doesn't concern us. Gentoo doesn't really have a special position in this case.
Wooooooosh!

Still bad advice because ...

[dbIII]

and it doesn't mean *not* using a pass 'phrase' for your SSH key. He never said that. I'm afraid your splitting hairs here to have something to say.

I'm not splitting hairs because ssh login with a key and no pass phrase is a frequent shortcut.

It is not his fault that you or others don't know what he's talking about.

You don't know what he's talking about either - you are just adding things you think should be there but are not.. I'm making a comment on something that should be there if it's going to be good advice but is not, even if it was intended - neither of us know do we?

You are missing the point. Install doesn't matter

[raymorris]

The trojaned ssh isn't the one installed from the repo, it's installed later by the bad guy, so it doesn't matter how you installed . Again, the trojaned ssh isn't the one you installed. The ONLY difference between source vs. binary packages in this case is that people who installed binaries could be alerted that the hash of the existing file doesn't match the correct binary. So binary installs are SAFER as far as this trojan.

How does the bad guy get the trojan on your system, if not from the repo, you ask? He gets access when someone else who is infected logs into your machine - your sysadmin, your hosting company, a vendor, etc.

Knowing someone who is infected is the condition

[raymorris]

The bad guys only had to compromise one machine, then the trojan spreads. Say for example my co-worker Jeff has him home machine infected. He uses ssh to connect from home to his office. The bad guys now haveaccess to infect his office machine. Jeff is a sysadmin at the office, so from his office desktop he logs into various servers. That spreads the infection to the servers. I then use scp (ssh file copy) to pull some files on to a server from my work desktop. Now my desktop is infected. Later, I ssh from work to my home office. Now my home office is infected.

For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.

Re:You are missing the point. Install doesn't matt

[miknix]

How does the bad guy get the trojan on your system, if not from the repo, you ask? He gets access when someone else who is infected logs into your machine - your sysadmin, your hosting company, a vendor, etc.

Dude, this does not make any sense at all!
If person X logs into my machine (which is not infected) and that X is infected with the trojanized daemon. Then the attacker will not be able to find out the X's account password in my machine because the connection was made to my uninfected daemon and not to X's infected daemon. Get it?

Re:Knowing someone who is infected is the conditio

[Etrahkad]

For this reason, we have a rule. Always ssh FROM the more trusted machine TO the less trusted one, never the other way around. For scp and rsync, that means always PUSH files to a client's machine or any server on the public internet, never PULL to a less trusted machine from a more trusted one.

How would that work? Honestly I don't know so don't troll me ;P. How would I connect to my local ssh server from a work resource (that uses rsa key concatination), from my house?

Re:Knowing someone who is infected is the conditio

[lindi]

It would be nice if ssh could enforce this and refuse to connect if you try to break the policy.

Re:I use Gentoo

[smash]

Yeah, and other operating systems do hashes for their binaries, too.

Re:I use Gentoo

[smash]

Also, even compiling from trusted source is no good if your compiler is compromised.

Re:I use Gentoo

[DirtyLiar]

You know that Gentoo checks the SHA256 SHA512 and WHIRLPOOL digests of the downloaded sources before compiling right? You also know that the digests stored in Gentoo's repository are signed using a PGP key of the package maintainer, right?

Yes, but if you are hosting the sources, you also control whatever checksum also appears on your website.

Besides, hosting precompiled Windows binaries is a great way to trick lazy admins. First, a lot of open-source hosts / projects do not provide easy access to Windows binaries, and many admins don't have compilers (they don't program and so consider compiling out of their job description), and finally since there really is no automated way to check the checksums they avoid doing it. (Though automating checking MD5's etc. would obviate using them in the first place) So it's just easier to trust a host with their binaries.

Of course all this could be avoided by using only trusted sources. But I said they were lazy, not smart.

Re:You are missing the point. Install doesn't matt

[DirtyLiar]

He's saying the guy uses some zero-day exploit to penitrate your system, then installs the trojan as admin, edits the logs, and disappears from your system. Vala! Infectecado!

Hopefully your AV will catch it in a few days as the exploit is discovered elseware on the net. Though it could take longer if he is only installing them by hand.

Re:You are missing the point. Install doesn't matt

[zap42hod]

Get it?

No.
If you replace the daemon binary then wouldn't it make sense to replace a few client binaries as well? :)