#1
Old 16-Feb-2007, 05:30
treefellas

I have just noticed this post on another Suse forum.

http://www.suseforums.net/index.php?showtopic=31358

There is probably no need to panic but just make sure that the usual good housekeeping is performed with strong passwords, active firewalls etc.
In addition do ensure that a rootkit hunter such as rkhunter is installed. It comes with the 10.2 OS but it is not enabled.
For those using another OS or who require further information please visit:

www.rootkit.nl
#2
Old 16-Feb-2007, 05:49
oldcpu

Quote:
I have just noticed this post on another Suse forum.
http://www.suseforums.net/index.php?showtopic=31358
There is probably no need to panic but just make sure that the usual good housekeeping is performed with strong passwords, active firewalls etc. In addition do ensure that a rootkit hunter such as rkhunter is installed. It comes with the 10.2 OS but it is not enabled. For those using another OS or who require further information please visit: www.rootkit.nl
Thanks for posting a link to that thread here. Normally we don't post links between forums, but in cases like this, I think it is a good idea. ... In fact, I took a keen interest in that thread (on our "sister" forum) from the start of the initial post. A lot of the information I posted there, I originally obtained from contributions/help from various members in threads on our own forum.

I find it useful/helpful to share information, such as this, between forums.

As for rkhunter, I played with it briefly, installed it some time back, but I don't use it on a regular basis. (maybe I should). I guess I find prevention (of a hack) is the best course of action, where possible.

IMHO, some of the lessons to be learned are:
a. do not use a root password that is easily hackable (i.e. don't use "god", nor "admin" nor "root1", nor "suse" nor passwords like that), and
b. do not select the SSH port open option (to open port 22 on the firewall) when first installing, but rather open the port later, after one has edited the appropriate ssh files on their PC, to block such hacks, and
c. consider firewall port mapping to reduce the risk of hacking.
#3
Old 16-Feb-2007, 06:51
treefellas

oldcpu,
I very much appreciate your input on this and a vast number of other topics. You are a legend in your own lunchtime!
My main reason for putting this post under "General Questions" was that it would probably be seen by a greater number of people and hence help to minimise any potential security risk.

In my experience security is on a par with accountants, necessary but rather dull. Yes, I do apologise in advance to all those SuSE fans on this forum who happen to be accountants and who are very exciting people with a well-developed sense of humour!
I am afraid that the Monty Python sketch is too firmly embedded in my brain for me to alter my heinous views.

The Security Focus article you recommended made for very interesting reading.

http://www.securityfocus.com/infocus/1876

Would it not be possible to put a link to this post from "General Questions"? It's just a thought, to gain maximum exposure.
Best wishes.

#4
Old 16-Feb-2007, 07:59
broch

For a long time I was against setting up default ssh in suse. I asked the devs and was told that the firewall will protect the system. Never mind that unconfigured ssh (default) is useless and leaving root access enabled is extra dangerous (up to 10.1; I don't know what the status of ssh is on a default installation of 10.2). Particularly since a known "practice" of new users is to disable the suse firewall because of connectivity problems (the most popular reason is samba).
I hope that this unfortunate accident will force suse devs to change their attitude, so that not only ssh but also all the rest of the useless (unconfigured) services will be closed on all new suse installations by default.

There is no reason to have any service running by default on a fresh install. It is very, very wrong that during installation selecting "disable ssh" does absolutely nothing (and ssh is happily running). In fact this increases the danger, as someone inexperienced will assume that ssh is turned off.
#5
Old 16-Feb-2007, 08:35
oldcpu

Quote:
It is very, very wrong that during installation selecting "disable ssh" does absolutely nothing (and ssh is happily running). In fact this increases danger as someone inexperienced will assume that ssh is turned off.
I believe SSH port #22 is closed by default during the install. I share your view about the openssh security weakness, and I am developing the view that the risk is magnified by it being possible to open port #22 (and install openssh) as a menu item during the install.

I do not think this installation option (to open port#22) should be provided during install. IMHO users should be forced to reconfigure this AFTER the install. This risky port#22 option means port-22 can be set to be open, during the many minutes (possibly more than an hour) as the user updates their SuSE to the latest downloadable applications from Novell/SuSE. It also means, while they are waiting for other activities to complete, they are not fixing their ssh config files to prevent root access, and during that installation time frame (while actively on the internet) their PC is vulnerable.

I think the default ssh config file in SuSE, should by default block root access.

Now one could make the case that the fault is still the users, due to a very weak root password selection, but I still think that one should do more than just rely on a password.
#6
Old 16-Feb-2007, 08:50
broch

Well, in 10.1 even though I selected "disable ssh", after reboot and login to the desktop ssh was still running. For testing purposes I re-installed 10.1; on the screen with the ssh option (default disabled) this time I first enabled ssh and then disabled it again, simply to run the script again. It did not help. tcp 22 was still open and the run level editor was showing that ssh is running.

Quote:
Now one could make the case that the fault is still the users, due to a very weak root password selection, but I still think that one should do more than just rely on a password.
This would be a wrong argument: look at the BSDs, where by default all is closed (or you have the choice to configure during installation). Besides, one does not have any option to configure ssh on suse during installation; ssh is simply wide open.
It really does not matter if the system will be used as a server or not. Unless configured, any service running poses a danger. Suse by default happily runs ssh, postfix, zeroconf, nfs and a bunch of other services for no reason. On the other hand these services are a threat to system security.

From any point of view, setting up default services running is wrong:
- security of default installation is low
- not configured services have no value
- system performance is low
#7
Old 16-Feb-2007, 12:03
eberhard

SSH is not insecure in general, but the standard configuration in Suse is. The problem is
1. Suse allows password based login. This is a big problem, because it leaves the system open to dictionary attacks. Solution: switch off password based login and enable public key login instead.
2. Suse allows login with every user, esp. root, who is the first target on password guessing attacks. Solution: only allow login for special users, and not for standard system users.
#8
Old 26-Feb-2007, 15:23
anomie

There are some simple steps that would help make sshd more secure on any distro.

1. Do not permit root login.
2. Do not allow protocol 1. (I can't believe this is still turned on by default.)

I also agree with the point that sshd should simply be shut off in a default installation. If the user wants it on, force him to explicitly turn it on.

As for pubkey authentication, I think that this is important for keeping with defense in depth / layers. Wherever possible, a smart admin will turn on pubkey authentication and disallow all the rest. But by default, either password authentication or challenge-response authentication should probably be on (so that getting pubkeys in place is simpler).

Finally, this should not be a news flash to anyone, but via SFW2 only the subnets that really need access to the service should have it.
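The sshd hardening points from eberhard's and anomie's posts (no root login, no protocol 1, keys instead of passwords, an explicit user whitelist), turned into a small audit script. This is an added example, not code from the thread or from SuSE; it assumes plain "Directive value" lines in sshd_config (Match blocks are not handled), uses the OpenSSH defaults of that era (PermitRootLogin yes, PasswordAuthentication yes) where a directive is absent, and checks two constructed sample files rather than a live system.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the weak settings discussed in this thread.
# Assumption: one "Directive value" per line; Match blocks are not interpreted.

# Effective value of a directive. sshd honours the first occurrence, commented
# lines start with '#' and never match, and $3 is the assumed built-in default.
sshd_directive() {
    _v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# Print one "WEAK: ..." line per risky setting found in the given sshd_config.
audit_sshd_config() {
    if [ "$(sshd_directive "$1" PermitRootLogin yes)" = yes ]; then
        echo "WEAK: PermitRootLogin yes -> set 'PermitRootLogin no'"
    fi
    case $(sshd_directive "$1" Protocol 2) in
        *1*) echo "WEAK: Protocol permits SSH-1 -> set 'Protocol 2'" ;;
    esac
    if [ "$(sshd_directive "$1" PasswordAuthentication yes)" = yes ]; then
        echo "WEAK: PasswordAuthentication yes -> prefer 'PasswordAuthentication no' with public keys"
    fi
    if [ "$(sshd_directive "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled -> set 'PubkeyAuthentication yes'"
    fi
    if [ -z "$(sshd_directive "$1" AllowUsers '')" ] && [ -z "$(sshd_directive "$1" AllowGroups '')" ]; then
        echo "WEAK: no AllowUsers/AllowGroups -> every account, root included, may log in"
    fi
}

# Number of WEAK findings; prints 0 for a hardened file.
count_weak_settings() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# Constructed sample files: a permissive config of the kind the thread describes
# (root login left at its default, SSH-1 still allowed) and its hardened version.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'Protocol 2,1' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'AllowUsers alice bob' > "$HARDENED_CFG"

audit_sshd_config "$WEAK_CFG"
echo "findings in constructed permissive config: $(count_weak_settings "$WEAK_CFG")"
echo "findings in hardened config: $(count_weak_settings "$HARDENED_CFG")"
```

Run it against /etc/ssh/sshd_config instead of the sample files to check a real host; the firewall scoping anomie mentions (SFW2 subnets) is outside sshd_config and is not checked here.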