Mailinglist Archive: opensuse (714 mails)

Re: [opensuse] Can I ask something...?
  • From: Greg Freemyer <greg.freemyer@xxxxxxxxx>
  • Date: Sat, 29 Oct 2011 09:26:51 -0400
  • Message-id: <CAGpXXZJzizvkeSpAso2dzXWNU3byew0=+uHagn+8AHUUX0ka-g@mail.gmail.com>
On Fri, Oct 28, 2011 at 6:01 PM, Brian K. White <brian@xxxxxxxxx> wrote:
On 10/28/2011 12:50 PM, Togan Muftuoglu wrote:

On 10/28/2011 06:42 PM, Linux Tyro wrote:

On Fri, Oct 28, 2011 at 9:09 PM, Robert Schweikert <rjschwei@xxxxxxxx> wrote:

Ok. Well, I just wanted to ask if the new release period could be
increased (just a suggestion) from 8 months to something like a year,
so that we (not from the technical side) can all have a good grasp of the
OS/distro, can know something about it before any new thing comes into
the picture... However, it's just a question of 'if' this is a possibility
or not...!

Upgrading is not obligatory. I am running versions back to 11.1 on a daily
basis and some of them are web and mail servers. So you do not have to
update to the new version every 8 months or so.

life is endless possibilities and then there is the freedom of choosing

Togan


Then again, I just spent a few days fighting with some hacker's script that
somehow manages to get _ROOT ACCESS_ to a few of my openSUSE 11.2 machines,
due apparently to a weakness in openssh.

I had done everything but shut off sshd entirely, since I need it myself,
but I had disallowed root access, I had deleted all ssh keys and changed the
password, and still they got in. Lucky for me it was just a script that only
wanted to do one thing: execute perl and suck down a perl script to generate
spam. It was running perl as root; it could have done _anything_.

I captured forensic data by replacing the perl binary with a shell script
that copied the environment and stdin to unique files and then ran the real
perl binary and that's the only way I was able to see what perl script was
being run. It never used a temp file, just received everything from stdin.

I could have firewalled the IP, but there were multiple IPs, and I know with
scripts like these there would be many other possible IPs the same
form of attack would come from.

My only way to save this server, and still have ssh, was to upgrade ssh to
the latest version, or at least whatever version fixed whatever weakness
this script was exploiting. I only know that upgrading to latest stopped him
cold.

You can only do that for just so long after the distro goes off the back end
of the support time frame.

Luckily this was an 11.2 box, and luckily in this case I already knew from
prior testing on other boxes that it would be OK to just change all the
zypper repos from 11.2 repos (I maintain my own mirrors indefinitely after
they disappear from SUSE's mirrors) to 11.3 repos, add the current
openssh devel repo from OBS, and then update openssh from that; it
pulled in a few other updates from the 11.3 repos and luckily didn't screw
up the rest of the system.

If a box is connected to the internet, you can't actually afford to just let
it get old.

--
bkw

With Evergreen in copy:

Brian (and all),

11.2 does have evergreen support. Issues like the above would be very
appropriate to discuss on the Evergreen users mailing list.

And if 11.2 Evergreen doesn't have a secure version of openssh in it,
then it needs one. The same is true of 11.1 Evergreen.

http://en.opensuse.org/openSUSE:Evergreen

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
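Brian's forensic trick above (moving the interpreter aside and putting a shell wrapper in its place that records the caller's environment and stdin, then runs the real binary) is worth seeing as a concrete script. The following is an added example for this archive, not Brian's actual wrapper or anything shipped by openSUSE; the install path, the `.real` suffix for the moved binary, the capture directory and the sample input are all assumptions constructed for the demo. The demo runs entirely in a temporary directory against a stand-in "real" interpreter, so it does not touch the system's perl.

```shell
#!/bin/sh
# Added example (not from the original thread): a forensic interpreter wrapper.
# It records argv, environment and stdin of every invocation to uniquely named
# files, then execs the real binary so the caller sees no difference.
#
# Assumptions (constructed): the real binary has been moved to "<path>.real",
# the wrapper sits at the original path, and CAPTURE_DIR is root-owned, mode 700.

# write_wrapper DEST REAL_BIN CAPTURE_DIR
# Generates the wrapper script at DEST.  $-signs escaped with a backslash are
# left for the wrapper to evaluate at run time; the rest is filled in now.
write_wrapper() {
    dest=$1; real_bin=$2; capture_dir=$3
    cat > "$dest" <<EOF
#!/bin/sh
# Forensic wrapper: capture first, then hand off to the real interpreter.
capture_dir='$capture_dir'
real_bin='$real_bin'
# Unique id per invocation (time, own pid, parent pid) so concurrent
# invocations never overwrite each other's evidence.
id=\$(date +%s)-\$\$-\$PPID
# Evidence files are created 0600; nobody but root reads them.
umask 077
# argv and environment show how the interpreter was invoked
# (e.g. "perl -" reading the program from stdin, as Brian observed).
printf '%s\n' "\$@" > "\$capture_dir/\$id.argv"
env > "\$capture_dir/\$id.env"
# Interactive use: stdin is a terminal, nothing to buffer, just pass through.
if [ -t 0 ]; then
    exec "\$real_bin" "\$@"
fi
# Non-interactive: keep a copy of stdin (the script that would have run),
# then replay it into the real binary so behaviour is unchanged.
cat > "\$capture_dir/\$id.stdin"
exec "\$real_bin" "\$@" < "\$capture_dir/\$id.stdin"
EOF
    chmod 755 "$dest"
}

# demo: exercise the wrapper in a temp dir with a stand-in "real perl" and
# print the captured stdin.  Every path and input here is constructed.
demo() {
    tmp=$(mktemp -d)
    cap="$tmp/capture"; mkdir -m 700 "$cap"
    # Stand-in for the real interpreter: consumes stdin, reports arg count.
    printf '#!/bin/sh\ncat >/dev/null\necho "real-binary ran with $# args"\n' > "$tmp/perl.real"
    chmod 755 "$tmp/perl.real"
    write_wrapper "$tmp/perl" "$tmp/perl.real" "$cap"
    # Constructed sample of what an automated caller might pipe in.
    printf 'print "hello from stdin\\n";\n' | "$tmp/perl" - >/dev/null
    # The captured stdin is the program text; this is what the wrapper exists for.
    cat "$cap"/*.stdin
    rm -rf "$tmp"
}
```

Two design points: `exec` keeps the wrapper out of the process tree once the real binary starts, so the capture is invisible to anything inspecting the running interpreter; and the `umask 077` plus a root-only capture directory matter, because the captured stdin may contain credentials or an attacker's full payload that nobody else on the box should be able to read. Keep in mind that a caller who already has root, as in Brian's case, could read or remove the evidence, so copy the capture directory off the machine promptly.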
