Gary, you are retired. Don't let technology bring you down. Go outside and
enjoy the nice day. Everything is still green. I would run a firewall and
put ssh on port 5150.
Kevin
On Thu, Apr 10, 2025 at 10:37 AM Gary <saclug(a)garymcglinn.com> wrote:
 And, unlike with rsyslogd, you can't natively set up journalctl to
 generate an alert, as in generate an email based on log entries.  How nice.
 I'm not in a good mood LOL.
 I've closed down my ISP's firewall.  I have the luxury of being able to do
 that.  I'll have something back up by the weekend, when I need the service.
 By then, I should have something figured out.
 On Thu, Apr 10, 2025 at 09:49:42AM -0700, Gary wrote:
 Today I received, via email, a security warning from my ISP, who is
 ATT.  They were advising me that my system was being attacked and that the
 attack was based on an OpenSSH vulnerability.
 After reading some CVE and Red Hat pages, it turns out I'm at risk
 because I updated my bastion server.  My other systems, which the bastion
 server front ends for, aren't affected because the version of OpenSSH is
 too OLD.
 What a pain.
 This happens all the time, whether I get notified or not.  Newer
 versions of software are NOT more secure.  In fact, they become LESS secure
 as developers try to incorporate more functionality and edge uses.  And, in
 this case, because someone made a mistake.
 The whole world is on this upgrade/update treadmill and it gets you
 nothing.  IMHO you are delusional if you think it does.
 I have to get on it because I HAVE to upgrade browsers.  You can only do
 this independently from an OS upgrade for so long.
 Fortunately the exploit is very difficult to exploit beyond causing a
 "system crash".  It takes a lot of "resources" and thousands of attempts.
 Which is probably how ATT noticed it.
 I can't determine if, or ask ATT, to just block the attack.  I can't
 respond to the email.  It seems like blocking the attack would be nice.
 Fortunately, my network is on the slow side and the exploit probably can't
 be feasibly invoked.
 This is why I resist upgrading/updating.  It is a waste of A LOT OF
 TIME.  Better to have a version and just patch vulnerabilities that apply
 to you and forget the rest.
 The recommended fix is to set the logingracetime=0 for the sshd server.
 I'm trying to determine how this will affect password based authentication
 with long passwords over slow/bad networks, my situation.  It seems like it
 might.
 I'm seriously considering just downreving the OS on the bastion server.
 It doesn't really need that much functionality and never runs a browser.
 And, although I wouldn't like it, I'm not sure what they could do by
 executing arbitrary code there.  They would have to be able to ssh
 somewhere useful.
 I can see from the logs that I'm being hit every 3 sec or so.  All
 different IP's, must be a botnet.
  _______________________________________________
 Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
 To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com 
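Gary's observation of a hit every 3 seconds from ever-changing addresses is the kind of thing that can be measured from the sshd log rather than eyeballed. The script below is an added example, not code from anyone in this thread: it parses constructed sample lines in syslog/journalctl short format, computes the mean interval between connection attempts and how many distinct source addresses produced them, and classifies the pattern; the `analyze` function, its thresholds and the sample lines are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd log lines in syslog/journalctl short format (not real log data).
SAMPLE_LOG = """\
Apr 10 09:30:00 bastion sshd[4101]: Connection from 203.0.113.5 port 41022 on 192.0.2.10 port 22
Apr 10 09:30:03 bastion sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 50210 ssh2
Apr 10 09:30:06 bastion sshd[4103]: Timeout before authentication for 203.0.113.9 port 41100
Apr 10 09:30:09 bastion sshd[4104]: Connection from 198.51.100.20 port 33010 on 192.0.2.10 port 22
Apr 10 09:30:12 bastion sshd[4105]: Connection from 203.0.113.5 port 41030 on 192.0.2.10 port 22
Apr 10 09:30:15 bastion sshd[4106]: Failed password for root from 192.0.2.77 port 2222 ssh2
"""

# Syslog timestamp, the sshd tag, then the first "from <ip>" or "for <ip>" in the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r".*?(?:from|for) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_events(log_text):
    """Return sorted (timestamp, source_ip) tuples for every sshd line naming a peer."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only the deltas matter here.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return sorted(events)

def analyze(log_text, max_interval_s=5.0, spread_ratio=0.8):
    """Summarise attempt rate and source spread, then classify the pattern."""
    events = parse_events(log_text)
    per_ip = Counter(ip for _, ip in events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    total, distinct = len(events), len(per_ip)
    if total >= 2 and mean_gap <= max_interval_s and distinct / total >= spread_ratio:
        pattern = "distributed (likely botnet)"       # many sources: one IP block won't help
    elif total >= 2 and mean_gap <= max_interval_s:
        pattern = "single-source (candidate for firewall block)"
    else:
        pattern = "low rate"
    return {"total": total, "distinct_ips": distinct, "mean_interval_s": mean_gap,
            "top_ip": per_ip.most_common(1)[0] if per_ip else None, "pattern": pattern}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Pointing it at `journalctl -u ssh --no-pager -o short` output gives the same summary for a live host, which is one way to get the alerting Gary found missing from journalctl alone.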