I'm already on another non-standard ssh port. So, I'm moving again :).
And, I am enjoying life to the extent possible.
But, I "enjoy" using useful tools that involve technology. It makes my life
easier, overall. And, it is interesting.
I don't feel like I have to accept poor design, quality and implementation of the
things I find useful, just because I am retired. I have long had an issue with the upgrade
treadmill. I'm going back to the way I used to do things: buy hardware, load
software. Never upgrade. Apply a security patch if necessary. I could see that was the
way to go back when I was working, but no one else agreed.
You take a big risk every time someone touches the code, especially if it is complicated.
So, don't touch it. Fix it. Hopefully, if the fixes are carefully done, you'll
end up touching the code less and less often. It will be vetted through time. That leads
to the most secure result IMHO. And, attackers can never be sure of which version of
things is out there, because not everyone of interest has the same version.
Having said that, when the vendors were using this approach the patches were so bad, and
apparently the original code too, that more vulnerabilities and bugs were generated than
were actually fixed. To get out of the swamp, you had to upgrade. When open source
became more prevalent and we didn't have to rely on the vendor to fix things, it was
an improvement. A big improvement. But, in fairness, I guess you can pick your poison.
IMHO the goal to produce functional and bug free code should be emphasized, not
deemphasized. Patches and upgrades should be less frequent, so they can be tested and
verified by the consumer. But everyone has drunk the Kool-Aid and here we are.
Separately, but somehow in my mind, emblematically, I'm building a new kernel. The
process has really taken a step backwards. Things that used to be automatic, now have to
be done manually, like tool version verification. The documentation on the process is
really bad, in the wrong place, and fragmented. It's been 10 years since I built a
kernel, but I have done it before. The change is mind blowing.
5150? Rush?
On Thu, Apr 10, 2025 at 10:42:12AM -0700, Kevin Brisson wrote:
Gary you are retired. Don’t let technology bring you
down. Go outside and
enjoy the nice day. Everything is still green. I would run a firewall and
put ssh on port 5150.
Kevin
On Thu, Apr 10, 2025 at 10:37 AM Gary <saclug(a)garymcglinn.com> wrote:
> And, unlike with rsyslogd, you can't natively set up journalctl to
> generate an alert, as in generate an email based on log entries. How nice.
>
> I'm not in a good mood LOL.
>
> I've closed down my ISP's firewall. I have the luxury of being able to do
> that. I'll have something back up by the weekend, when I need the service.
> By then, I should have something figured out.
>
>
> On Thu, Apr 10, 2025 at 09:49:42AM -0700, Gary wrote:
> > Today I received, via email, a security warning from my ISP, who is
> ATT. They were advising me that my system was being attacked and that the
> attack was based on an OpenSSH vulnerability.
> >
> > After reading some CVE and Red Hat pages, it turns out I'm at risk
> because I updated my bastion server. My other systems, which the bastion
> server front ends for, aren't affected because the version of OpenSSH is
> too OLD.
> >
> > What a pain.
> >
> > This happens all the time, whether I get notified or not. Newer
> versions of software are NOT more secure. In fact, they become LESS secure
> as developers try to incorporate more functionality and edge uses. And, in
> this case, because someone made a mistake.
> >
> > The whole world is on this upgrade/update treadmill and it gets you
> nothing. IMHO you are delusional if you think it does.
> >
> > I have to get on it because I HAVE to upgrade browsers. You can only do
> this independently from an OS upgrade for so long.
> >
> > Fortunately the exploit is very difficult to exploit beyond causing a
> "system crash". It takes a lot of "resources" and thousands of
> attempts.
> Which is probably how ATT noticed it.
> >
> > I can't determine if, or ask ATT, to just block the attack. I can't
> respond to the email. It seems like blocking the attack would be nice.
> Fortunately, my network is on the slow side and the exploit probably can't
> be feasibly invoked.
> >
> > This is why I resist upgrading/updating. It is a waste of A LOT OF
> TIME. Better to have a version and just patch vulnerabilities that apply
> to you and forget the rest.
> >
> > The recommended fix is to set the logingracetime=0 for the sshd server.
> I'm trying to determine how this will affect password based authentication
> with long passwords over slow/bad networks, my situation. It seems like it
> might.
> >
> > I'm seriously considering just downreving the OS on the bastion server.
> It doesn't really need that much functionality and never runs a browser.
> And, although I wouldn't like it, I'm not sure what they could do by
> executing arbitrary code there. They would have to be able to ssh
> somewhere useful.
> >
> > I can see from the logs that I'm being hit every 3 sec or so. All
> different IPs, must be a botnet.
> > _______________________________________________
> > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
> > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com
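Two practical points come up in the thread above: journalctl has no built-in way to turn sshd log entries into an email, and the bastion was being hit every few seconds from many different addresses. The script below is an added example, not anything from the list or from the OpenSSH project: it reads sshd lines in the shape `journalctl -u ssh -o short-iso` produces (the unit name is `sshd` on Red Hat derived systems; the format is assumed here), keeps only the connections that never finished authenticating, and summarises attempt rate and distinct source addresses so the result can be piped to whatever mailer you already use. The journal lines and the addresses in `SAMPLE_JOURNAL` are constructed for the example.

```python
"""Summarise unauthenticated sshd connection attempts from journal output.

Added example for the discussion above. The log format mirrors
`journalctl -u ssh -o short-iso`; the sample lines below are constructed.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# One journal line: "<iso timestamp> <host> sshd[<pid>]: <message>" (format assumed).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Fragments sshd emits for connections that closed before authentication finished.
PREAUTH_MARKERS = (
    "[preauth]",
    "Invalid user",
    "Failed password",
    "Timeout before authentication",  # only logged while LoginGraceTime is non-zero
)

# Constructed sample: six pre-auth attempts three seconds apart plus one real login.
SAMPLE_JOURNAL = """\
2025-04-10T09:40:00-0700 bastion sshd[4101]: Invalid user admin from 203.0.113.5 port 51022
2025-04-10T09:40:03-0700 bastion sshd[4102]: Connection closed by authenticating user root 198.51.100.7 port 40210 [preauth]
2025-04-10T09:40:06-0700 bastion sshd[4103]: Connection closed by 203.0.113.9 port 50310 [preauth]
2025-04-10T09:40:08-0700 bastion sshd[4104]: Accepted publickey for gary from 192.0.2.10 port 60000 ssh2
2025-04-10T09:40:09-0700 bastion sshd[4105]: Timeout before authentication for 192.0.2.44 port 44112
2025-04-10T09:40:12-0700 bastion sshd[4106]: Connection closed by authenticating user root 198.51.100.7 port 40377 [preauth]
2025-04-10T09:40:15-0700 bastion sshd[4107]: Invalid user test from 192.0.2.77 port 38812
"""


def parse_preauth_events(text):
    """Return (timestamp, source_ip, message) for every pre-auth sshd line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if not any(marker in msg for marker in PREAUTH_MARKERS):
            continue  # successful logins and unrelated chatter are skipped
        ip_match = IPV4_RE.search(msg)
        if not ip_match:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
        events.append((ts, ip_match.group(1), msg))
    return events


def summarize(events):
    """Count attempts, distinct sources, grace-time timeouts and mean spacing."""
    if not events:
        return {"attempts": 0, "distinct_ips": 0, "mean_interval_s": None,
                "timeouts": 0, "top_ips": []}
    times = sorted(ts for ts, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    ips = Counter(ip for _, ip, _ in events)
    return {
        "attempts": len(events),
        "distinct_ips": len(ips),
        "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
        "timeouts": sum("Timeout before authentication" in msg for _, _, msg in events),
        "top_ips": ips.most_common(3),
    }


def should_alert(summary, min_attempts=5, min_distinct_ips=3, max_mean_interval_s=10.0):
    """Alert on a steady stream of attempts spread over several sources (thresholds assumed)."""
    if summary["attempts"] < min_attempts or summary["distinct_ips"] < min_distinct_ips:
        return False
    return summary["mean_interval_s"] is not None and summary["mean_interval_s"] <= max_mean_interval_s


def format_alert(summary):
    """Plain-text body suitable for piping into a mailer."""
    lines = [
        f"{summary['attempts']} unauthenticated sshd attempts from "
        f"{summary['distinct_ips']} distinct addresses",
        f"mean spacing: {summary['mean_interval_s']} s, "
        f"grace-time timeouts: {summary['timeouts']}",
    ]
    for ip, n in summary["top_ips"]:
        lines.append(f"  {ip}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read piped journal output; fall back to the constructed sample when run by hand.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    summary = summarize(parse_preauth_events(text))
    if should_alert(summary):
        print(format_alert(summary))
```

Run it from cron as `journalctl -u ssh --since "-10min" -o short-iso | python3 sshd_preauth_alert.py`, and pipe any non-empty output into `mail -s` or your sendmail wrapper; that fills the alerting gap the thread complains about without replacing journald. On the LoginGraceTime question raised in the quoted mail: setting it to 0 disables the timeout entirely, so a slow password login is never cut off, but unauthenticated connections then stay open until the client gives up, and sshd's MaxStartups is what bounds how many of those can be pending at once. With the timer disabled the "Timeout before authentication" lines counted above will no longer appear, but the `[preauth]` and "Invalid user" lines still will.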