Educause Security Discussion mailing list archives
Re: Previous Thread on Increased Probes
From: Robin Jacobsen <jacobsen () SWARTHMORE EDU>
Date: Fri, 23 Jul 2004 11:02:37 -0400
Yes, there was an intrusion into one of our Macs running 10.3.4 with all updates applied. The hacker attempted to use the machine in question for a DDOS attack outside the College. The path appears to have been the not-quite-up-to-date version of SSH that Apple shipped with these computers as well as a surprising omission in the configuration file that controls the SSH service. SSH service is through port 22. Fortunately, the Mac comes with Remote Login (SSH) turned off, so this will not affect most users.

Approaches to address the problem (temporarily):

1. (Easy) If possible, turn off Remote Login (System Preferences, Sharing Pane)

2. (Moderate) If SSH must be enabled, edit the /etc/sshd_config file. The line "#Protocol 2,1" should be changed. It should read "Protocol 2" in order to limit connections to the newer SSH 2 version of that protocol. The machine should be rebooted once this change has been made and saved. To edit this file you will need to use a command line text editor in the Terminal with sudo privileges. Thus you could type:

   1. sudo pico /etc/sshd_config
   2. provide the admin password
   3. use the arrow keys to get to the line that contains "#Protocol 2,1"
   4. delete the "#" and the ",1" to make the line read "Protocol 2"
   5. use ctrl-x to Exit the program
   6. type "y" to save, and return to accept the file name of "/etc/sshd_config"
   7. Quit the Terminal Application and Reboot the Mac

3. (Harder) Update SSH and SSL yourself (generally difficult if you don't know what you're doing)

We've been in contact with Apple about this and we're continuing to investigate the intrusion to look for any more clues about the means by which it was accomplished. The ultimate solution will be for Apple to issue an update that brings the installed version of OpenSSL and OpenSSH up to current standards.

Yours,
Robin

At 10:40 AM 7/23/2004, you wrote:
Sorry to bring this up again but a colleague at another university has asked me if anyone has seen a recent flood of attacks on their address space similar to what he experienced a couple of weeks ago. I remember there was some talk, maybe on this list, about seeing incoming packets from many sources with numbers near a thousand. But in cleaning out my Inbox after a vacation, I must have deleted that information.

Here is a sample of some of the traffic from one source found in his logs:

Jul 9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul 9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul 9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul 9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets

Is this what others were seeing, an attack on port 23? Has anyone determined the purpose of this flood?

Thanks!

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
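Robin's hand edit of /etc/sshd_config (uncomment "Protocol 2,1" and drop the ",1") can be checked and applied programmatically. The following is an added example, not code from either message; it assumes an OpenSSH-style config file where a commented-out Protocol line leaves the daemon's built-in default in force, and the default path is only an illustration.

```python
"""Added example: force the sshd_config Protocol directive to 'Protocol 2'.
Any Protocol line, commented out or not, is rewritten; if the file has none,
one is appended. Not the thread's own code; paths are illustrative."""
import re
from pathlib import Path
from typing import Optional, Tuple

# Matches '#Protocol 2,1', 'Protocol 1', 'Protocol 2', with optional spaces.
PROTOCOL_RE = re.compile(r"^\s*#?\s*Protocol\s+([12](?:\s*,\s*[12])*)\s*$")


def protocol_setting(text: str) -> Optional[str]:
    """Effective Protocol value: the first uncommented directive, or None
    when only commented lines exist and the daemon's built-in default applies
    (the situation the post describes on the shipped config)."""
    for line in text.splitlines():
        m = re.match(r"^\s*Protocol\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def harden_protocol(text: str) -> Tuple[str, bool]:
    """Return (new_text, changed) with every Protocol directive set to 2."""
    out, found = [], False
    for line in text.splitlines():
        if PROTOCOL_RE.match(line):
            found = True
            out.append("Protocol 2")  # drops the leading '#' and the ',1'
        else:
            out.append(line)
    if not found:
        out.append("Protocol 2")
    changed = out != text.splitlines()
    return "\n".join(out) + "\n", changed


def harden_file(path: str = "/etc/sshd_config") -> bool:
    """Apply harden_protocol to a file in place (needs root for /etc).
    sshd only re-reads the file on restart, hence the reboot in the post."""
    p = Path(path)
    new_text, changed = harden_protocol(p.read_text())
    if changed:
        p.write_text(new_text)
    return changed
```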
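To answer Lois's question from the gateway logs rather than by eye, the Cisco %SEC-6-IPACCESSLOGP lines can be rolled up into packet totals per source, destination and destination port so a telnet (port 23) flood from one host stands out. This is an added example, not code from the thread; the SAMPLE lines are constructed in the quoted format and use documentation addresses, not the hosts in the post.

```python
"""Added example: summarise Cisco access-list log lines per flow and flag
the busiest ones. SAMPLE is constructed, not taken from a real gateway."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

Key = Tuple[str, str, int]  # (source host, destination host, destination port)


def summarize(lines: Iterable[str]) -> Dict[Key, int]:
    """Total packets per flow; lines in any other format are skipped."""
    totals: Dict[Key, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        totals[(m["src"], m["dst"], int(m["dport"]))] += int(m["count"])
    return dict(totals)


def flagged(summary: Dict[Key, int], threshold: int) -> List[Tuple[Key, int]]:
    """Flows with at least `threshold` packets, busiest first."""
    hits = [(k, n) for k, n in summary.items() if n >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


SAMPLE = [  # constructed; same layout as the quoted gateway lines
    "Jul 9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120 "
    "permitted tcp 192.0.2.5(41085) -> xxx.xxx.2.10(23), 1 packet",
    "Jul 9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120 "
    "permitted tcp 192.0.2.5(41085) -> xxx.xxx.2.10(23), 2 packets",
    "Jul 9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120 "
    "permitted tcp 192.0.2.5(41085) -> xxx.xxx.2.10(23), 1 packet",
    "Jul 9 21:22:01 gateway 1305870: 2d14h: %SEC-6-IPACCESSLOGP: list 120 "
    "permitted tcp 198.51.100.7(3322) -> xxx.xxx.2.11(22), 1 packet",
    "Jul 9 21:22:02 gateway 1305871: 2d14h: unrelated syslog line (skipped)",
]

if __name__ == "__main__":
    for (src, dst, dport), n in flagged(summarize(SAMPLE), threshold=3):
        print(f"{src} -> {dst}:{dport}  {n} packets")
```

Run against a full day of gateway syslog, the same roll-up keyed on destination port alone shows whether the probes are confined to port 23 or part of a wider sweep.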