WARNING: SSH exploit - upgrade information

ProWebUK

Verified User
Joined
Jun 9, 2003
Messages
2,326
Location
UK
As with all howto guides I provide, I take no responsibility; any damages that may occur to your server are your own responsibility. If you are worried about running the upgrade, I recommend you hire a server administrator :)

Latest OpenSSH exploit over the last 48 hours; more information regarding the exploit can be found here:

http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

to upgrade:

login as admin
su - to root

# wget http://prowebuk.com/TEMP/DOWNLOADS/OpenSSH/openssh-3.7p1.tar.gz

BEFORE DOING ANY UPGRADES MAKE SURE YOU HAVE TELNET RUNNING, CONNECT AND KEEP A CONNECTION WHILST YOU PROCEED WITH THE UPGRADE.

for DirectAdmin you should be able to enable telnet by doing the following:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = yes' to 'disable = no'
save the file and exit
# service xinetd restart
also make sure you have port 23 open in your firewall (if you have a firewall)


OK, let's proceed with the upgrade

# tar -zxvf openssh-3.7p1.tar.gz
# cd openssh-3.7p1
# ./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5-passwords
# make
# make install

# service sshd restart

alternatively to restart use:

# /sbin/service sshd restart

open a new SSH window and make sure you can successfully connect to SSH... if everything is ok you will be able to disable telnet:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = no' to 'disable = yes'
save the file and exit
# service xinetd restart

If you have a firewall, make sure you block port 23 to stop telnet being accessed.

Post if you have any problems :)

Chris
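Added example, not part of the original post: a check for the final step of the howto above, confirming that the telnet fallback is switched off again once SSH works. `xinetd_state` is a name chosen for this example; it assumes the standard xinetd `disable = yes|no` attribute and treats a missing attribute as enabled, which is xinetd's default.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an xinetd service
# file leaves its service switched on. xinetd_state is a made-up name.
# Prints "enabled", "disabled", or "absent" (no such file).
xinetd_state() {
    [ -f "$1" ] || { echo absent; return 0; }
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*disable[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")             # keep the value only
            sub(/[ \t]+$/, "")
            state = (tolower($0) == "yes") ? "disabled" : "enabled"
        }
        # No "disable" attribute at all means xinetd runs the service.
        END { print (state == "" ? "enabled" : state) }
    ' "$1"
}

# Constructed sample: the file as it looks while the fallback is open.
sample=$(mktemp)
cat > "$sample" <<'EOF'
service telnet
{
        disable = no
        socket_type = stream
        server = /usr/sbin/in.telnetd
}
EOF
echo "during upgrade: $(xinetd_state "$sample")"

# Same file after the cleanup step from the post.
sed 's/disable = no/disable = yes/' "$sample" > "$sample.new"
mv "$sample.new" "$sample"
echo "after cleanup:  $(xinetd_state "$sample")"
rm -f "$sample"

# On the server itself: xinetd_state /etc/xinetd.d/telnet
```

The file only shows what is configured; xinetd applies it after the `service xinetd restart` step in the post.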
 

The Prohacker

Verified User
Joined
May 23, 2003
Messages
142
You might want to configure OpenSSH with pam..

And people upgrading from older versions of OpenSSH might need to add an sshd user..

adduser sshd -s /sbin/nologin
And then run make install again...
 

ProWebUK

Verified User
Joined
Jun 9, 2003
Messages
2,326
Location
UK
I had the ssh user problem with another box... I will add the pam information now :)
 

l0rdphi1

Verified User
Joined
Jun 22, 2003
Messages
1,471
I'm having a slight problem:
Code:
[root@server1 root]# `echo -e /etc/xinetd.d/telnet`
-bash: /etc/xinetd.d/telnet: No such file or directory

[root@server1 xinetd.d]# locate telnet
/usr/bin/telnet
/usr/lib/python2.2/telnetlib.py
/usr/lib/python2.2/telnetlib.pyc
/usr/lib/python2.2/telnetlib.pyo
/usr/lib/perl5/vendor_perl/5.8.0/URI/telnet.pm
/usr/share/man/man1/telnet.1.gz
/usr/share/terminfo/t/tgtelnet
/usr/include/arpa/telnet.h
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,959
Hello,

It doesn't appear as though you have telnet installed. (Don't see a telnetd file).

Just a guess, but try using up2date and see if it will install it for you:

up2date -r telnet

not sure, but just a guess.

****

Also, note about the configure line.. I *had* to add
Code:
--with-md5-passwords
to get logins working again (pam wasn't playing nice). I didn't use pam in the end, but I guess it would try both methods to login if one failed. Good thing I had a telnet window open ;)

John
 

l0rdphi1

Verified User
Joined
Jun 22, 2003
Messages
1,471
No luck here :(

Says -r isn't a valid option, and plain old up2date telnet says it's already updated.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,959
Says -r isn't a valid option
Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up. Should be "up2date -u telnet" .. but since you already have it... maybe try
Code:
up2date -u telnetd
to see if the daemon comes separately. (note the "d" at the end)

John
 

l0rdphi1

Verified User
Joined
Jun 22, 2003
Messages
1,471
DirectAdmin Support said:
Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up.
I thought that might be the case.. hah. :)

Anyway, I'm having no luck with up2date -u telnetd either. :(

Tried to re-register and made sure the "telnet" box was checked. On RHN it is saying I have telnet-0.17-25:1.i386.rpm installed.

Hmm..
 

l0rdphi1

Verified User
Joined
Jun 22, 2003
Messages
1,471
I got it :D

Had to install telnet-server-0.17-25:1.i386.rpm



*sigh*




[edit]I too had to cut the --with-pam bit out to get this to configure right.[/edit]
 

FeBox

Verified User
Joined
Dec 30, 2003
Messages
26
l0rdphi1,

You need to run the following command:

up2date -i pam-devel


Whenever you get those kinds of messages when you are sure that the object is installed, you are most likely missing the devel package.


Also, you could have run:

up2date -i telnet-server

to get the telnet server on your box.
 

RTKS

Verified User
Joined
Nov 25, 2003
Messages
48
Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?
 

Icheb

Verified User
Joined
Sep 15, 2003
Messages
556
Location
The Netherlands
RTKS said:
Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?
yes, you should
no, it doesn't
sshd -v or sshd -V, keep forgetting, otherwise just try sshd --help :D
(When you are using RH 9.0 you can still use up2date, other versions will need a source compile :D)
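Added example, not part of any post in this thread: one way to turn the "which version am I running" question above into a check against 3.7p1, the release the howto installs. The input is any line containing an `OpenSSH_x.y[.z]pN` string, such as the output of `ssh -V` or the banner the server sends on connect; the function names and sample banners are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare an OpenSSH version string
# with 3.7p1, the release the howto in this thread installs.
FIXED="3.7p1"

# Pull "3.6.1p2" out of a banner or `ssh -V` line; prints nothing if absent.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9.]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# "3.6.1p2" -> "3 6 1 2"; missing fields become 0.
split_version() {
    v=$1; p=0
    case "$v" in *p*) p=${v##*p}; v=${v%%p*} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${p:-0}"
}

# Prints "upgrade" (older than FIXED), "ok", or "unknown" (no OpenSSH version).
classify() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    set -- $(split_version "$ver")
    a1=$1 a2=$2 a3=$3 a4=$4
    set -- $(split_version "$FIXED")
    # A non-portable build has no pN suffix: compare the numbers only.
    case "$ver" in *p*) ;; *) a4=$4 ;; esac
    for pair in "$a1:$1" "$a2:$2" "$a3:$3" "$a4:$4"; do
        have=${pair%%:*}; need=${pair##*:}
        # Numeric, field by field: 3.10 would be newer than 3.7.
        if [ "$have" -lt "$need" ]; then echo upgrade; return 0; fi
        if [ "$have" -gt "$need" ]; then echo ok; return 0; fi
    done
    echo ok
}

# Constructed sample inputs, not captured from a real host.
for line in "SSH-2.0-OpenSSH_3.6.1p2" "SSH-1.99-OpenSSH_3.7p1" "SSH-2.0-example_1.0"; do
    printf '%-28s %s\n' "$line" "$(classify "$line")"
done
```

On a live box the input would be `classify "$(ssh -V 2>&1)"`; note that this reports the installed client binary, so after a source build also confirm the running daemon was restarted.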
 