WARNING: SSH exploit - upgrade information

[ProWebUK]

As with all howto guides i provide, i take no responsibility, any damages that may occur to your server are your own responsibility, if you are worried about running the upgrade i recommend you hire a server administrator .

latest open SSH exploit over the last 48 hours, more information regarding the exploit can be found here:

http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

to upgrade:

login as admin
su - to root

# wget http://prowebuk.com/TEMP/DOWNLOADS/OpenSSH/openssh-3.7p1.tar.gz

BEFORE DOING ANY UPGRADES MAKE SURE YOU HAVE TELNET RUNNING, CONNECT AND KEEP A CONNECTION WHILST YOU PROCEED WITH THE UPGRADE.

for DirectAdmin you should be able to enable telnet by doing the following:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = yes' to 'disable = no'
save the file and exit
# service xinetd restart
also make sure you have port 23 open in your firewall (if you have a firewall)


Ok, lets start proceed with the upgrade

# tar -zxvf openssh-3.7p1.tar.gz
# cd openssh-3.7p1
# ./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5-passwords
# make
# make install

# service sshd restart

alternatively to restart use:

# /sbin/service sshd restart

open a new SSH window and make sure you can successfully connect to SSH... if everything is ok you will be able to disable telnet:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = no' to 'disable = yes'
save the file and exit
# service xinetd restart

If you have a firewall make sure you block port 23 to stop telnet being acessed.

Post if you have any problems

Chris

 

[The Prohacker]

You might want to condfigure OpenSSH with pam..

And people upgrading from older version of OpenSSH might needed add an sshd user..

adduser sshd -s /sbin/nologin
And then run make install again...

 

[ProWebUK]

i had the ssh user problem with another box... i will add the pam information now

 

[l0rdphi1]

I'm having a slight problem:

[root@server1 root]# `echo -e /etc/xinetd.d/telnet`
-bash: /etc/xinetd.d/telnet: No such file or directory

[root@server1 xinetd.d]# locate telnet
/usr/bin/telnet
/usr/lib/python2.2/telnetlib.py
/usr/lib/python2.2/telnetlib.pyc
/usr/lib/python2.2/telnetlib.pyo
/usr/lib/perl5/vendor_perl/5.8.0/URI/telnet.pm
/usr/share/man/man1/telnet.1.gz
/usr/share/terminfo/t/tgtelnet
/usr/include/arpa/telnet.h

 

[DirectAdmin Support]

Hello,

It doesn't appear as though you have telnet installed. (Don't see a telnetd file).

Just a guess, but try using up2date and see if it will install it for you:

up2date -r telnet

not sure, but just a guess.

****

Also, note about the configure line.. I *had* to add

--with-md5-passwords

to get logins working again (pam wasn't playing nice). I didn't use pam in the end, but I guess it would try both methods to login if one failed. Good thing I had a telnet window open

John

 

[ProWebUK]

--with-md5-passwords now added to the configure line

 

[l0rdphi1]

No luck here

Says -r isn't a valid option, and plain old up2date telnet says it's already updated.

 

[DirectAdmin Support]

Says -r isn't a valid option

Sorry about that I got my FreeBSD pkg_add and up2date -u mixed up. Should be "up2date -u telnet" .. but since you already have it... maybe try

up2date -u telnetd

to see if the daemon comes seperately. (note the "d" at the end)

John

 

[l0rdphi1]

Sorry about that I got my FreeBSD pkg_add and up2date -u mixed up.

I thought that might be the case.. hah.

Anyway, I'm having no luck with up2date -u telnetd either.

Tried to re-register and made sure the "telnet" box was checked. On RHN it is saying I have telnet-0.17-25:1.i386.rpm installed.

Hmm..

 

[l0rdphi1]

I got it

Had to install telnet-server-0.17-25:1.i386.rpm



*sigh*




[edit]I too had to cut the --with-pam bit out to get this to configure right.[/edit]

 

[FeBox]

l0rdphi1,

You need to run the following command:

up2date -i pam-devel


Whenever you get those kinds of messages when you are sure that the object is installed, you are most likely missing the devel package.


Also, you could have ran:

up2date -i telnet-server

to get the telnet server on your box.

 

[RTKS]

Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?

 

[Icheb]

Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?

yes, you should
no, it doesn't
sshd -v or sshd -V, keep forgetting, otherwise just try sshd --help
(When you are using RH 9.0 you can still use up2date, other versions will need a source compile )

 

[l0rdphi1]

OpenSSH 3.8 was released today by the way

 

[hail]

what is the new ssh and ist the same step to upgrade?

 

[Icheb]

what is the new ssh and ist the same step to upgrade?

You should know how/where to find these packages yourself

Take a peek at http://www.openssh.org/.
Ya can't miss it.