[dead]
on July 20, 2009


From: http://lists.grok.org.uk/pipermail/full-disclosure/2009-July...

1) Register 'Anti-Sec ' with Free Mail Provider 2) Claims to Full Disclosure 3) ???? 4) PROFIT.

brilliant


The so-called anti-sec movement confuses me a lot. They seem to hate script kiddies, but these people are no better, if anything they are more dangerous because they have a false set of ideals they believe they are promoting. I wish I could slap them with a trout.

In my personal experience, public disclosure has legitimate uses in strong-arming companies into dealing with security issues that they would rather ignore.


From The Dark Knight

Alfred Pennyworth -> "Some men just want to watch the world burn."

The Joker -> "It's not about money... it's about sending a message. Everything burns!"


People seem to agree that it is 'too good to be true' so that it must be a hoax. I'm still a little worried and I think it is good to have some IP based access lists ready when things become more clear in the coming days.


Not just a hoax, they're out to discredit anti-sec. Anti-sec doesn't use gmail, they always sign their posts, and they certainly do not issue warnings.

Anti-sec with an ssh 0-day would've tripped over itself rm'ing boxes left and right. It's like Bin Laden warning people he is in California and would be causing great mayhem, Real Soon Now.


Anti-sec (with their real email address) could make a counter statement then?


Maybe they should hold a press conference?

1) The more we talk about anti-sec the bigger anti-sec gets.

2) These guys are not exactly teen pop idols, ever ready to dispute a rumor or a tabloid story; there is a good bounty on their necks and they seem to have "better" things to do.

3) The more security mailing lists and other communication venues get trolled and hoaxed, the more the security industry looks like the joke it is, and that would make anti-sec kinda happy.

Now, can we please flag the "story"?


yeh smells like a hoax to me too.


Flag it.


It's still interesting (right?)


If they had any evidence it would be one thing, but this is just fear mongering.


Interesting that this group's manifesto of 10 days ago railed against full disclosure, and now they're employing an extreme example of it. Smells like something with more bark than bite, to me, but I guess I'll leave single packet authentication enabled on my box.


I wonder how the IT/security staff react to such information? In the sense, what do you do? How to be "ready" for this?


1) iptables! I always implement a default drop on INPUT, OUTPUT, FORWARD. I then only allow known services to have open ports.

2) Only allow specific IPs to connect to ssh. If you are an admin on the road, use port knocking to open that ssh port up for a limited time from where you are at.

3) Last but not least, change the default port of SSH from 22 to something your company runs. You can do this in /etc/services or in /etc/ssh/sshd_config

A lot of preventative maintenance helps you secure a system running an ssh daemon. I do these same things on our Cisco routers -- they are just called something else (access lists, etc.)
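The three steps in the post above, written out as a script that generates the firewall ruleset and the sshd setting rather than applying them. This is an added example, not code from the thread or from any of its posters; the SSH port 2222, the admin allow-list (203.0.113.10 and 198.51.100.0/24, RFC 5737 documentation ranges) and the web ports are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters.
# Generates (does not apply) an iptables-restore ruleset and an sshd_config
# line implementing: default DROP on INPUT/OUTPUT/FORWARD, SSH accepted only
# from an admin allow-list, sshd moved off port 22.
# Constructed assumptions: SSH on 2222, admins at 203.0.113.10 and
# 198.51.100.0/24 (RFC 5737 ranges), the host serves HTTP/HTTPS.

emit() { printf '%s\n' "$1"; }

# Accept "a.b.c.d" or "a.b.c.d/n"; return 1 on anything else so a typo in the
# allow-list cannot silently become a rule that matches nothing.
valid_ipv4_cidr() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no "/n" given: host address
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                                 # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an iptables-restore filter table. $1 = SSH port; remaining arguments
# are the sources allowed to reach it. Review the output, then load it with
# `iptables-restore < file` (keep console access handy the first time).
gen_ruleset() {
  ssh_port=$1; shift
  case "$ssh_port" in ''|*[!0-9]*) emit "bad port: $ssh_port" >&2; return 1 ;; esac
  [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || return 1
  [ $# -ge 1 ] || { emit "no allow-list given; you would lock yourself out" >&2; return 1; }
  for src in "$@"; do
    valid_ipv4_cidr "$src" || { emit "bad allow-list entry: $src" >&2; return 1; }
  done
  emit '*filter'
  # Step 1: default DROP on every chain; only what follows gets through.
  emit ':INPUT DROP [0:0]'
  emit ':FORWARD DROP [0:0]'
  emit ':OUTPUT DROP [0:0]'
  emit '-A INPUT -i lo -j ACCEPT'
  emit '-A OUTPUT -o lo -j ACCEPT'
  # Packets belonging to connections already accepted, in either direction.
  emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Known inbound services (constructed: a web server).
  emit '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
  emit '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
  # Step 2: new SSH connections only from the allow-list.
  for src in "$@"; do
    emit "-A INPUT -p tcp -s $src --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Everyone else reaching the SSH port is logged (rate-limited) and then
  # falls through to the DROP policy; that log is where a dragnet shows up.
  emit "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix \"ssh-denied: \""
  # Outbound: DNS plus HTTP/HTTPS for package updates; add what the host needs.
  emit '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
  emit '-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
  emit 'COMMIT'
}

# Step 3: the sshd_config line moving the listener off port 22 (sshd needs a
# restart afterwards, and the firewall rule above must be loaded first).
gen_sshd_conf() {
  emit "Port $1"
}

# Demonstration with the constructed values; redirect each to a file and review.
gen_ruleset 2222 203.0.113.10 198.51.100.0/24
emit '# --- append to /etc/ssh/sshd_config ---'
gen_sshd_conf 2222
```

Port knocking (the poster's suggestion for admins on the road) is left out because it needs a knock daemon to insert the allow rule dynamically; the allow-list loop above is the rule such a daemon would add and later remove.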


What's with this "move SSH to another port" stuff? Don't even the most simplistic bots perform port scans to discover your services anyway? Seems a bit too much like security by obscurity to me.


Don't even the most simplistic bots perform port scans to discover your services anyway?

err... sort of. They're just looking at port numbers and cross-referencing that to services that are known to live on those ports.

Changing the port that SSH listens on isn't going to stop somebody from performing this exploit against one of your machines, it IS going to prevent you from getting auto-rooted by a bot that goes around looking for machines that ack on port 22.

Think of it like a hidden door, but on the front of your house. To the casual observer driving through the neighborhood, they won't see it. To somebody actively trying to find a way into your house...you're going to need more.
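What the "bot that goes around looking for machines that ack on port 22" looks like from the receiving end, as an added example that is not code from the thread: a small detector that reads sshd log lines from stdin, counts probe events (invalid user names and failed passwords) per source address, and lists the sources at or above a threshold, plus a helper that shows which account names a source tried. The log lines are constructed for the demo (RFC 5737 addresses), and the auth log path in the usage comment is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example, not code from the thread. Detects automated SSH probing from
# sshd log lines on stdin. The sample log below is constructed.

# Usage: dragnet_sources THRESHOLD < /var/log/auth.log
# (path is an assumption; some systems use /var/log/secure or journalctl)
# Prints "<source> <count>" for every source with at least THRESHOLD probes.
dragnet_sources() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
      # the source address is the word after "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= t) printf "%s %d\n", ip, hits[ip] }
  ' | sort
}

# Usage: probed_users SOURCE < logfile
# Distinct invalid account names a source tried, space-separated. A run of
# service-default names (admin, oracle, test, pi ...) is a scanner's
# signature, not a user who mistyped a password.
probed_users() {
  awk -v src="$1" '
    /Invalid user/ {
      for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == src) print $(i - 1)
    }
  ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: one dictionary scanner, one legitimate admin who
# mistyped once and then logged in with a key, one single-shot probe.
SAMPLE_LOG='Jul 20 03:14:07 host sshd[2101]: Invalid user admin from 203.0.113.5 port 41022
Jul 20 03:14:09 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 20 03:14:11 host sshd[2105]: Invalid user oracle from 203.0.113.5 port 41030
Jul 20 03:14:13 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Jul 20 03:14:15 host sshd[2109]: Invalid user test from 203.0.113.5 port 41038
Jul 20 03:20:01 host sshd[2150]: Failed password for alice from 198.51.100.7 port 52211 ssh2
Jul 20 03:20:05 host sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 52211 ssh2
Jul 20 03:31:44 host sshd[2201]: Invalid user pi from 192.0.2.99 port 60000'

# Demo: sources with three or more probes, then what the top one tried.
printf '%s\n' "$SAMPLE_LOG" | dragnet_sources 3
printf '%s\n' "$SAMPLE_LOG" | probed_users 203.0.113.5; echo
```

Run against a real log the threshold separates the scanner (many probes, many default account names) from the admin who fat-fingered a password once; the output is the input you would feed into an access list or a rate-limiting rule.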


The most simplistic bots just scan specific known ports.

Also, security by obscurity does sometimes work. It's dangerous because you can't depend on it, and often it makes it harder to analyze your security in general. Sometimes, badly implemented security by obscurity can compromise security. In fact, badly implemented security often compromises security, because it is hard to do this stuff. Non-obscure security mechanisms have a distinct advantage -- more eyeballs are looking at them.

So the best policy? I think you should use standard security tools, and then layer simple obscurity over top of that. Keep it minimal so you can make sure it won't mess up some other aspect of your security. It's worth it, just to keep from being the lowest hanging fruit on the tree.

I can't outrun the bear, but I don't have to, because I can outrun you!


Update to the latest version of SSH.

This doesn't affect the latest version (last I heard).


Not according to the subject of their post:

OpenSSH <= 5.2 zero day exploit code


Wow...that is an update. The "ssh 0-day" from a week ago or so was only version < 4.5 (I think).

I just moved ssh daemons that face the internet to non-standard ports. I suggest everybody does the same to prevent dragnetting (just to be safe).


Uhm... Anti-sec dropped "ssh exploit codez" last week, and it turned out to be a trojan that, when run, deletes your home directory.

I'd expect something similar here, because if they release real exploit code, they are violating their own deeply held beliefs on disclosure.

Long story short: don't try running their code.
