Thursday, July 16, 2009
Monday, July 6, 2009
Possible SSH 0-day vulnerability? And a couple of semi-helpful iptables tips.
Update 07/08/2009: This is starting to sound less and less like a 0-day and more like a single administrative error or lapse. Either way it's a warning; don't be lax with your SSH access. SSH is for the most part secure, but there's always the chance that it can be exploited.
Update 07/07/2009: SANS is also as vexed with the lack of info on this issue as everyone else I've contacted. They're a great place to watch for more data as it becomes available. If anything new happens I'll also update here, but I'll probably get it from SANS myself.

I'm sorta loath to report this, since I don't have anything to substantiate it other than rumors flying around on web hosting bulletin boards and Twitter, but there is word of a 0-day SSH vulnerability floating around.
Translated Rumor
Translated Rumor Source
I have no more information on this than that, other than hearing that several hosts are locking down SSH also.
So I've been running around tonight locking down my visible servers.
This is actually good practice for the most part. SSH is a powerful service, so any vulnerability in it gets magnified in importance very quickly, and as information about the vulnerability spreads, attacks multiply just as quickly.
The fix is simple: block SSH access from untrusted IPs. At this juncture, even if it upsets your clients, you might want to do so until more information trickles out about the status of this vulnerability.
If you want an easy way to create and test some new iptables rules, you can do what I do (no warranties, etc).
- do an 'iptables-save > ~root/tmp_iptables'
- edit ~root/tmp_iptables and add the following lines before the line that says COMMIT, substituting your own IPs and hostnames for the ones I have added, of course:
    -A INPUT -s 10.0.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s my.devlab.ca -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j DROP
- do a 'cat ~root/tmp_iptables | iptables-restore' and cross your fingers
If things have gone horribly wrong, and I have led you down a terrible path that cut off your SSH access, you can either console in and redo the same process without the SSH rules, have your service provider console in, or reboot the box. The nifty thing about this method is that it's not a permanent change to your server. It will only last until your next reboot, unless you have some process that automatically saves any iptables rules you put into place.
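The edit-and-load steps above as a script, added here as an example and not code from the original post. It inserts the three rules before the COMMIT of the filter table only, because iptables-save dumps every table and each one ends in its own COMMIT line, and it schedules a restore of the previous rules with at(1) so a lockout undoes itself. The rollback path /root/iptables_rollback, the five-minute window and the sample dump are my assumptions; 10.0.0.1 and my.devlab.ca are the post's placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the post's
# locked-down ruleset from an iptables-save dump and loads it with a
# safety net. Trusted sources are given as arguments; the 10.0.0.1 /
# my.devlab.ca values are the post's placeholders, substitute your own.

# add_ssh_rules TRUSTED... < saved-ruleset > new-ruleset
# Inserts the rules before the COMMIT of the *filter table only: a dump
# may also hold *nat or *mangle sections, each closed by its own COMMIT,
# and INPUT rules placed there are at best misfiled and at worst
# rejected by iptables-restore.
add_ssh_rules() {
    [ $# -gt 0 ] || { echo "need at least one trusted source" >&2; return 1; }
    awk -v trusted="$*" '
        /^\*/ { table = substr($0, 2) }     # track which table we are in
        table == "filter" && /^COMMIT$/ {
            n = split(trusted, src, " ")
            for (i = 1; i <= n; i++)        # a hostname is resolved once, at load time
                print "-A INPUT -s " src[i] " -p tcp -m tcp --dport 22 -j ACCEPT"
            print "-A INPUT -p tcp -m tcp --dport 22 -j DROP"
        }
        { print }
    '
}

# apply_with_rollback NEWFILE: save the live rules, schedule their restore
# with at(1) five minutes out, then load NEWFILE. A mistake that cuts off
# SSH undoes itself; once access is confirmed, cancel the job with atrm.
# Needs root and a running atd; not exercised by the test.
apply_with_rollback() {
    iptables-save > /root/iptables_rollback || return 1
    echo "iptables-restore < /root/iptables_rollback" | at now + 5 minutes
    iptables-restore < "$1" && echo "loaded; check access, then 'atq' / 'atrm <job>'"
}

# Constructed sample of an iptables-save dump with two tables.
sample_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' 'COMMIT' \
        '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' 'COMMIT'
}

# Typical use (as root):
#   iptables-save > /root/tmp_iptables
#   add_ssh_rules 10.0.0.1 my.devlab.ca < /root/tmp_iptables > /root/new_iptables
#   apply_with_rollback /root/new_iptables
```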
The Round-Up: May 26, 2008 #green
Link: The Round-Up: May 26, 2008
From the article:
Oil shock: China and Mexico, not Exxon, stupid
Prices are soaring, in part, because oil is denominated in U.S. dollars and the d...
[MORE]--The Round-Up: May 26, 2008
Sunday, July 5, 2009
Lunar Probe Sends First High-Res Images
Link: Lunar Probe Sends First High-Res Images
From the article:
NASA's Lunar Reconnaissance Orbiter has begun producing high-resolution and wide-angle images of the moon's surface.
...
[MORE]--Lunar Probe Sends First High-Res Images
Saturday, July 4, 2009
Happy 4th of July!, (Fri, Jul 3rd)
Link: Happy 4th of July!, (Fri, Jul 3rd)
From the article:
Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, ...(more)...
[MORE]--Happy 4th of July!, (Fri, Jul 3rd)
Thursday, July 2, 2009
Bicycle Licensing in #Toronto: Why revisit this idea, Councillor Michael Walker?
Update 07/16/2009: Via Ross, Copenhagenize has a posting on this subject also and they've included a PDF of his motion. You can also follow this discussion at the BikingToronto Forums.
Also I noted that I'm wrong below when I say that 5,907 tickets were issued to cyclists during the Toronto Police 'Safe Cycling' campaign; it was actually 1,373 tickets directly to cyclists. 5,907 is the total overall!
Update 07/07/2009: City Caucus also has a posting about this issue.
Labels:
advocacy,
bicycle,
Bicycles,
bike lanes,
Environment,
Lifestyle,
Media Filter,
Toronto,
Transportation
Welcome #green
Wednesday, July 1, 2009
Blog about quick-n-dirty repairs
Link: Blog about quick-n-dirty repairs
From the article:
Human ingenuity (and a touch of foolishness) on parade at thereifixedit.com (Thanks, Coop!)...
...
[MORE]--Blog about quick-n-dirty repairs