Re: [Exim] Eximon vs. Exim Webapp security challenge

Pàgina inicial
Delete this message
Reply to this message
Autor: Blaine Simpson
Data:  
A: exim-users
Assumpte: Re: [Exim] Eximon vs. Exim Webapp security challenge
Try doing a web search engine for "ssh exploit" or "ssh advisory" or go
to any security advisory site like cvs.mitre.org.

If you apply security patches regularly and lock down with tcp wrappers or
some other form of ip filtering, it's excellent. Otherwise it's not. Both
ssh and http can be secure or insecure. The differentiation is that a
break in to sshd is generally a much more serious thing than a break in to
a web site.

First off, the purpose of sshd is to use some authentication mechanism to
give a login, including a root login. (Configuring sshd to prevent this
is safer, but the binary still has the capability to do so). Compare that
to Tomcat which can never be used to become root without also exploiting
an OS/Pam/etc. vulnerability at the same time-- I like those odds. I
would much rather have a hacker poking around my web pages looking for
vulnerabilities than poking around with an OS shell (whether root or not).

Using only static content and/or compiled active content (like C or Java)
makes things much more secure than shell scripts (or dreaded CGI scripts).
This is another reason why Tomcat is a very secure product. I've done
post breakin assessments for break-ins for all of these types for MCI and
(recently defunct) Cable & Wireless. The web server breakin that I've
seen most often is using http parameters to cause a bad script (php, perl
etc.) to execute a "system" command. With compiled programs, you can't
"system" a command unless the developer compiled the system command in.
(I am saying "system" to refer to the capability... it could be a back-tick
command, an "exec", etc., depending on the language).

You may notice that the normal procedure at nearly every large IT company
is as follows: The main firewalls from the Internet permit all incoming
traffic on http and https ports. This means that if you have a static IP
inside, you can run a web or web app server and access it from anywhere
on the Internet. We know that these servers are generally safe enough to
leave security up to the people running the individual servers. On the
other hand, ssh is usually prohibited from everywhere except specific IP
addresses and/or VPN. (Http/Https vs. ssh traffic is differentiated by
destination port or by checking high-level protocol packets. If the
former, then internal users can circumvent their company's security by
running sshd on port 80). Sshd access is not closed because it is not
desired, because it causes great inconvenience, for exampe, for
administrators to not have remote ssh access (as well as many other
things that can be done over an ssh pipe).


I won't be spending my time replying to further objections like these.
I hope that most people realize that, just like with Science, intuition
about IT security is very unreliable unless built upon serious study or
experience.



Marc Haber wrote:
> On Thu, 29 Jan 2004 11:16:27 -0500, Blaine Simpson
> <blaine.simpson@???> wrote:
>
>>(Seriously-- don't unless you know
>>that you have sshd patched and nailed down-- I won't take the time to
>>break in, but somebody else reading this may).
>
>
> Seriously, are there any current problems with openssh?
>
> Greetings
> Marc
>
> --
> -------------------------------------- !! No courtesy copies, please !! -----
> Marc Haber          |   " Questions are the         | Mailadresse im Header
> Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
> Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>


--
ICF:  703-934-3692       Cell:  703-944-9317