sshFlipper
- Problem
- There's a new ssh exploit in the wild. A patch is currently unavailable for Mac OS X.
- Undesirable Solution #1
- Disable ssh. No go: services fall over, and I need to be able to update data remotely.
- Undesirable Solution #2
- Whitelist incoming ssh connections. I already have this set up on most machines, but that's only because I keep my personal 'gateway' server open to all addresses.
- Abstract Workable Solution
- Lessen risk by using a currently unexploited service to remotely turn on exploited service for short periods of time.
- Concrete Workable Solution
- Write an Apache CGI that "flips" sshd. That is, if sshd is running, stop it. Otherwise, start sshd.
- Implementation of Workable Solution
- sshFlipper (12K, Mac OS X only)
- Implementation Installation
- Double-click on the included install.command. It should open Terminal.app and will ask for an admin password. A copy should be installed in /Library/WebServer/CGI-Executables/. If you don't trust my binary, the source code is included and you're free to build and install your own.
- Implementation Use
- Once installed, hit http://example.com/cgi-bin/USER.sshFlipper, where USER is the name of the installer's account. For example, if your user account is joebob, hit http://example.com/cgi-bin/joebob.sshFlipper
Properly called, you should be treated to an elegantly spartan page that reads:
sshd NOT running
sshd turned ON
-or-
sshd IS running
sshd turned OFF
- Implementation Warning
- This is a remotely executed binary. It is written in C. It is suid. As root. By now, all alarms should be going off in your head: Danger Will Robinson!
This is because you need to be root in order to launch sshd. The only saving grace is that the code doesn't read any remote input. Otherwise this would be pure suicide.
You should rename /Library/WebServer/CGI-Executables/USER.sshFlipper after installing it to something obscure that only you would know. For example, I might rename wolf.sshFlipper to something random like sfbGasMqcgL5Fmyn.
The installation script uses your account name just to give some randomness to the CGI's name, so script kiddies don't add /cgi-bin/sshFlipper to their standard list of exploit probes. Remember, once installed, anyone on the Internet can turn on and off ssh access to your box. You're relying on security through obscurity here.
You may wonder why I didn't write this as a shell script. The initial version was just that. However, I had to move it to C for a very-good-but-can't-be-publicly-disclosed reason. NDAs make baby Jesus cry.
- Implementation Bugs
- The "Sharing" System Preference pane loses track of whether sshd (Apple calls it "Remote Login") is on or not. I don't know how to fix this, since I don't know how Apple tracks this.
Ed Silva alerts me that building the latest OpenSSH release is really easy, something like:
./configure --prefix=/usr --sysconfdir=/etc
He's got a point, and I may end up building the new release myself. However, I really like the idea of having ssh turned off most of the time. That lowers my open port count to four (25, 53, 80, 110).
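The Implementation Warning above spells out the two weak spots of the approach: the CGI runs as root, and the only thing standing between the Internet and your sshd switch is an obscure file name. Below is an added example, not the original sshFlipper code, of the same flip written as a POSIX shell CGI with the guardrails a defender would want on top: a shared-secret token checked before anything happens, a log line per request, and an automatic "off" a few minutes after each "on", so the exploitable service is exposed only for the short window the Abstract Workable Solution asks for. It assumes Apache sets the usual CGI variables (GATEWAY_INTERFACE, QUERY_STRING, REMOTE_ADDR), that sshd is managed by launchd under the label com.openssh.sshd (a modern macOS, not the 2003 layout the post targets), and that the secret and log file paths are placeholders you pick yourself.

```shell
#!/bin/sh
# Added example (not the original sshFlipper binary): a shell CGI that
# flips sshd as the article describes, plus a shared-secret token, a log
# line per request, and an automatic "off" after a short window.
# Assumptions: Apache sets GATEWAY_INTERFACE, QUERY_STRING and REMOTE_ADDR;
# sshd is managed by launchd under the label com.openssh.sshd; the file
# paths below are placeholders you choose and must be root-only.

SECRET_FILE="${SECRET_FILE:-/etc/sshflipper.secret}"              # assumed: one line, mode 0600
LOG_FILE="${LOG_FILE:-/var/log/sshflipper.log}"                   # assumed
SSH_PLIST="${SSH_PLIST:-/System/Library/LaunchDaemons/ssh.plist}" # assumed launchd plist
AUTO_OFF_SECONDS="${AUTO_OFF_SECONDS:-600}"                       # sshd is stopped again after this

# Pull token=... out of a CGI query string. Pure function, so it is testable.
query_token() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n 's/^token=//p' | head -n 1
}

# Presented token vs. expected token. Empty values never match, so a
# missing or empty secret file cannot silently become "anyone may flip".
token_ok() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Given the current state, print the action on line 1 followed by the
# same two-line page the article shows. Unknown states are an error.
flip_plan() {
    case "$1" in
        running) printf 'stop\nsshd IS running\nsshd turned OFF\n' ;;
        stopped) printf 'start\nsshd NOT running\nsshd turned ON\n' ;;
        *)       return 1 ;;
    esac
}

# Side-effecting helpers; only these need root.
sshd_state() {
    if launchctl list 2>/dev/null | grep -q 'com.openssh.sshd'; then
        echo running
    else
        echo stopped
    fi
}
sshd_start() { launchctl load -w "$SSH_PLIST"; }
sshd_stop()  { launchctl unload -w "$SSH_PLIST"; }

log_line() {
    printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "${REMOTE_ADDR:-?}" >>"$LOG_FILE"
}

main() {
    printf 'Content-Type: text/plain\r\n\r\n'
    expected=$(cat "$SECRET_FILE" 2>/dev/null)
    if ! token_ok "$(query_token "${QUERY_STRING:-}")" "$expected"; then
        echo "denied"
        log_line denied
        return 0
    fi
    plan=$(flip_plan "$(sshd_state)")
    action=$(printf '%s\n' "$plan" | head -n 1)
    printf '%s\n' "$plan" | tail -n +2        # the page the caller sees
    log_line "$action"
    case "$action" in
        start)
            sshd_start
            # Close the window again without a second request. Descriptors are
            # detached so Apache does not hang waiting on the sleeping child.
            (sleep "$AUTO_OFF_SECONDS"; sshd_stop) >/dev/null 2>&1 </dev/null &
            ;;
        stop) sshd_stop ;;
    esac
}

# Only act when invoked by the web server; running it by hand is inert.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main
fi
```

Call it as http://example.com/cgi-bin/flipper.cgi?token=YOUR_SECRET. The token replaces the obscure file name as the thing an outsider has to guess, but it travels in the URL, so it ends up in the web server's access log and, over plain http, on the wire; serve it over https and rotate the secret if you suspect it leaked. The script still has to run as root to touch launchd (a suid wrapper or a sudo rule), so the article's warning about remotely executed root code applies unchanged; what changes is that a request without the right token does nothing and leaves a log line behind.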
Wednesday, September 17, 2003
12:00 AM