Strange command histories in hacked shell history

Daniel Rudy dr2867 at pacbell.net
Tue Dec 21 22:39:02 PST 2004


At about the time of 12/20/2004 9:18 AM, Bill Vermillion stated the
following:

> While normally not able to pour water out of a boot with
> instructions on the heel, on Mon, Dec 20, 2004 at 10:56  
> our dear friend Gerhard Schmidt uttered this load of codswallop:
> 
> 
>>On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
> 
> 
> [much deleted - wjv]
> 
> 
> 
>>>Can anyone explain why  su   does not use the UID from the login
>>>instead of the EUID ?  It strikes me as a security hole, but I'm no
>>>security expert so explanations either way would be welcomed.
> 
> 
>>I'm not a security expert, but if someone has the
>>Username/Password for an Account that can su to root. Where is
>>the point of disallowing him to su to this user and then to su.
>>You can't prevent him from directly logging in as this User
>>and then use su. Therefore there is no gain in security just a
>>drawback in usefulness. I use this often to get a rootshell on
>>an Xsession from a user who can't su to root.
> 
> 
> You can limit the access for the person who has wheel/su
> privileges by running sshd and then permitting connections only
> from certain IPs or IP blocks. So another person is severely
> restricted from logging in as this user even if they have cracked
> that person's password. But once the cracker is in the system they
> can attempt breaking the password on a local basis, and then attack
> the root system.
> 
> I think the comment one other person made about limiting the su
> stack to 1, so that you can not su to an account and then su to
> another account is a good approach.
> 
> Considering the HUGE amount of attempted SSH logins I see on my
> servers from all over the world, with most coming from Korea,
> China, and lately Brazil, to add to those from Germany and Russia
> [just some I recall from the whois queries] anything we can do
> to improve the security is a step forward.
> 
> In server environments security far outweighs all other
> considerations IMO.  
> 
> Bill
> 
> 
> 

Hey Bill, I have to agree with this.  But, if you don't mind my asking,
why do you allow SSH access from all over the planet?  For a server, why
not restrict the source IP to at least the same country that you are in?
Or even to the IP address blocks of the few people who need access to it?


-- 
Daniel Rudy
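Added example, not part of the thread and not from either poster: a small POSIX sh/awk script that does what Bill describes seeing by hand, namely counting failed sshd password attempts per source address from FreeBSD-style auth.log lines, and printing the sources over a threshold in a form that can be fed to a pf table. The log lines embedded in it are constructed samples (RFC 5737 documentation addresses), the hostname, PIDs and usernames are made up, and the pf table name `bruteforce` in the usage comment is assumed to exist.

```shell
#!/bin/sh
# Count "Failed password" sshd events per source IP and report repeat offenders.
# Constructed sample log lines in FreeBSD auth.log format (not real captures).
SAMPLE_LOG='Dec 20 09:18:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Dec 20 09:18:03 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 40113 ssh2
Dec 20 09:18:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 40114 ssh2
Dec 20 09:18:06 host sshd[1237]: Failed password for bill from 198.51.100.7 port 51002 ssh2
Dec 20 09:18:09 host sshd[1238]: Accepted publickey for bill from 198.51.100.7 port 51003 ssh2
Dec 20 09:18:11 host sshd[1239]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Dec 20 09:18:12 host sshd[1240]: Failed password for invalid user oracle from 192.0.2.44 port 33002 ssh2'

# failed_by_source: read log lines on stdin, print "<count> <ip>" per source,
# highest count first. Only sshd "Failed password" lines are counted; accepted
# logins and other daemons are ignored.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token following the literal "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only the addresses with at least THRESHOLD failures,
# one per line, which is the format pfctl accepts for a table file.
offenders() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage (run against a real log instead of the sample):
#   printf '%s\n' "$SAMPLE_LOG" | failed_by_source
#   printf '%s\n' "$SAMPLE_LOG" | offenders 3 > /tmp/ssh-offenders.txt
#   pfctl -t bruteforce -T add -f /tmp/ssh-offenders.txt   # assumes table <bruteforce> is defined in pf.conf
```

The threshold and table only block addresses that have already been noisy; the positive restriction the thread argues for is still done in sshd_config or the firewall, for example `AllowUsers bill@198.51.100.*` so that the wheel-capable account is accepted only from the expected network, with everything else denied by default.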


More information about the freebsd-security mailing list