[BlueOnyx:12270] Re: Kernel 0-day vulnerability + SSHd Spam Exploit (libkeyutils.so.1.9)

David Hahn ml at sb9.com
Thu Feb 21 12:17:27 -05 2013


On 2/20/2013 9:34 PM, Chris Gebhardt - VIRTBIZ Internet wrote:
> On 2/20/2013 8:17 AM, Michael Stauber wrote:
>> ### A WHOLE LOT OF HELPFUL INFORMATION ###
> Hi Michael & Dan,
> Thanks for the research and sharing of the information.  I think that
> it's helpful.
>
> What I have done for our hosting network is created an ACL at the
> gateway router that restricts access to port 22 to only a couple of our
> IPs (our office LAN and one remote system).   Note that works best when
> you've got a static IP that you access your server(s) from.
>
> Any VIRTBIZ dedicated server or colocation customers that would like to
> discuss adding some similar restrictions at the gateway level, please
> touch base with me or Darryl off-list.  There are a couple of
> considerations that we'll want to cover before just rolling it in for you.
>
> Blocking with an ACL at a routing level is one of a handful of
> techniques that can be leveraged effectively.  I don't present it as the
> "only" or "best" option, since the "best" option will be the one that
> works most cleanly and efficiently for your particular purposes and set
> of circumstances.   In the case of our hosting network, it seems to be a
> pretty sensible option.
>
Not everyone has local access to the routers.

How about controlling access with the hosts files? We have always used them and install a small program that runs every 5 mins. on the user's site that registers only their IP address. Any shell login sends the system admin an email too. Working on a simple script to alert the admin if it sees the libkeyutils.so.1.9... If we find this, what should we do with it?
David
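A defensive check along the lines of the alert script described above, added here as an example and not code from the thread or the BlueOnyx project: it looks for libkeyutils.so.1.9 in the system library directories, asks rpm whether any installed package owns each copy, and mails a report when one is unowned. It assumes an RPM-based host with rpm(8) and mail(1) available; ADMIN_MAIL is a placeholder to replace.

```shell
#!/bin/sh
# Added example (not from the thread): look for libkeyutils.so.1.9 and report
# any copy that no installed package owns. Assumes an RPM-based host with
# rpm(8) and mail(1); ADMIN_MAIL is a placeholder to replace.

ADMIN_MAIL="${ADMIN_MAIL:-admin@example.invalid}"   # placeholder address
LIB_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# find_libkeyutils DIR...: print every libkeyutils.so.1.9 directly inside DIRs
find_libkeyutils() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -name 'libkeyutils.so.1.9' 2>/dev/null
    done
}

# owned_by_rpm FILE: succeed only if rpm knows a package that owns FILE.
# If rpm is absent we cannot vouch for the file, so treat it as unowned.
owned_by_rpm() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -qf "$1" >/dev/null 2>&1
}

# check_libkeyutils DIR...: print one line per hit; return 1 if any hit is
# not owned by a package, 0 otherwise. (Word splitting is acceptable here:
# system library paths contain no whitespace.)
check_libkeyutils() {
    rc=0
    for f in $(find_libkeyutils "$@"); do
        if owned_by_rpm "$f"; then
            echo "INFO: $f owned by $(rpm -qf "$f")"
        else
            echo "ALERT: $f is not owned by any installed package"
            rc=1
        fi
    done
    return $rc
}

# Run from cron with "--scan"; mails only when something suspicious is found.
if [ "${1:-}" = "--scan" ]; then
    report=$(check_libkeyutils $LIB_DIRS)
    if [ $? -ne 0 ]; then
        printf '%s\n' "$report" | mail -s "libkeyutils.so.1.9 alert on $(hostname)" "$ADMIN_MAIL"
    fi
fi
```

A cron entry such as `*/5 * * * * /usr/local/sbin/check_libkeyutils.sh --scan` gives the five-minute cadence mentioned above; the INFO lines let you confirm a legitimately packaged copy before acting on an ALERT.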
