[BlueOnyx:15096] Re: Securing against invading spammers
Michael Stauber
mstauber at blueonyx.it
Sun Apr 6 12:24:27 -05 2014
Hi Maurice,
> I was particularly surprised by the (quote) "As it turns out, you also do
> not need a valid shell to use SSH tunnels."
Indeed, that is a nasty little bugger.
I've seen a variation of this attack in the last year, but that one
requires a valid shell, so that was rather a no-brainer compared to
this. Basically someone was using SSH remote command execution to
execute email sending on the server. But as said: That requires a
working shell and shows up in wtmp.
So I think it will be a wise idea to disallow "AllowTCPForwarding" in
sshd_config. I'll modify our base-ssh.mod in that regard.
It is possible to set certain SSH options on a per-user basis in
sshd_config - such as this:

    Match User xyz
        X11Forwarding no
        AllowTcpForwarding no

But I don't want to go there and add these for all users that don't have
a valid shell. Let us turn off AllowTcpForwarding altogether.
--
With best regards
Michael Stauber
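
An added example, not part of the original post or of BlueOnyx's code: a small audit of sshd_config text that reports where TCP forwarding is still permitted, covering both the global setting and per-user `Match` blocks discussed above. The sample configs and the group name `tunnel-admins` are constructed for illustration, and the parser assumes a single file (it does not follow `Include`).

```python
# Constructed sample configs (not taken from a real host).
WEAK = """\
# No global AllowTcpForwarding line, so sshd uses its default (yes)
X11Forwarding no
Match User xyz
    X11Forwarding no
    AllowTcpForwarding no
"""
HARDENED = """\
AllowTcpForwarding no
Match Group tunnel-admins
    AllowTcpForwarding local
"""

def audit_forwarding(config_text):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value = None
    block = None      # criteria of the current Match block; None = global section
    overrides = {}    # first value seen per Match block, in file order
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, arg = parts[0].lower(), parts[1]   # keywords are case-insensitive
        if keyword == "match":
            block = " ".join(arg.split())
        elif keyword == "allowtcpforwarding":
            value = arg.split()[0].lower()
            if block is None:
                if global_value is None:            # first obtained value wins
                    global_value = value
            else:
                overrides.setdefault(block, value)
    return global_value or "yes", list(overrides.items())

def findings(config_text):
    """List the places where TCP forwarding is still permitted."""
    global_value, overrides = audit_forwarding(config_text)
    out = []
    if global_value != "no":
        out.append(f"global: AllowTcpForwarding {global_value}")
    for criteria, value in overrides:
        if value != "no":
            out.append(f"Match {criteria}: AllowTcpForwarding {value}")
    return out

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, findings(text))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing config files offline.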