[BlueOnyx:20933] Re: OpenSSH and PCI on 5208R

Michael Stauber mstauber at blueonyx.it
Thu Apr 20 12:04:03 -05 2017


Hi Jim,

> Going out on a limb, is there a remote chance of getting openssh 7.4 on
> this server that is still running 5208R, or would the only way to get to
> that version be doing a full update to 5209R? I'm trying to avoid that.

Like Chris said: I'd rather not provide updated OpenSSH packages. There
is no compelling reason to do so. But once started, I would have to
continue providing updated OpenSSH PKGs until the EOL of the OS I offer
them for.

As it is right now neither security nor missing "must have" features
give a compelling incentive for that.

As for CVE-2016-10012: It's indeed such a non-issue that I can
understand that Red Hat puts a fix for it on the back burner.
CVE-2016-10012 is only exploitable if the box is already hacked beyond
rescue, and then why would someone bother with hacking OpenSSH from the
inside if he's already in?

Therefore the best advice would indeed be: Lock SSH down so that it's
unreachable for IPs other than the ones you're using to connect to the
box. Or turn it off and enable it via the GUI whenever you need it.

If you have APF installed you can easily do it this way:

In the list of open ports remove the SSH port from the list. It's
usually port 22 unless you changed it. Then via the GUI add this line to
the Allow Hosts rules:

tcp:in:d=22:s=<your-office-ip>

That will then allow TCP access to port 22 from <your-office-ip> and for
anyone else SSH will appear to be closed.

-- 
With best regards

Michael Stauber


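To see why the allow_hosts approach makes SSH look closed to everyone except the listed source, here is a small model of the decision the firewall ends up making. This is an added example, not BlueOnyx or APF code: the rule syntax (proto:in:d=port:s=source) follows the line quoted in the post, but the evaluation order (allow_hosts first, then the open-ports list, otherwise drop) and the sample addresses 203.0.113.5 and 198.51.100.7 are assumptions constructed for the example.

```python
"""Toy model of an APF-style allow_hosts rule versus the open-ports list.

Added example, not APF's own code.  The rule format follows the
'tcp:in:d=22:s=<ip>' line from the post; the decision order below
(allow_hosts match -> accept, port in open list -> accept, else drop)
is an assumption about how the firewall behaves, not taken from APF.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" or "out"
    dport: int        # destination port the rule applies to
    src: Optional[Network]  # None means "any source"


def parse_rule(line: str) -> Rule:
    """Parse one 'proto:direction:d=port:s=source' rule.

    A bare address in s= is treated as a /32 (or /128) network, so the
    office IP from the post matches exactly that one host.
    """
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed rule: {line!r}")
    proto, direction = fields[0].lower(), fields[1].lower()
    if proto not in ("tcp", "udp") or direction not in ("in", "out"):
        raise ValueError(f"unsupported proto/direction in {line!r}")
    dport: Optional[int] = None
    src: Optional[Network] = None
    for kv in fields[2:]:
        key, _, val = kv.partition("=")
        if key == "d":
            dport = int(val)
        elif key == "s":
            src = ipaddress.ip_network(val, strict=False)
        else:
            raise ValueError(f"unknown field {kv!r} in {line!r}")
    if dport is None:
        raise ValueError(f"rule needs d=<port>: {line!r}")
    return Rule(proto, direction, dport, src)


def decide(open_tcp_ports: Iterable[int], allow_hosts: Iterable[Rule],
           proto: str, dport: int, src_ip: str) -> str:
    """Return 'accept' or 'drop' for an inbound packet.

    'drop' is what makes the port appear closed to an outside scanner:
    nothing answers, so there is no banner and no RST.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in allow_hosts:
        if (rule.direction == "in" and rule.proto == proto
                and rule.dport == dport
                and (rule.src is None or src in rule.src)):
            return "accept"
    if proto == "tcp" and dport in set(open_tcp_ports):
        return "accept"
    return "drop"


# Constructed sample configuration: SSH removed from the open-ports list,
# one allow_hosts rule for the (hypothetical) office address.
OPEN_TCP_PORTS = {80, 443}
ALLOW_HOSTS = [parse_rule("tcp:in:d=22:s=203.0.113.5")]

if __name__ == "__main__":
    for proto, port, who in [("tcp", 22, "203.0.113.5"),   # office
                             ("tcp", 22, "198.51.100.7"),  # anyone else
                             ("tcp", 80, "198.51.100.7")]: # web stays open
        print(proto, port, who, "->",
              decide(OPEN_TCP_PORTS, ALLOW_HOSTS, proto, port, who))
```

A /24 or a second office address can be added as further allow_hosts lines in the same format; anything not matched falls through to the open-ports check, so removing 22 from that list is what actually closes the door.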
