[BlueOnyx:20942] Re: OpenSSH and PCI on 5208R

Greg Kuhnert gkuhnert at compassnetworks.com.au
Fri Apr 21 17:14:13 -05 2017


Even better, the new OpenVPN package availability is quite timely. I have not yet tried this, but it should be possible to use the new OpenVPN package, and lock down SSH from all sources except for the OpenVPN source IPs... Possibly even going further and locking down 81, 444, ftp, and a few more. That should make it easier to pass a network based PCI scan. Port is not open = pass :)

GK

> On 21 Apr 2017, at 3:04 am, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi Jim,
> 
>> Going out on a limb, is there a remote chance of getting openssh 7.4 on
>> this server that is still running 5208R, or would the only way to get to
>> that version be doing a full update to 5209R? I'm trying to avoid that.
> 
> Like Chris said: I'd rather not provide updated OpenSSH packages. There
> is no compelling reason to do so. But once started, I would have to
> continue providing updated OpenSSH PKGs until the EOL of the OS I offer
> them for.
> 
> As it is right now neither security nor missing "must have" features
> give a compelling incentive for that.
> 
> As for CVE-2016-10012: It's indeed such a non-issue that I can
> understand that RedHat puts a fix for it on the back burner.
> CVE-2016-10012 is only exploitable if the box is already hacked beyond
> rescue and then why would someone bother with hacking OpenSSH from the
> inside if he's already in?
> 
> Therefore the best advice would indeed be: Lock SSH down so that it's
> unreachable for IPs other than the ones you're using to connect to the
> box. Or turn it off and enable it via the GUI whenever you need it.
> 
> If you have APF installed you can easily do it this way:
> 
> In the list of open ports remove the SSH port from the list. It's
> usually port 22 unless you changed it. Then via the GUI add this line to
> the Allow Hosts rules:
> 
> tcp:in:d=22:s=<your-office-ip>
> 
> That will then allow TCP access to port 22 from <your-office-ip> and for
> anyone else SSH will appear to be closed.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
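As an added example (not from this thread, BlueOnyx, or APF itself), the two-step lockdown Michael describes, with the trusted-source list extended to the OpenVPN endpoint address Greg suggests, can be scripted and sanity-checked before it is pasted into the GUI. The rule format `tcp:in:d=<port>:s=<source>` is the one quoted above; everything else is an assumption: SSH on port 22, the two trusted addresses are constructed sample values, and the open-port list is taken to be in the comma-separated form used by APF's `IG_TCP_CPORTS` setting.

```shell
#!/bin/sh
# Added example, not from the list post, BlueOnyx or APF itself.
# Generates APF allow_hosts entries in the format quoted in the thread
# (tcp:in:d=<port>:s=<source>) for a fixed set of trusted source addresses,
# and checks that the SSH port has first been removed from the open-port list.
# Assumptions (hypothetical, constructed): SSH on port 22; trusted sources are
# an office IP and an OpenVPN endpoint IP; the open-port list is the
# comma-separated form used by APF's IG_TCP_CPORTS setting.

SSH_PORT=22

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  case $1 in
    */*) [ "${1#*/}" -le 32 ] || return 1 ;;
  esac
  addr=${1%%/*}
  old_ifs=$IFS; IFS=.
  set -- $addr          # split into the four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print one allow_hosts rule per trusted source; malformed entries are
# reported on stderr and skipped rather than written out as a broken rule.
allow_rules() {
  port=$1; shift
  for src in "$@"; do
    if is_ipv4 "$src"; then
      echo "tcp:in:d=${port}:s=${src}"
    else
      echo "skipping '$src': not an IPv4 address" >&2
    fi
  done
}

# Return 0 only if port $1 does NOT appear in the comma-separated open-port
# list $2. The thread's first step is to take 22 out of that list; otherwise
# the port stays reachable from everywhere regardless of allow_hosts.
port_not_open() {
  if echo "$2" | tr ',' '\n' | grep -qx "$1"; then
    return 1
  fi
  return 0
}

# Stand-alone usage with constructed values.
TRUSTED_SOURCES="203.0.113.10 198.51.100.7"   # office IP, OpenVPN endpoint IP
OPEN_PORTS="80,443,81,444"                     # SSH already removed from the list
if port_not_open "$SSH_PORT" "$OPEN_PORTS"; then
  echo "# port $SSH_PORT is not in the open-port list; allow_hosts rules:"
  # shellcheck disable=SC2086
  allow_rules "$SSH_PORT" $TRUSTED_SOURCES
else
  echo "# remove $SSH_PORT from the open-port list before adding allow rules" >&2
fi
```

The ordering check matters: an allow_hosts entry only narrows access once the port is gone from the globally open list, so the script refuses to emit rules while 22 is still there. The same functions work for the other ports Greg mentions (81, 444, ftp) by changing the port argument and the open-port string.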