[svlug] botnets
Rick Moen
rick at linuxmafia.com
Mon Jan 8 15:54:55 PST 2007
Just an afterthought:
Quoting Joe Buck (Joe.Buck at synopsys.COM):
> back in the Red Hat 6 days (I think), there was a hole in ssh that was
> widely exploited, and one of my colleagues had a home machine that was
> taken over; evidently the bad guy was using my colleague's box to
> attack other sites.
[...]
> The colleague in question was a highly capable developer, who tracked
> the issue down in detail.
The reason I raised the point is that it's often non-trivial to
determine the path of root compromise after the fact, and easy to fool
oneself.
That one other path of compromise I spoke of is interesting, and the
point's a little subtle, having to do with which end of an ssh tunnel
you expose your security tokens on: If you ssh into your hosts from
machines you don't personally control, then you're using an ssh client
of unknown trustworthiness, which is bad. Many people in that situation
(where you're in control of the far end, but the near end is someone
else's) will just use the client, and not dwell on the matter -- but
there's a better alternative: initiate ssh/scp processes _only_ from
the end you control, never (if avoidable) from the one you don't.
The sysadmin I spoke of avoidably violated that rule, sshing or scping
back into the corporate network from the external, non-trustworthy
public shell server to which he'd ssh'd out.