[Fwd: [netops] Fwd: [Full-disclosure] [FIXED] Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)]

Aaron dell at microchp.org
Sun Jan 20 17:51:17 CST 2008


One of the simple solutions in a hosted environment is to have a couple 
of jump boxes that have hardened access (insert best practices here).  
You can then tunnel your connections to the DRACs through that.  
Whether that is your firewall, a VPN device, or a pseudo-VPN device such as 
a hardened Linux server, it does not really matter.  The poor person's 
method might be to have a Linux jump box running a port knocker and use 
two-way keys after that.  SSH can be locked down via numerous methods 
(disabling all but one cipher type, disabling announcing supported 
methods, AllowUsers/DenyUsers/DenyGroups someperson@198.81.129.148, 
requiring specific host keys, iptables, port knockers, etc.)  Unless all 
your servers crash at the same time, you should have SSH access to at 
least one of them.

I would never consider putting a DRAC or any other remote access vendor 
device on the net directly for reasons that would take too much typing.  
I am lazy, my coffee is getting cold and my hunter is about to level...



Drew Weaver wrote:
> In a regular IT environment you may be correct. In a hosted or distributed environment there is no one size fits all solution. Everything is a cost/performance/security/redundancy balance.
>
> From a crappy $69 Celeron with SSH right on the net to a cluster of 2X load-balanced quad Xeons at multiple POPs with VPNs/firewalls between them for $50k/month.
>
> The market wants what the market wants.
>
> On a side note: on our network (our IT side) you can't get to anything without at least authenticating through the firewall.
>
> -Drew
> -----Original Message-----
>
> From:  "vadim" <vadim at ovguide.com>
> Subj:  Re: [Fwd: [netops] Fwd: [Full-disclosure] [FIXED] Remote Denial of Service for SSH service at Dell DRAC4 (maybe Mocana SSH)]
> Date:  Sun Jan 20, 2008 5:16 pm
> Size:  1K
> To:  "bseklecki at collaborativefusion.com" <bseklecki at collaborativefusion.com>
> cc:  "Drew Weaver" <drew.weaver at thenap.com>; "linux-poweredge" <linux-poweredge at lists.us.dell.com>
>
> I concur - console is sensitive enough to be only accessible via
> internal net, no exceptions. Even if DRAC was secure, a risk of someone
> getting a password (old employee) and having a full reign of your
> servers is too crazy to fathom.
> -V
>
> Brian A. Seklecki (Mobile) wrote:
>   
>> You'd have to be crazy to put the DRAC card on a public IP.  Do you
>> really trust Dell embedded Linux? >:}
>>
>> Actually I would never run sshd(8) of any vendor on a public IP --
>> always behind an IPSec stateful firewall with some kind of IDS
>> inspection between end users(*) and something I care about.
>>
>> I pity all of these web services providers who have to run sshd(8)
>> public.  DenySSH + OpenBSD pf(4) baby!
>>
>> ~BAS
>>
>> (*) End users may be running Windows, which means keystroke loggers and
>> other malware.
>>
>> On Sat, 2008-01-19 at 19:00 -0500, Drew Weaver wrote:
>>     
>>> I think we have actually seen this happening on at least two PE1900 /w DRAC 5.
>>>
>>> -Drew
>>>
>>>       
>> _______________________________________________
>> Linux-PowerEdge mailing list
>> Linux-PowerEdge at dell.com
>> http://lists.us.dell.com/mailman/listinfo/linux-poweredge
>> Please read the FAQ at http://lists.us.dell.com/faq
>>     
>
>
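As an added example (not from anyone in this thread), a small Python check for the jump-box sshd_config points Aaron lists: exactly one cipher, key-only authentication, no root login, and AllowUsers entries restricted to user@host. The two config fragments are constructed samples, and the checks are assumptions I chose for a jump box, not OpenSSH's own validation; like sshd, the check honours the first occurrence of a keyword.

```python
"""Lint an sshd_config fragment against jump-box lockdown points."""
import re

# Constructed sample configs (hypothetical, not from the thread).
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-ctr,aes256-ctr,3des-cbc
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers aes256-ctr
AllowUsers someperson@198.81.129.148
"""


def parse_sshd_config(text):
    """Return {keyword_lower: [value, ...]} in file order, comments stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd allows 'Key value' or 'Key=value'
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def lint_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_sshd_config(text)
    first = lambda key: conf.get(key, [""])[0].lower()  # sshd uses the first occurrence
    findings = []
    if first("permitrootlogin") in ("", "yes"):
        findings.append("PermitRootLogin should be set to 'no' on a jump box")
    if first("passwordauthentication") in ("", "yes"):
        findings.append("PasswordAuthentication should be 'no'; use keys only")
    if len([c for c in first("ciphers").split(",") if c]) != 1:
        findings.append("Ciphers should list exactly one cipher")
    allow = conf.get("allowusers", [])
    if not allow:
        findings.append("AllowUsers is unset; restrict logins to named users")
    elif not all("@" in e for spec in allow for e in spec.split()):
        findings.append("every AllowUsers entry should be user@host")
    return findings
```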


