On Thu, Dec 13, 2018 at 09:25:25AM +0100, Kollar Arpad wrote:
> https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/
> 
> ESET researchers discovered a set of previously undocumented Linux malware 
> families based on OpenSSH. In the white paper, “The Dark Side of the 
> ForSSHe”, they release analysis of 21 malware families to improve the 
> prevention, detection and remediation of such threats

Yes, researchers have found these things in the wild. The thing that irritates
me no end is that the way this is written, one could be led to believe that the
malware just magically appears on your box.

> Any creative hints to defend against these kind of threats? 

Creative hints? No. The best defence is as always,

        PATCH YOUR SHIT!

(As in, install all relevant updates that come from trusted sources.)

Keep your systems up to date, do not install new, improved versions of anything
from sources other than the trusted repositories, do not muck around with config
options you don't understand, and oh

        PATCH YOUR SHIT!

(Again as in, install all relevant updates that come from trusted sources.)

I could go on about not allowing root logins, going to keys-only logins, and
various other things; my meta-rant wrapped around several articles on the
"Hail Mary Cloud" password guessing episodes is at
https://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html
(TL;DR: it all started with a dodgy binary off a Debian system) and has a few
other points in the summary pieces.

The other suggestions you have are mostly not relevant in an OpenBSD
environment and, to my mind at least, just add complexity for no real gain. If
you for some reason want to stick to passwords, longer ones *are* better, but
AFAIK code changes to passwd are not necessary just to accommodate that, as long
as you can live with a max length of 128 characters (which is the current limit
if I read http://man.openbsd.org/passwd correctly).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
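The two sshd settings the reply above mentions (no root logins, keys-only logins), as an added check that is not part of the original mail: it reads the effective configuration in the "key value" form that `sshd -T` prints and flags the weak values. The two sample configurations below are constructed; on a live host you would feed it the real `sshd -T` output instead.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks an sshd effective
# configuration (the "key value" lines printed by `sshd -T`) for the two
# settings the reply recommends: no root logins and key-only authentication.
# Returns 0 when both are hardened, 1 otherwise, and prints each finding.
check_sshd_config() {
    # $1: file containing `sshd -T` style output
    status=0
    root=$(awk 'tolower($1)=="permitrootlogin" {print $2}' "$1")
    pw=$(awk 'tolower($1)=="passwordauthentication" {print $2}' "$1")
    case "$root" in
        no) ;;
        *)  printf 'WEAK: permitrootlogin=%s (want no)\n' "${root:-unset}"; status=1 ;;
    esac
    case "$pw" in
        no) ;;
        *)  printf 'WEAK: passwordauthentication=%s (want no)\n' "${pw:-unset}"; status=1 ;;
    esac
    return $status
}

# Constructed sample of `sshd -T` output with the weak settings in place.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
EOF

# Constructed sample of the same host after hardening.
hard_cfg=$(mktemp)
cat > "$hard_cfg" <<'EOF'
port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
EOF

# On a live host: sshd -T > /tmp/effective && check_sshd_config /tmp/effective
check_sshd_config "$weak_cfg" || echo "weak config flagged"
check_sshd_config "$hard_cfg" && echo "hardened config OK"
```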
