SSHowDowN

SSHowDowN

Peter Janos
shouldn't the default be "no" for the AllowTcpForwarding? Why is an
insecure option "yes" by default?
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
Thanks.

Re: SSHowDowN

Solene Rapenne
On 2016-10-18 10:35, Peter Janos wrote:
> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
> insecure option "yes" by default?
> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
> Thanks.

from sshd_config(5)

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The available
             options are yes (the default) or all to allow TCP forwarding, no
             to prevent all TCP forwarding, local to allow local (from the
             perspective of ssh(1)) forwarding only or remote to allow remote
             forwarding only.  Note that disabling TCP forwarding does not
             improve security unless users are also denied shell access, as
             they can always install their own forwarders.
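To make the man page wording concrete, here is an added example (written for this page; it is not OpenSSH code and not something a poster contributed) that evaluates which AllowTcpForwarding value sshd would apply to a given account. It assumes a simplified model of sshd_config(5) semantics: in the global section the first value given for a keyword wins, and a "Match User" block overrides the global value for matching users, the first matching block winning; every other Match criterion is rejected rather than silently ignored. The two configurations and the account names are constructed for the example. The "shipped" config never mentions the keyword, so the built-in default "yes" applies to the admin account; the "hardened" one denies forwarding (and a TTY) to that account only, leaving ordinary users untouched.

```python
"""Evaluate the effective AllowTcpForwarding value for a user from an
sshd_config text.  Added example, not OpenSSH code: it models only a subset
of sshd_config(5) semantics (assumption: global section where the first
value of a keyword wins, plus "Match User" blocks whose keywords override
the global ones, first matching block winning)."""
from fnmatch import fnmatch
import shlex

# sshd's built-in default when the keyword never appears (sshd_config(5))
DEFAULT_ALLOW_TCP_FORWARDING = "yes"


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); match_blocks is a list of
    (user_patterns, opts) tuples in file order.  Keywords are lower-cased."""
    global_opts = {}
    match_blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            if len(args) != 2 or args[0].lower() != "user":
                # Only "Match User <patterns>" is modelled here (assumption)
                raise ValueError("unsupported Match criteria: %s" % line)
            current = (args[1].split(","), {})
            match_blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        # sshd_config(5): for each keyword, the first obtained value is used
        target.setdefault(keyword, " ".join(args))
    return global_opts, match_blocks


def effective_option(text, keyword, user, default=None):
    """Value of `keyword` that sshd would apply to a session of `user`."""
    keyword = keyword.lower()
    global_opts, match_blocks = parse_sshd_config(text)
    for patterns, opts in match_blocks:
        if keyword in opts and any(fnmatch(user, p) for p in patterns):
            return opts[keyword]
    return global_opts.get(keyword, default)


def can_bounce_through_server(text, user):
    """True when the user may open outbound TCP connections via the server
    (local forwarding, ssh -L/-D from the client's point of view), which is
    the "bounce" the thread is concerned about."""
    value = effective_option(text, "AllowTcpForwarding", user,
                             DEFAULT_ALLOW_TCP_FORWARDING)
    return value.lower() in ("yes", "all", "local")


# Constructed sample: a shipped config that never mentions the keyword,
# so the built-in default "yes" applies to every account, admin included.
SHIPPED_CONFIG = """
Port 22
PermitRootLogin no
"""

# Constructed sample: the same config plus a Match block for the device's
# "admin" account, which the report says only has /sbin/nologin as shell.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
Match User admin
    AllowTcpForwarding no
    PermitTTY no
"""

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        for user in ("admin", "alice"):
            value = effective_option(cfg, "AllowTcpForwarding", user,
                                     DEFAULT_ALLOW_TCP_FORWARDING)
            print(name, user, value, can_bounce_through_server(cfg, user))
```

Note that "local" still counts as bounce-capable: from the client's perspective a local forward is exactly the "connect out through the server" case, so only "no" or "remote" closes it for an account that cannot get a shell.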

Re: SSHowDowN

Christian Gruhl
On 10/18/2016 10:41 AM, Solène Rapenne wrote:
> On 2016-10-18 10:35, Peter Janos wrote:
>> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
>> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
>>
>> Thanks.
>
> from sshd_config(5)
>
>      AllowTcpForwarding
>              Specifies whether TCP forwarding is permitted.  The available
>              options are yes (the default) or all to allow TCP forwarding, no
>              to prevent all TCP forwarding, local to allow local (from the
>              perspective of ssh(1)) forwarding only or remote to allow remote
>              forwarding only.  Note that disabling TCP forwarding does not
>              improve security unless users are also denied shell access, as
>              they can always install their own forwarders.
>

Also the article states that "We checked our factory-defaulted device
and noticed that the “admin:admin” credential pair allows
us to connect to the web-based configuration interface."

Using such a weak password is more likely the problem than the enabled
TCP forwarding.

Re: SSHowDowN

Peter Janos
Sometimes I send mails in HTML format, sorry for that; mail.com has this by
default.

So the PDF also states that the "admin" user had /sbin/nologin as shell.

------------------
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
 AllowTcpForwarding
    Specifies whether TCP forwarding is permitted. The available options are
yes (the default) or all to allow TCP forwarding, no to prevent all TCP
forwarding, local to allow local (from the perspective of ssh(1)) forwarding
only or remote to allow remote forwarding only. Note that disabling TCP
forwarding does not improve security unless users are also denied shell
access, as they can always install their own forwarders.
------------------
-->>
Note that disabling TCP forwarding does not improve security unless users are
also denied shell access

so having AllowTcpForwarding=NO would help.

Why is it yes by default? Did someone request it to be yes? Does anybody know?

Thanks.
 


Sent: Tuesday, October 18, 2016 at 10:46 AM
From: "Christian Gruhl" <[hidden email]>
To: [hidden email]
Subject: Re: SSHowDowN
On 10/18/2016 10:41 AM, Solène Rapenne wrote:
> On 2016-10-18 10:35, Peter Janos wrote:
>> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
>> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
>>
>> Thanks.
>
> from sshd_config(5)
>
>      AllowTcpForwarding
>              Specifies whether TCP forwarding is permitted.  The available
>              options are yes (the default) or all to allow TCP forwarding, no
>              to prevent all TCP forwarding, local to allow local (from the
>              perspective of ssh(1)) forwarding only or remote to allow remote
>              forwarding only.  Note that disabling TCP forwarding does not
>              improve security unless users are also denied shell access, as
>              they can always install their own forwarders.
>

Also the article states that "We checked our factory-defaulted device
and noticed that the “admin:admin” credential pair allows
us to connect to the web-based configuration interface."

Using such a weak password is more likely the problem than the enabled
TCP forwarding.

Re: SSHowDowN

Christian Gruhl
On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default..
>
> so the PDF also states that the "admin" user had /sbin/nologin for shell
>
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
>
> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?
>
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
That should allow you to prevent the forwarding as well.

Using TCP forwarding allows establishing secure tunnels between
systems that are not directly reachable without the need for a full-blown
VPN. But this is just my opinion.

Re: SSHowDowN

Peter Janos
Having the username as the password is, yes, almost the biggest retarded idiotism
in 2016, but disabling AllowTcpForwarding by default could help a little, and a
little in this case is big.

I hope this admin user doesn't have permission to change shell, etc. And in
this general case (IoT), they have /sbin/nologin, so hopefully not.

That's why AllowTcpForwarding=no by default could help in general.

heck, it even has a CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1653



Sent: Tuesday, October 18, 2016 at 11:05 AM
From: "Christian Gruhl" <[hidden email]>
To: [hidden email]
Subject: Re: SSHowDowN
On 10/18/2016 10:56 AM, Peter Janos wrote:
> sometimes I send mails in HTML format, sorry for that, mail.com has this by
> default..
>
> so the PDF also states that the "admin" user had /sbin/nologin for shell
>
> ------------------
> http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
...
> Note that disabling TCP forwarding does not improve security unless users are
> also denied shell access
>
> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?
>
> Thanks.

See the DenyUsers option for sshd_config:
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5
That should allow you to prevent the forwarding as well.

Using TCP forwarding allows establishing secure tunnels between
systems that are not directly reachable without the need for a full-blown
VPN. But this is just my opinion.
 

Re: SSHowDowN

Theo de Raadt
In reply to this post by Peter Janos
> shouldn't the default be "no" for the AllowTcpForwarding? Why is an
> insecure option "yes" by default?
> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
> Thanks.
>

this comes up post-authentication

if someone is authenticated, they can do just about everything else also

Frankly, I don't think you have got a clear picture of the problem, which
is that even if we disable this, vendors will simply re-enable it anyway
and nothing changes.

Re: SSHowDowN

Christian Weisgerber
In reply to this post by Peter Janos
On 2016-10-18, "Peter Janos" <[hidden email]> wrote:

> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?

It has always been like this.  OpenSSH inherited it from Ylönen-SSH.

In the beginning, OpenSSH didn't even have a configuration option
to disable port forwarding.  Sixteen years ago Markus committed the
diff I had submitted that added the AllowTcpForwarding option.

------------------->
CVSROOT:        /cvs
Module name:    src
Changes by:     [hidden email]  2000/10/14 06:12:09

Modified files:
        usr.bin/ssh    : servconf.c servconf.h serverloop.c session.c
                         sshd.8

Log message:
AllowTcpForwarding; from naddy@
<-------------------

At the time I was running an AnonCVS server and I had realized that
the anonymously connecting clients could use port forwarding to
bounce TCP connections off the server.

--
Christian "naddy" Weisgerber                          [hidden email]

Re: SSHowDowN

Peter Janos
Wow, thanks for the reply!


"At the time I was running an AnonCVS server and I had realized that
the anonymously connecting clients could use port forwarding to
bounce TCP connections off the server."


Was this fixed in the meantime?

 

Sent: Tuesday, October 18, 2016 at 5:01 PM
From: "Christian Weisgerber" <[hidden email]>
To: [hidden email]
Subject: Re: SSHowDowN
On 2016-10-18, "Peter Janos" <[hidden email]> wrote:

> so having AllowTcpForwarding=NO would help.
>
> Why is it yes by default? someone requested it to be yes? does anybody know?

It has always been like this. OpenSSH inherited it from Ylönen-SSH.

In the beginning, OpenSSH didn't even have a configuration option
to disable port forwarding. Sixteen years ago Markus committed the
diff I had submitted that added the AllowTcpForwarding option.

------------------->
CVSROOT:        /cvs
Module name:    src
Changes by:     [hidden email]  2000/10/14 06:12:09

Modified files:
        usr.bin/ssh    : servconf.c servconf.h serverloop.c session.c
                         sshd.8

Log message:
AllowTcpForwarding; from naddy@
<-------------------

At the time I was running an AnonCVS server and I had realized that
the anonymously connecting clients could use port forwarding to
bounce TCP connections off the server.

--
Christian "naddy" Weisgerber [hidden email]