HECnet January 2014

hecnet@lists.dfupdate.se

33 participants
257 discussions

Re: [DECtec] NTP vulnerability in VMS 8.3

by system＠TMESIS.COM

Sampsa Laine <sampsa at mac.com> writes: On 8 Jan 2014, at 22:30, Bob Armstrong <bob at jfcl.com> wrote: I've seen idiots attacking ... via the SSH connection,=20 =20 FWIW, I've put all my public SSH ports on non-standard port numbers. = It's pretty much eliminated all the attacks. =20 I think most of these attackers are bots and script kiddies, and they = only try the well known ports. =20 Bob =20 =20 =20 I personally run sshd in pubkey auth mode only, and when I see login = attempts, I bombard the source IP with packets using nmap. Tends to stop = them in about 30-90 secs. You'd still be beter off running it on a non-standard port. Also, doing onto others as they do on to you should be reserved only for good tasks; bombing the source is a good way to get them to really go after you and your systems. -- VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG Well I speak to machines with the voice of humanity.

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by bob＠jfcl.com

I personally run sshd in pubkey auth mode only, Oh - I forgot, I do that too. No keyboard authentication allowed. Bob

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by sampsa＠mac.com

On 8 Jan 2014, at 22:30, Bob Armstrong <bob at jfcl.com> wrote: I've seen idiots attacking ... via the SSH connection, FWIW, I've put all my public SSH ports on non-standard port numbers. It's pretty much eliminated all the attacks. I think most of these attackers are bots and script kiddies, and they only try the well known ports. Bob I personally run sshd in pubkey auth mode only, and when I see login attempts, I bombard the source IP with packets using nmap. Tends to stop them in about 30-90 secs.

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by bob＠jfcl.com

I've seen idiots attacking ... via the SSH connection, FWIW, I've put all my public SSH ports on non-standard port numbers. It's pretty much eliminated all the attacks. I think most of these attackers are bots and script kiddies, and they only try the well known ports. Bob

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by gregg.drwho8＠gmail.com

Hello! The few times I've seen idiots attacking (or even trying to attack) my (What else?) Linux setup via the SSH connection, I imagine them being forced to walk across a desert, with limited supplies. It definitely should be legal. I'm thinking defenestration. ----- Gregg C Levine gregg.drwho8 at gmail.com "This signature fought the Time Wars, time and again." On Wed, Jan 8, 2014 at 1:52 PM, Brian Schenkenberger, VAXman- <system at tmesis.com> wrote: Dave McGuire <mcguire at neurotica.com> writes: Yep...some little fucker hosed my network with exactly that bug yesterday, but against a UNIX box. It should be legal to kill these people. ... slow and painfully too! -- VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG Well I speak to machines with the voice of humanity.

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by system＠TMESIS.COM

Dave McGuire <mcguire at neurotica.com> writes: Yep...some little fucker hosed my network with exactly that bug yesterday, but against a UNIX box. It should be legal to kill these people. ... slow and painfully too! -- VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG Well I speak to machines with the voice of humanity.

10 years, 10 months

Re: [DECtec] NTP vulnerability in VMS 8.3

by mcguire＠neurotica.com

Yep...some little fucker hosed my network with exactly that bug yesterday, but against a UNIX box. It should be legal to kill these people. Anyway, just build ntpd v4.2.7 to replace whatever version you're running. -Dave On 01/08/2014 01:29 PM, Ian McLaughlin wrote: Hello all, Just got an interesting report of a machine of mine with a public IP address that has a vulnerability in NTP that can be used for amplification attacks. I've attached a snippet of the report I was given at the end of this email. If this was Linux, then I'd have no problems dealing with this. However, for VMS I have no idea. Anyone else run in to this? Is there a patch available? I'm running OpenVMS 8.3 with no patches. Thanks in advance for any assistance, and anyone else running public-facing might want to see if this affects them. Ian (snippet follows) In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. CCIRC has received a report indicating a NTP server(s) from your organization could be potentially used in distributed denial of service attacks. In this case, the NTP server is likely open to 'get monlist' requests, which can be leveraged by malicious actors in reflected distributed denial of service attacks. Organizations should consider testing and deploying the latest version of NTP, which does not use the "monlist" command, at the earliest opportunity. If upgrading to the latest version is not immediately feasible, access to the "monlist" command should be disabled. CCIRC recommends organizations review common best practices to harden NTP servers or disable the service if it is not required. Additional guidance on NTP hardening can be found at the following reference: http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html For more information on this method of attack, please review the following references: https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300 CVE-2013-5211 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211 -- Dave McGuire, AK4HZ New Kensington, PA

10 years, 10 months

NTP vulnerability in VMS 8.3

by ian＠platinum.net

Hello all, Just got an interesting report of a machine of mine with a public IP address that has a vulnerability in NTP that can be used for amplification attacks. I've attached a snippet of the report I was given at the end of this email. If this was Linux, then I'd have no problems dealing with this. However, for VMS I have no idea. Anyone else run in to this? Is there a patch available? I'm running OpenVMS 8.3 with no patches. Thanks in advance for any assistance, and anyone else running public-facing might want to see if this affects them. Ian (snippet follows) In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. CCIRC has received a report indicating a NTP server(s) from your organization could be potentially used in distributed denial of service attacks. In this case, the NTP server is likely open to 'get monlist' requests, which can be leveraged by malicious actors in reflected distributed denial of service attacks. Organizations should consider testing and deploying the latest version of NTP, which does not use the "monlist" command, at the earliest opportunity. If upgrading to the latest version is not immediately feasible, access to the "monlist" command should be disabled. CCIRC recommends organizations review common best practices to harden NTP servers or disable the service if it is not required. Additional guidance on NTP hardening can be found at the following reference: http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html For more information on this method of attack, please review the following references: https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300 CVE-2013-5211 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211

10 years, 10 months

CREATE/TERM gives strange error messages about protocol versions...

by hawk＠hawk.ro

On Jan 7, 2014, at 16:30, Brian Schenkenberger, VAXman- wrote: Johnny Billquist <bqt at softjar.se> writes: On 2014-01-07 14:09, Brian Schenkenberger, VAXman- wrote: Sampsa Laine <sampsa at mac.com> writes: Before this, I did an "xhost +" and ssh'd into RHESUS with X forwarding on. {RHESUS$} create/term X11 connection rejected because of wrong authentication. X connection to _WSA48: broken (explicit kill or server shutdown). X Error of failed request: BadConnection (fatal error on display connection) Major opcode of failed request: 1 (X_CreateWindow) Serial number of failed request: 0 Current serial number in output stream: 0 %XLIB-E-ERROREVENT, error event received from server Xlib: client uses different protocol version (11) than server (0)! %DECW-E-CANT_OPEN_DISPL, Can't open display Any idea what is causing this? Server and version? (Assuming you're using your Mac? OSX ???) VMS Arch/Versions? (Assuming a VAX? VMS V?.? TCPIP???)

10 years, 10 months

CREATE/TERM gives strange error messages about protocol versions...

by system＠TMESIS.COM

Johnny Billquist <bqt at softjar.se> writes: On 2014-01-07 14:09, Brian Schenkenberger, VAXman- wrote: Sampsa Laine <sampsa at mac.com> writes: Before this, I did an "xhost +" and ssh'd into RHESUS with X forwarding on. {RHESUS$} create/term X11 connection rejected because of wrong authentication. X connection to _WSA48: broken (explicit kill or server shutdown). X Error of failed request: BadConnection (fatal error on display connection) Major opcode of failed request: 1 (X_CreateWindow) Serial number of failed request: 0 Current serial number in output stream: 0 %XLIB-E-ERROREVENT, error event received from server Xlib: client uses different protocol version (11) than server (0)! %DECW-E-CANT_OPEN_DISPL, Can't open display Any idea what is causing this? Server and version? (Assuming you're using your Mac? OSX ???) VMS Arch/Versions? (Assuming a VAX? VMS V?.? TCPIP???)

10 years, 10 months

← Newer
1
...
16
17
18
19
20
21
22
...
26
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

HECnet January 2014