check_by_ssh question
Peter Gutmann
peter.gutmann at db.com
Mon Mar 29 17:12:43 CEST 2004
Your assumption that I am simply reciting the opening paragraphs of a book
on the introduction to computer security is simply false. While I have no
idea of your experience level with UNIX, networks, and the basic security
concepts (and you obviously have absolutely no idea of my experience), the
most basic concept is knowing what you are protecting. If you understood
what the purpose of the ssh tools was (to build an encrypted channel
between machines, http://www.openssh.com/goals.html ), you would know that it
can then be used to protect against snooping of the user ID, passwords, and
data from the wire. So, if you are looking to do authentication or detect
attack profiles with ssh, you are looking in the wrong place.
While you are sure that I have been reading (and reciting) the platitudes
(http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=platitudes&x=19&y=13)
posted on the Bugtraq mailing lists, you seem to be missing the point of
what I was saying. The best way to prevent an attack from your Nagios
monitoring host on the hosts that you are monitoring is to prevent the
initial attack on the Nagios monitoring host in the first place, because
once the bad guy has access to the box, that battle you are trying to fight
is lost (unless you added an intention bit to the TCP header :-). So, you
are looking to fight the wrong battle (i.e. bringing a knife to a gun
fight).
You seem to be making a very common and very basic mistake: not looking at
the whole problem. You seem to be looking at the piece of the puzzle
between that Nagios host and the hosts that you are watching. There is
simply no way to tell if the opening packets in a new TCP connection from
a machine (hosta) which is destined for the machine (hostb) are part of
your normal checks or the beginning of an attempted exploit of the machine
(ask the people from Network Flight Recorders, www.nfr.com). You could
attempt to correlate the initiation of a TCP connection to the monitored
host with the startup of the check_ssh executable. However, that would
consume a huge amount of resources for a very limited result (the easiest
way to defeat this would be to replace the check_ssh executable).
----
Peter Gutmann
Peter.Gutmann at db.com
Andreas Ericsson <ae at op5.se>
Sent by: nagios-users-admin at lists.sourceforge.net
03/27/2004 02:35 PM
To: nagios-users at lists.sourceforge.net
cc:
Subject: Re: [Nagios-users] check_by_ssh question
Peter Gutmann wrote:
> Why, no, I have not been following the thread from the beginning of time.
> Having just started getting Nagios set up here to watch some of our trading
> applications, I joined the mailing list within the last few days to learn
> a bit more about Nagios from other people that are using it.
>
You can read earlier postings on the thread in the archives.
> The security of a network is not obtained by any single action. However,
> it is obtained by understanding the needs of the applications and the
> environment that the applications live in, and when it is done best it
> looks a lot like an onion. The best way to look at it is to have defense
> in depth and not to rely on a single method of protecting yourself. This
> is where you have a number of different methods of protecting yourself and
> watching what is going on. The goal would be to have all of the pieces
> work together to tell you when something goes wrong, while you are still
> in a position to do something about it.
>
Thank you for reciting the opening paragraph of the latest 'security
consciousness' lecture you went to. Seems like something a CEO would
like to hear the company's money was spent on, while none but the very
freshest administrators would learn anything from it.
> While I STILL don't know anything about what you are looking to protect
> (other than you are concerned about Nagios being open) or the environment
> that it lives in, I am, to some extent, just guessing about what you
> are looking to accomplish and how much you are willing to put into it. If
> you are an ISP, that is a wholly different problem than protecting a
> trading floor, or protecting the network in the corner grocery. So, there
> are a number of layers to this onion called trust.
>
More smoke from the bag. General security discussions are held on
bugtraq, vuln-dev et al.
> I am suggesting that you implement screening routers that LOG unusual
> events as an ADDITION to all of the usual things for your environment.
> While I KNOW that this is not the whole answer, my reading of your e-mail
> was that you were looking for an application (even if you cover it with
> SSL) that does no authentication to tell you about problems. Perhaps I was
> wrong.
>
Yes, you were. We're discussing the specific dangers of running
check_by_ssh on a large number of hosts from the nagios server.
On a side note: suggest all you want, but please read the backlogs in
the mail archives first.
> Snort or another NIDS tool can watch the number of packets per unit time
> between hosts and flag ABOVE and below the threshold. In addition,
> trap and log ALL connection attempts and failed logins.
Network intrusion detection systems have been brought up and quite
firmly put down (from this discussion, that is), seeing as all they can
really do is let you know what went wrong, and when. We're looking to
prevent it from happening in the first place.
> BTW: Have you looked at IP/SEC? That is a way of authenticating (at a
> hardware level) a level of trust between machines.
>
IP/SEC faces the same problems as running SSH with public / private
keypairs (well, similar anyway). You can't allow one thing and disallow
another in a manner which is non-exploitable, seeing as the monitoring
process needs access rights enough to run applications on the remote host.
All it would really do is add another layer of encryption, which
actually might lessen security rather than tighten it (consider CBC vs
CFB).
> Peter
> ----
> Peter Gutmann
> Peter.Gutmann at db.com
>
>
--
Mvh / Best Regards
Sourcerer / Andreas Ericsson
OP5 AB
+46 (0)733 709032
andreas.ericsson at op5.se
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when
reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
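The disagreement above comes down to whether a key held by the Nagios host can be allowed to run the checks and nothing else. The script below is an added example, not code from this thread, from either poster, or from the Nagios project: it is an OpenSSH forced-command wrapper, installed on a monitored host and named in the command= option of the monitoring key's authorized_keys entry, so that sshd ignores the command the client sent, runs the wrapper instead, and passes the requested command in SSH_ORIGINAL_COMMAND. The wrapper checks the request against an allow-list of plugin names and a character allow-list for arguments, then execs the plugin directly with no shell in between. The key placeholder, the from= address 192.0.2.10, the wrapper path /usr/local/bin/nagios-wrapper and the plugin directory /usr/lib/nagios/plugins are all assumptions. It narrows what the key can do and logs refused requests to syslog; it does not change the point that whoever controls the monitoring host can still run the permitted checks.

```sh
#!/bin/sh
# Added example, not code from the thread or from Nagios: an OpenSSH
# forced-command wrapper limiting what the monitoring host's key may run.
# Install on the monitored host and reference it from the nagios user's
# authorized_keys (every value on the line below is an assumed placeholder):
#
#   from="192.0.2.10",command="/usr/local/bin/nagios-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> nagios@monitor
#
# sshd ignores the command the client asked for, runs this script instead,
# and hands the requested command over in SSH_ORIGINAL_COMMAND.

# Directory holding the plugins the monitoring host may run (assumed path).
PLUGIN_DIR=${PLUGIN_DIR:-/usr/lib/nagios/plugins}

# Allow-list of plugin basenames; anything else is refused.
ALLOWED_PLUGINS="check_disk check_load check_procs check_users"

# allowed_command CMD: returns 0 when CMD names an allow-listed plugin and
# its arguments consist only of harmless characters, 1 otherwise.
allowed_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    # A newline would let the grep below see two separate clean lines.
    nl='
'
    case $cmd in *"$nl"*) return 1 ;; esac
    # Character allow-list: letters, digits, space and a few option
    # characters. Shell metacharacters, quotes and globs never get past here.
    if printf '%s' "$cmd" | LC_ALL=C grep -q '[^A-Za-z0-9_ ./%=:,-]'; then
        return 1
    fi
    # The first word is the plugin; it must be a bare name, not a path.
    set -- $cmd
    case $1 in */*) return 1 ;; esac
    for p in $ALLOWED_PLUGINS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# main: validate SSH_ORIGINAL_COMMAND and exec the plugin directly. No shell
# re-interprets the arguments. Refusals go to syslog and are reported to
# Nagios as UNKNOWN (exit status 3).
main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if ! allowed_command "$req"; then
        logger -p auth.warning -t nagios-wrapper "refused request: ${req:-<empty>}" 2>/dev/null
        echo "UNKNOWN: command not permitted by monitoring wrapper"
        exit 3
    fi
    set -- $req
    plugin=$PLUGIN_DIR/$1
    shift
    exec "$plugin" "$@"
}

# Only dispatch when sshd invoked us; otherwise the file just defines functions.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    main
fi
```

With this entry in place, "ssh host check_disk -w 10% -c 5% -p /" from the Nagios host still works as check_by_ssh expects, while an interactive login, a different binary, or a request carrying a pipe or command substitution is refused and leaves an auth.warning line on the monitored host, which is something a screening router or a NIDS in front of the host cannot see inside the SSH session.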