Any network/security admins feeling extra tired this week? (1 Viewer)

[John Stone]

I sure am. Remote root exploits have been announced within the last few weeks for several of the most widely used DMZ network services: Apache, OpenSSH, and now the resolver libraries used in the nearly ubiquitous ICS BIND (among other things). It's been crazy trying to get all the servers I'm responsible for updated without breaking anything or causing loss of service. Unfortunately I think we're going to see a lot of hacked systems over the next several months. I hope things calm down a little so I can take a well-deserved long weekend after the 4th.

 

[Shayne Lebrun]

Good. Maybe this'll reinvigorate the market for us sysadmins, and I'll get a job.

 

[Kolya]

For once, I was glad that we run Win2k/IIS.

 

[Ryan Wright]

John - I spent 3 hours last week updating OpenSSH on the servers I'm responsible for. Forgot to compile it with PAM support the first time around (doh!) and had to re-do it all. Not fun.

 

[John Stone]

Forgot to compile it with PAM support the first time around (doh!) and had to re-do it all. Not fun.

A similar thing happened to me during one of my OpenSSH upgrades. This particular one happens to live on a Slackware box, and I forgot that Slackware distros require the --with-md5-passwords ./configure flag when compiling OpenSSH. That drove me nuts for a while. It's a damn good thing I kept my old SSH session open until I -HUP'd its parent process and tested, or I would have been going for a long drive. The little things can save so much time.

 

[Charles Bober]

I'm with ya Kolya. Maybe the market will rebound so I can finall get a job. 2 months now being unemployed and I'm going freakin' nuts.

 

[Micah Lloyd]

One of my great fears is HUP'ing the new sshd on one of my remote systems and have it fail, locking me out (especially troubling in that many of the systems I administer are 7,500 miles away...). I've learned to temporarily open telnet (with OPIE) during these updates.

 

[DonRoeber]

I'm glad I purposely run an old version of ssh (the ssh1 series, the way we use it, we're not vulnerable to the attack). Having to fix all of the apache installs sucked though. Our bind is okay too, because of the way we use it.

zlib a few months ago -really- sucked.

There've been a bunch of unix exploits recently. For awhile, we weren't getting any, and all of the NT guys were working OT. Ah well. Maybe we'll get some new platform agnostic denial of service attack in a few months. Always good to have something like that around when the students come back.

 

[Ryan Wright]

One of my great fears is HUP'ing the new sshd on one of my remote systems and have it fail, locking me out (especially troubling in that many of the systems I administer are 7,500 miles away...). I've learned to temporarily open telnet (with OPIE) during these updates.

You don't have serial consoles setup?! ALL of our machines are attached to a hardware based serial port server. If SSH or networking dies, I can telnet into that and access the machine through it's serial port. And that's just to save me from a measly 15 minute drive.

 

[Micah Lloyd]

You don't have serial consoles setup?!

Not everywhere (yet). I'm getting PortMasters/Lantronix boxes with multiple serial connections to all our systems... Telnet to the box and pick your console!

 

[John Stone]

I use a few Livingston PortMaster 2E's for serial access to most of the routers, switches, servers and IDSUs at our central office. Those PM2Es work great even after all these years. I am thinking of deploying some old laptops to some of our more remote locations for the same purpose. Nothing worse than locking yourself out of something in the middle of the night. :frowning:

 

[Micah Lloyd]

It's amazing; those PortMasters can be picked up for under $100 on ebay... Remember what they went for new?!?