On Wed, May 28, 2003 at 03:11:03PM +0000, Jason Lunz wrote:
> Maybe he didn't use the same method for all of them. With the tty
> sniffer, he could have sniffed passwords from the first box he cracked
> if he was lucky enough to catch an admin su'ing. Do the timestamps
> support that theory? (This is why ssh keys are good -- no secret of any
> kind ever exists on the server, so even if it's compromised the attacker
> can't sniff a password or secret key and use that to get into other
> machines).

That's occurred to me too. I think some password sniffing may be involved.

Question: Can one use a key *AND* a password? That would make me really happy. I just don't like getting ahold of a file or a password being enough...

> Also, how many people ssh into these machines? He could have control of
> the desktop machine of someone who has user access, and then use local
> holes to gain root once logged in as that user.

Server machines, no real desktop users. One of these was a firewall that pretty much only had SSH listening. *IF* it was hacked directly (rather than being compromised with a sniff'd password), then we've got something to target.

The timestamps don't support much of anything, since we don't really have many logs left (he's stupid, but not st00p1d). Our logging infrastructure is . . . improving.

Also, we're implementing grsecurity. I've been very impressed so far (and suspect 2.0 will be even better when it's stable).

Jayson
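An added example, not part of the thread: the "key AND password" requirement Jayson asks about is expressed in OpenSSH (6.2 and later) with the `AuthenticationMethods` directive, and this script audits an sshd_config for it using two constructed sample configs. It assumes a plain config with no `Match` blocks, which it does not evaluate.

```bash
#!/bin/sh
# Audit an sshd_config for "both a public key AND a password are required".
# Relies on the OpenSSH AuthenticationMethods directive (OpenSSH >= 6.2);
# Match blocks are ignored for simplicity.

sshd_directive() {
    # $1 = config file, $2 = keyword (case-insensitive). Prints the value of the
    # first uncommented occurrence, since sshd uses the first value it finds.
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

requires_key_and_password() {
    # Returns 0 only if every alternative list in AuthenticationMethods
    # contains both "publickey" and "password"; any weaker list, or no
    # directive at all, means a single secret can still log in.
    methods=$(sshd_directive "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for list in $methods; do
        case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$list," in *,password,*)  ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample configs (not from any real host).
WEAK_CFG=$(mktemp); STRONG_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# weak: a sniffed password alone is enough to log in
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$STRONG_CFG" <<'EOF'
# strong: the client must present a key, then also a password
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF

for cfg in "$WEAK_CFG" "$STRONG_CFG"; do
    if requires_key_and_password "$cfg"; then
        echo "$cfg: key AND password required"
    else
        echo "$cfg: a single secret still suffices"
    fi
done
```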