/g/ - Technology
File: 1708755172014144.png (1.78 MB, 1024x1024)
OHNONONONO LINUXSISTERS???

>regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
(CVE-2024-6387)

https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
>>
>>101226818
based on their docs, one could limit exposure by
- limiting number of SYN packets per min with iptables
- temporarily reduce maxstartups
- put ssh on a high port, eliminating all bot noise and only allowing targeted attacks
- or simply don't expose sshd, use a vpn. tinc-vpn.org for an open source vpn that has dynamic user-space mesh routing.
- or use iptables recent module to enable a redneck poor persons port knocking
- or use port knocking.

plenty of ways to stop this until it is patched.
>>
>>101226890
LINUX BTFO
>>
>>101226818
kill [sshd-pid]
was it that hard?

but just in case:
firewalld disable ssh
>>
>>101226959
I did that and disconnected. Now I can't connect to my server. Help???
>>
>>101226818
>OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001.
There is something beautiful about controlling your entire OS software stack.
>>
>>101226890
>- put ssh on a high port, eliminating all bot noise and only allowing targeted attacks
this doesn't work for me
I do have ssh on a high port, 60001, and I still get like 1000 requests a day
all of them blocked because I put geoip, really hope it's enough to stop it
>>
File: 510.jpg (158 KB, 901x1201)
>>101226818
>on glibc-based Linux systems
so this doesn't affect openbsd?
>>
>>101226966
ANOTHER LINUX LUSER FALLS VICTIM TO THE CLI
>>
>>101226972
MISINFORMATION ABOUND IN THE LINUX COMMUNITY
>>
>>101226976
see >>101226967
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
>OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.
>>
what the fuck are those cringe quotes? what a bunch of masturbating monkeys
>>
Dropbear chads rise up
>>
>>101226818
musl keep on winning
>>
>>101227171
also, would hardened_malloc with glibc be affected?
>>
>>101227045
KEK
>>
>>101226818
>This vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack.
so it's a nothingburger

in any case the only exposed server I have is running RHEL 8 which is not affected
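The advisory quoted above says a successful exploit needs many attempts. Each failed attempt is a connection that sits unauthenticated until LoginGraceTime expires, and sshd logs that as "Timeout before authentication for <ip> port <n>", so a burst of those lines from one source is a usable detection signal. Added example, not from anyone in this thread; the log lines are constructed and the 20-per-10-minutes threshold is an assumption to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd grace-period timeout message in classic syslog format.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[\d.:a-fA-F]+) port \d+"
)

# Constructed sample: 25 timeouts from one source in five minutes,
# one stray timeout from another, and an unrelated successful login.
SAMPLE_LOG = [
    f"Jul  1 03:{10 + i // 6:02d}:{(i % 6) * 10:02d} host sshd[{4000 + i}]: "
    f"Timeout before authentication for 203.0.113.7 port {40000 + i}"
    for i in range(25)
] + [
    "Jul  1 03:12:01 host sshd[4100]: Timeout before authentication for 198.51.100.9 port 51000",
    "Jul  1 03:14:22 host sshd[4101]: Accepted publickey for admin from 192.0.2.4 port 50022 ssh2",
]

def parse_timeouts(lines, year=2024):
    """Yield (timestamp, source_ip) for every grace-timeout line (syslog has no year)."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def burst_sources(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak count in any sliding window} for sources at or over threshold."""
    per_ip = defaultdict(list)
    for ts, ip in parse_timeouts(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(burst_sources(SAMPLE_LOG))  # {'203.0.113.7': 25}
```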
>>
people used to be able telnet into systems and no-one was interested
>>
>>101226972
I have ssh on a high port and have not received a single packet other than my own in 25 years. Must be something special about 60001. I know how to break the bots but no idea if the comment system here will let me post it. Going to make covfefe first.
>>
>>101226818
>Ubuntu 20 LTS - not vulnerable
LTS chads won again.
Updooters get the rope.
>>
>>101228097
>>101228775
This.
>>
Add this to sshd_config (test it first locally) to break some bots

VersionAddendum                " \/\      .:.:.:.:.:. ! Lick The RoodyPoo Butthole Sassy Mansy ! .:.:.      /\/  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ... .... ..... ...... .............  .. .. .. ..    "
>>
>>101228828
Then add this to your iptables raw table section to break some more bots
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "SSH-2.0-libssh" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "SSH-2.0-Go" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "SSH-2.0-JSCH" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "SSH-2.0-Gany" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "ZGrab" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "MGLNDD" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "amiko" --algo bm --from 10 --to 60 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] -m string --string "OpenSSH_4" --algo bm --from 10 --to 60 -j DROP
>>
>>101228855
Before all that in the raw table, insert
-A PREROUTING -d [your wan ip] -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss ! --mss 1220:1460 -j DROP

do a tcpdump before you ssh and tighten up that mss range to something closer to what you use. 1460 alone is ideal, but if you ssh from your phone that will vary.

If you only ssh from a workstation using mac, bsd or linux you can also drop bots based on TTL.

-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -d [your wan ip] --syn -m ttl --ttl-gt 64 -j DROP


most bots are on wireless devices with a TTL greater than 200. Windows is 128. If you ssh from windows, change 64 to 128.
>>
>>101228930
That breaks stream isolation.
>>
>>101228937
that's a ghostbusters movie thing.
>>
>>101228937
it's 2024. crossing streams is not gay, and even if it were that'd be okay.
>>
>>101226890
>- put ssh on a high port, eliminating all bot noise and only allowing targeted attacks
lol, lmao even.
>>
>>101229143
works on my 50k+ servers.
>>
>>101229166
you only have 65535 ports available brohemoth, I'm hitting all of them.
>>
File: DARPA_100025.png (530 KB, 641x636)
>>101229204
And that is called a targeted attack. You would be in the 0.00000000000000000001% thus, not part of the "noise". I can safely never see the noise. I can stroll on teh beach, zoink zoink.
>>
>>101229228
that's not a targeted attack lmao, every internet connected device is being probed at every minute of every day. have you even checked your logs?
>>
File: DARPA_100019.png (973 KB, 1024x1024)
>>101229269
>have you even checked your logs?
Yes, your scanning tools that scan the entire internet are 100% dropped by the raw table rules I pasted above. wamp wamp
>>
>>101229301
no
>>
>>101229309
>no
yes
>>
>>101229314
oh ok then, carry on.
>>
File: DARPA_100024.png (556 KB, 750x743)
>>101229326
carrying on and remaining calm
>>
>>101226890
first post stupidest post

get patched or (if you absolutely can't update) change the LoginGraceTime to 0
>>
>>101226890
>>101229959
btw, it took 15 minutes to patch the shitty embedded system I work on professionally, yall have no excuse
>>
whilst people are at it, use ssh-audit.com to harden your shit. It speeds up ssh negotiation, useful for those old fags like me still using Ansible.
>>
>>101230138
I hate hardening my shit
>>
>>101226818
Just an accident that the one guard was removed :^)
>>
File: DARPA_100022.png (807 KB, 842x634)
>>101230561
just take a laxative.
>>
File: 1453063164710.jpg (96 KB, 523x929)
>>101226993
>2001
>>
>>101230713
Same for musl. Someone scan me and see if I am "safe".
sftp scanme@scanme.nochan.net


There's no password.
>>
id
uid=0(root) gid=0(root) groups=0(root)
>>
>>101231211
Stop, don't touch me there!
>>
is the solution as simple as installing fail2ban?
>>
>>101230772
I'm now in your house fucking your mom
>>
rce? its a dos
>>
>>101231536
>I'm now in your house flarvalbarbing your mom
She's been dust for many decades but I am enjoying the visual. =)
>>
>>101226818
-1 to the NSA backdoors
>>
>>101231581
I sincerely hope you're not in charge of any type of security for any type of internet facing devices.
You're exploiting a signal handler race condition to insert your own code into a non safe function.
>>
>>101231947
Say what you will, they are still leaps and bounds ahead of those that regulate the internet. ... series of tubes and all.
>>
So ... none of the bots can negotiate with my SFTP server and specifically there is one bot in China that has been stuck in a loop. I want to give it something funny and/or offensive in the banner message. What are the most funny, cringy and/or offensive Chinese characters I could give them?
>>
>>101231426
From what I understand that doesn't technically fix it but does make it extremely unlikely for anyone to get in because it's a race condition with a very tiny chance of occurring.
>>
>>101232795
bawts use LTE wireless cards that change IP every few minutes. The ultimate whack-a-mole. Easier to just block 0.0.0.0/0.
>>
>>101232835
We're talking about servers, not laptops.
>>
>>101233044
Yes, your servers are being probed by LTE cards. I found some chinese characters to give the Chinese LTE modem banks.

Does it show up for you?
sftp scanme@scanme.nochan.net
>>
>>101233073
And how would I connect to my server if it keeps changing IP address?
>>
>>101233171
The LTE bot farms automagically change IPs. Why would you do that unless you were contributing to the chickity china farm?
>>
Thank God for iptables. I got to do the same thing on the other server, here I thought there was a patch. The other one was end of life so I figured just firewall though is.
>>
>>101226818
Muh glibc troon schizos
>>
File: file.png (3 KB, 534x135)
it was patched before this post was even released. Even on debian sudo apt update fixes it lmao.
>>
File: 1621489703667.jpg (160 KB, 676x698)
>>101228855
>iptables
>Not using nft
>>
>>101235903
iptables is just a wrapper
>>
>>101236068
So?
>>
>>101236163
>So?
No idea what you are asking.
>>
>>101236242
No idea how "iptables is just a wrapper" is a relevant statement
>>
>>101236263
still no idea where you are going
>>
>>101236281
iptables is obsolete. Use nft, nocoder.
>>
>>101236291
iptables (the wrapper to nft) still works just fine and isn't going anywhere any time soon. both will be replaced by eBPF.
>>
>>101226890
>based
It is.
>>
>glibc
>It is also used (in an edited form) and named libroot.so in BeOS and Haiku.
Wait... is Haiku also affected by this?
>>
>ssh in high port, geoip fenced
>ssh tarpit in port 80, connecting to that gives 48h ban
yeah i think i'm safe
>>
>>101236728
I prefer to let in all the "attackers" to see what they will do. So far, nothing of interest.
>>
>>101236728
>port 80
port 22
i need some coffee
>>
File: 1701555688002784.png (2.18 MB, 1657x2048)
My server is vulnerable to this with no way for me to fix it
>>
>>101230138
>F
rip
>>
>>101238151
I am confident you can fix it.
>>
>>101238293
Followed the guide and got the maximum score for my system.
Well, I didn't truly do everything, I just changed the accepted ciphers for now, because it's unclear why I'd need to regenerate host keys (I know if I do so all my devices will yell at me) and I need to read up on what exactly DH moduli are and what I'm overwriting (not a cryptographer)
>>
>>101237986
IP?
>>
>>101226890
>simply don't expose sshd
Everyone not retarded is already doing this anyway.
>>
File: 1718527942622767.webm (715 KB, 1024x1024)
>>101226818
My server is too old for it to be vulnerable. Get fucked updooters.
>>
>>101239181
NT4.0 server operators in a nutshell
>>
>>101239966
It's not the worst tactic, plus ancient systems likely don't have the most important data (unless they are banks) anyway nor are the machines as useful for your botnet fleet
>>
>>101234184
rare unattended-upgrades win, for me.
>>
>>101240163
Oh I know, a friend of mine runs several services on his NT4.0 Advanced Server box with every single port open to the internet, and no major attacks happened on it. At worst there were some attempts at implanting malware, but that only resulted in creation of empty folders. Can't say the same for 2000/XP. He tried the same on those and they got majorly pwned 5 minutes after port exposure.
>>
>>101240243
>every single port open to the internet
>they got majorly pwned 5 minutes after port exposure
Fucking lmao the balls on that guy. I suppose that is the case because you can still find XP machines in public infrastructure/companies/etc and obviously China which is way more conservative with the updoots and a common target. But NT 4.0? Might as well be running a bbs on that thing. Tempted to try this shit out myself on a VM
>>
>>101232667
>bot in China
Tiananmen copypasta duh
>>
>>101240399
I actually do run my mail server on an NT4 Terminal Server system through Exchange 5.5's SMTP service (yes, even OWA with IIS 3.0). So far so good, no attacks on it, and I'm able to send and receive legitimate emails with it. Terminal services/RDP isn't publicly open on it, and I don't feel like finding out what happens when it is.
>>
>>101240243
>every single port open to the internet
I don't think you understand how firewalls work.
>>
File: ES-ES-ECH_100038.png (116 KB, 262x262)
So ... is everyone patched yet?
>>
>>101241498
I haven't bothered because they can't penetrate my gibson the necessary amount of times to win the race condition, although there's always a chance.
>>
>>101226818
Didn't seem particularly bad and already patched. Sucks that these happen but not terrible
>>
so FreeBSD (as in pfSense) is not affected?
>>
File: ES-ES-ECH_100034.png (280 KB, 474x384)
>>101241545
>can't penetrate my gibson
that needs a really strong hacker with a big hammer and most don't even lift. Guess yer safe.
>>
>>101226818
>~$ ssh -V
>OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w 11 Sep 2023
Safe.
>>
>>101226890
or simply don't use ssh
>>
>>101241776
True. I miss Ostiary. Nobody makes awesome programs like that any more.
>>
>The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1
why do you make a thread for this nothingburger just update it shitbrain
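A version triage helper for the range quoted in this post and the `ssh -V` banner a few posts up. Added example, not from anyone in the thread: it parses an `ssh -V` line or an `SSH-2.0-` banner and classifies it against the published affected ranges (8.5p1 up to but not including 9.8p1, plus pre-4.4p1 builds that never got the CVE-2006-5051 fix). The result is only a triage hint: distros backport fixes without bumping the version, which is why the thread's RHEL 8, Ubuntu 20.04 and Debian 8.4p1 boxes are fine, and an OpenBSD native build (no "p" suffix) is unaffected regardless of number.

```python
import re

# Version string as printed by `ssh -V` or sent in the SSH-2.0 identification banner.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(banner: str):
    """Return (major, minor, portable_patch) or None.

    portable_patch is None for OpenBSD's native build, which has no 'pN' suffix.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, p = m.groups()
    return int(major), int(minor), (int(p) if p is not None else None)

def regresshion_status(banner: str) -> str:
    """Classify an OpenSSH version string against the CVE-2024-6387 affected ranges.

    'vulnerable' means 'upstream range, check the package changelog for a backport',
    not 'confirmed exploitable'.
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"          # not OpenSSH (e.g. Dropbear), cannot say
    major, minor, p = v
    if p is None:
        return "openbsd-native"   # syslog_r() since 2001, not affected
    key = (major, minor, p)
    if key < (4, 4, 1):
        return "vulnerable-unless-patched"   # original CVE-2006-5051 bug
    if (8, 5, 1) <= key < (9, 8, 1):
        return "vulnerable"                  # regression window
    return "not-vulnerable"

if __name__ == "__main__":
    # The banner posted in the thread: 8.4p1 sits below the regression window.
    print(regresshion_status("OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w 11 Sep 2023"))
```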
>>
>>101229204
you need to hit my ports in the correct sequence
then you can scan