check_by_ssh question

Peter Gutmann peter.gutmann at db.com
Mon Mar 29 17:12:43 CEST 2004


Your assumption that I am simply reciting the opening paragraphs of a book 
on the introduction to computer security is simply false. While I have no 
idea of your experience level with UNIX, networks, and the basic security 
concepts (and you obviously have absolutely no idea of my experience), the 
most basic concept is knowing what you are protecting. The purpose of the 
ssh tools is to build an encrypted channel between machines 
(http://www.openssh.com/goals.html) that can then be used to protect the 
user ID, passwords, and data from snooping on the wire. So, if you are 
looking to do authentication or detect attack profiles with ssh, you are 
looking in the wrong place.

While you are sure that I have been reading (and reciting) the platitudes 
(http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=platitudes&x=19&y=13) 
posted on the Bugtraq mailing lists, you seem to be missing the point of 
what I was saying. The best way to prevent an attack from your Nagios 
monitoring host on the hosts that you are monitoring is to prevent the 
initial attack on the Nagios monitoring host in the first place. Because 
once the bad guy has access to the box, the battle you are trying to fight 
is lost (unless you added an intention bit to the TCP header :-). So, you 
are looking to fight the wrong battle (i.e. bringing a knife to a gun 
fight).

You seem to be making a very common and very basic mistake: not looking at 
the whole problem. You seem to be looking at the piece of the puzzle 
between the Nagios host and the hosts that you are watching. There is 
simply no way to tell if the opening packets in a new TCP connection from 
a machine (hosta) which is destined for the machine (hostb) are part of 
your normal checks or the beginning of an attempted exploit of the machine 
(ask the people from Network Flight Recorder, www.nfr.com). You could 
attempt to correlate the initiation of a TCP connection to the monitored 
host with the startup of the check_ssh executable. However, that would 
consume a huge amount of resources for a very limited result (the easiest 
way to defeat this would be to replace the check_ssh executable). 

----
Peter Gutmann
Peter.Gutmann at db.com





Andreas Ericsson <ae at op5.se>
Sent by: nagios-users-admin at lists.sourceforge.net
03/27/2004 02:35 PM

        To:      nagios-users at lists.sourceforge.net
        cc:
        Subject: Re: [Nagios-users] check_by_ssh question


Peter Gutmann wrote:
> Why, no, I have not been following the thread from the beginning of time. 
> Having just started getting Nagios set up here to watch some of our trading 
> applications, I joined the mailing list within the last few days to learn 
> a bit more about Nagios from other people that are using it.
> 
You can read earlier postings on the thread in the archives.

> The security of a network is not obtained by any single action. However, 
> it is obtained by understanding the needs of the applications and the 
> environment that the applications live in, and when it is done best it 
> looks a lot like an onion. The best way to look at it is to have defense 
> in depth and not to rely on a single method of protecting yourself. This 
> is where you have a number of different methods of protecting yourself and 
> watching what is going on. The goal would be to have all of the pieces 
> work together to tell you when something goes wrong, while you are still 
> in a position to do something about it.
> 
Thank you for reciting the opening paragraph of the latest 'security 
consciousness' lecture you went to. Seems like something a CEO would 
like to hear the company's money was spent on, while none but the very 
freshest administrators would learn anything from it.

> While I STILL don't know anything about what you are looking to protect 
> (other than you are concerned about Nagios being open) or the environment 
> that it lives in. So, I am, to some extent, just guessing about what you 
> are looking to accomplish and how much you are willing to put into it. If 
> you are an ISP, that is a wholly different problem than protecting a 
> trading floor, or protecting the network in the corner grocery. So, there 
> are a number of layers to this onion called trust.
> 
More smoke from the bag. General security discussions are held on 
bugtraq, vuln-dev et al.

> I am suggesting that you implement screening routers that LOG unusual 
> events as an ADDITION to all of the usual things for your environment. 
> While I KNOW that this is not the whole answer, my reading of your e-mail 
> was that you were looking for an application (even if you cover it with 
> SSL) that does no authentication to tell you about problems. Perhaps I was 
> wrong. 
> 
Yes, you were. We're discussing the specific dangers of running 
check_by_ssh on a large number of hosts from the nagios server.
On a side-note; Suggest all you want, but please read the backlogs in 
the mail-archives first.

> Snort or another NDIS tool can watch the number of packets per unit time 
> between hosts and flag ABOVE and below the threshold. In addition, 
> trapping and logging ALL connection attempts and failed logins. 

Network intrusion detection systems have been brought up and quite 
firmly put down (from this discussion, that is), seeing as all they can 
really do is let you know what went wrong, and when. We're looking to 
prevent it from happening in the first place.

> BTW: Have 
> you looked at IP/SEC? that is a way of authenticating (at a hardware 
> level) a level of trust between machines
> 
IP/SEC faces the same problems as running SSH with public / private 
keypairs (well, similar anyway). You can't allow one thing and disallow 
another in a manner which is non-exploitable, seeing as the monitoring 
process needs access rights enough to run applications on the remote host.
All it would really do is add another layer of encryption, which 
actually might lessen security rather than tighten it (consider CBC vs 
CFB).

> Peter
> ----
> Peter Gutmann
> Peter.Gutmann at db.com
> 
> 
-- 
Mvh / Best Regards
Sourcerer / Andreas Ericsson
OP5 AB
+46 (0)733 709032
andreas.ericsson at op5.se


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when 
reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
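The thread turns on Andreas' objection that the monitoring process "needs access rights enough to run applications on the remote host", so the key the Nagios server holds cannot both be allowed to run checks and be kept harmless if that server is compromised. The usual way to narrow that gap is an sshd forced command: the monitored host pins the monitoring key to a wrapper that accepts only an exact list of plugin invocations and refuses everything else, so what a hijacked Nagios server can do with the key shrinks to "run these few read-only checks". The script below is an added example (not code from the Nagios plugins or from either poster); the plugin paths, thresholds, the wrapper's install path and the `from=` address are assumptions for the example, and the matching `command` lines in the Nagios configuration must send exactly the same strings.

```shell
#!/bin/sh
# nagios-wrapper: forced-command wrapper for the monitoring key on a
# monitored host. Added example, not part of the Nagios plugins.
#
# Install the monitoring server's public key in ~nagios/.ssh/authorized_keys
# on the monitored host with the command pinned and the extras switched off
# (the file and this script must be root-owned and not writable by the
# nagios account, or a compromise of that account simply rewrites them):
#
#   command="/usr/local/bin/nagios-wrapper",from="10.0.0.5",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... nagios@monitor
#
# sshd then ignores whatever check_by_ssh asked for, runs this script, and
# hands the requested command over in $SSH_ORIGINAL_COMMAND.
# Paths, thresholds and the address above are assumptions for the example.

PLUGIN_DIR=/usr/local/nagios/libexec

# nagios_dispatch REQUEST
# Prints REQUEST and returns 0 if it is exactly one of the whitelisted plugin
# invocations; returns 1 (printing nothing) otherwise. Whole fixed strings are
# compared, never patterns, so a compromised monitoring server cannot add
# arguments, chain commands with ';' or '|', or ask for a shell: the only
# thing the key buys on this host is these three checks.
nagios_dispatch() {
    case $1 in
        "$PLUGIN_DIR/check_load -w 15,10,5 -c 30,25,20") ;;
        "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /") ;;
        "$PLUGIN_DIR/check_users -w 5 -c 10") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Entry point when invoked by sshd (SSH_CONNECTION is set for every session).
if [ -n "${SSH_CONNECTION:-}" ]; then
    if cmd=$(nagios_dispatch "${SSH_ORIGINAL_COMMAND:-}"); then
        set -f          # no globbing while the matched entry is split into argv
        exec $cmd       # unquoted on purpose: split the whitelisted string
    fi
    # Refused: record who asked for what, answer in plugin style (UNKNOWN = 3).
    logger -p auth.warning -t nagios-wrapper \
        "refused '${SSH_ORIGINAL_COMMAND:-<none>}' from ${SSH_CONNECTION%% *}"
    echo "UNKNOWN: command not permitted by nagios-wrapper"
    exit 3
fi
```

Two caveats a practitioner should keep in mind. First, this does not make the monitoring server harmless; it only bounds the damage to what the whitelisted plugins themselves can do, so the plugins still have to be ones you would let an attacker run with the nagios account's privileges, and nothing in the list should take attacker-controlled arguments. Second, the refusal is logged on the monitored host, which is the one place the compromised server cannot quietly edit, so those `auth.warning` lines are worth forwarding off-box.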