Vulnerabilities in Centos 4.4 version of SSH

Support for security such as Firewalls and securing linux
Post Reply
karlkatzke
Posts: 9
Joined: 2005/02/19 01:33:59
Contact:

Vulnerabilities in Centos 4.4 version of SSH

Post by karlkatzke » 2006/11/09 06:02:34

My network security team (I work for a major university) is telling me that I need to update sshd on all of my servers immediately to 4.4. Realistically, is CentOS/RHEL ever going to catch up with some of these important security updates? I'm really starting to lose faith in the 'Enterprise' nature of this operating system.

"Enterprise" should not equal crufty.

There's a whole host of vulnerabilities, patches, and updates to OpenSSH since the incredibly old and crufty sshd 3.9p1 that is included with CentOS. OpenSSH is now on version 4.4, and this and the previous version fix a whole ton of exploits. After getting pwnt twice now (once due to a man in the middle attack on SSH that we traced back to another compromised server, and once ... well, we don't know...), I'm really hoping that someone has a solution that does *not* include me trying to compile FC6 srpms on my CentOS box.

jasonxoxide
Posts: 80
Joined: 2006/09/11 14:35:48
Location: Exton, PA
Contact:

Re: Vulnerabilities in Centos 4.4 version of SSH

Post by jasonxoxide » 2006/11/13 13:59:16

RedHat backports bug-fix patches to older stable versions. If your server got hacked through SSH then you probably left some kind of security risk running (like SSH1) or, as you said, you had a second server compromised (probably via some other method, like a miserable user) and they got privileged access coming through that system. I have quite a few RHEL3, RHEL4, and CentOS4 servers that are exposed to the public internet and have never had any problems with a server being compromised or with failing a PCI Compliance IDS.

http://www.redhat.com/advice/speaks_backport.html

Oh, and as to using FC6 srpms, even FC6 comes with 4.3. If you absolutely must have 4.4 then you're going to have to build from source.

Post Reply

Return to “CentOS 4 - Security Support”