Of course if this is the case then the exploit is likely to be used aggressively sometime in the near future...

However, after it's done that repeatedly (presumably doing some sort of sniffing to work out exactly which version of sshd is running), it then attempts to login. Here's the interesting bit: when it tries to login with a user than doesn't exist, instead of just generating the

  "Invalid user test from xx.xx.xx.xx" log entry,

  "input_userauth_request: invalid user test"

(All the above is speculation, however: I'm no expert on SSH)

However, that wouldn't work in this case anyway because if there's a working exploit in sshd then an auth/username failure would never even be logged. It'd be straight in first try.

This still does not solve the problem but it is a smallish roadblock.

I would also set MaxStartups to 1 if you are the only person to login. This limits the number of unauthenticated people trying to concurrently log in.

I compromised on some of my boxes and made a non-published/non-linked URL that if you hit it, your source IP will end up on the SSH-allowed list. That plus a non-standard SSH port seems to keep 99.9999% of the risk out of the way without being too overly cumbersome to knock-through when needed.

[EDIT] You could always just set up iptables to accept traffic from your ISPs subnet and deny the rest.

Only one knock is needed to keep the port open for my current IP address indefinitely, or it can be closed immediately without losing my ssh connection.

It also precludes the necessity of filling up iptables with boatloads of DROPs to keep out the riff-raff.

I'm only at OpenSSH_3.9p1 yet up2date says everything is up to date.

Our forums see tons of questions about this, with folks assuming that because they have an "old" version of PHP or Apache or whatever, that it has known security vulnerabilities. When, in reality, an RHEL released package is probably at least as well-vetted for security as the latest release from upstream.

But, in this case, since there is no known exploit (and it is possibly fictional), there's nothing vendors can possibly do about the problem. I suppose vendors could have been quietly notified of the problem, and we'd start seeing new releases rolling out; but you'd see errata on the relevant vendors website. Asking random folks on HN wouldn't be the best course of action for reliable answers.

Anyway, OpenSSH.org has nothing on the subject.

Second, it would apparently only concerns old versions of OpenSSH. Quoting the link: "It is against an older version of OpenSSH" (OpenSSH_4.3).

The submitted link seems to copy/paste most of its content from this article, but it didn't include the version information.

Can someone tell me what the anti-sec movement is?

It is a loose movement that kind of fights against the traditional for-profit computer security industry. they think that publicizing security holes and those hole's exploits causes more pain than it helps. They also seem to be kind of anti-capitalist. A bunch of docs have been written about their goals and ideas. They aren't really script kiddies, some of them are very talented security researchers.

google around for the el8 magazine, also 'phrack high council' or just antisec in general

Just clarifying the term.

Anti-sec doesn't go after civilians, by the way.

Let me guess, if I have a job and a computer I'm not a civilian, right?

It's a very specific feud between two specific groups of people.

If you're not in the know, why not lurk in the scene a bit and see what's going on? I did just that; I was curious about security and I saw both sides of the issue. One group publishes exploits and carries out mayhem for fun, while the other group repeats what the former said in legit, paid publications and calls the former names.

Even the train-robbers vs bounty-hunters analogy fails in this case; there are way too many Joe Sixpacks fancying themselves a town sherrif and speaking ill of Jesse James. Very soon, some faces are bound to get smashed at the local Saloon :-P

That's the most bizarre definition of "not a civilian" I've ever heard.

Furthermore, I don't trust anyone's definition of "fun" if it means "mayhem" on my boxes, and I don't trust any hackers to tell the difference between funmeisters and for-profit thugs when, for example, having a jolly fun chat about vulnerabilities. The idea that I could lurk in the scene doesn't exactly make me feel better about it.

One group publishes exploits and carries out mayhem for fun

I thought dtf and utnick said they want to keep exploits secret? So do they share the exploits in "the underground" and try to keep them secret from stodgy, above-ground types? Again, I don't trust them to distinguish between "cool" people and (e.g.) botnet operators who send v1@gr@!!! email for spammers.

http://secer.org/hacktools/0day-openssh-remote-exploit.html

     sshd: IP1 IP2 .domain.com

I ran:

      grep Accepted /var/log/secure*|grep ssh2|perl -lne '/for (\S+) from (\S+)/ && print "$1 $2"'|sort -u

This may give you trouble if you SSH from e.g. some mobile connection or from random wifis around the world.

  $ lsb_release -d
  Description: Ubuntu 9.04
  $ ssh -v
  OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007

The newest releases use 5.1

  $ cat /etc/debian_version
  5.0.2
  $ ssh -v
  OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1

However, the default version on RHEL, Fedora are vulnerable. So, it is a big issue if there is no patch from your distribution (unless you use ssh from source which is not common).

better check those firewall settings.