[CentOS] defense-in-depth possible for sshd?
yinyang at eburg.com
Sat Jan 14 00:59:34 UTC 2012
On 01/10/2012 01:12 AM, Bennett Haselton wrote:
> What about sshd -- assuming that the attacker can connect to sshd at all
> (i.e. not prevented by a firewall), if they find an exploit to let them
> take control of sshd, would that imply immediate total control of the
Yes, but the question itself ignores the extensive security that
OpenSSH's server already features defense-in-depth.
OpenSSH's server features privilege separation, a mechanism in which the
network connections and encryption are handled by a process which is
unprivileged. Attacks against connection handling or encryption won't
get you root access.
OpenSSH's server code has been thoroughly audited for security.
Red Hat's build of OpenSSH's server features an SELinux policy. Attacks
which require system access not granted by the policy won't work.
All of Red Hat's systems feature shared lib address randomization, to
protect against stack attacks.
Your hypothetical attack that takes control of sshd would have to defeat
a number of levels of defense. You compared sshd to httpd, which runs
as a non-root user, but ignore that its *purpose* is to grant shell
access to the system. No matter what additional layers you add to sshd,
a successful attack is going to grant shell access, because that's the
purpose of the daemon. You can't lower the privilege level of sshd to
the point that an attacker can't get a shell (which is what was done to
httpd) without making the service useless.
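
The three layers listed in the message above (privilege separation, the SELinux policy, address randomization) can each be checked on a host. The script below is an added example, not part of the original post. It assumes an OpenSSH release that still honours the `UsePrivilegeSeparation` keyword and a policy in which sshd runs in the `sshd_t` domain; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit the three layers named in the post.
# Each function is a pure check over text, so it can be exercised offline.

# Privilege separation. Reads an sshd_config on stdin. The first occurrence
# of a keyword wins; an unset keyword means the default, which is "yes".
privsep_status() {
    val=$(awk -F'[ \t=]+' '{ sub(/^[ \t]+/, "") }
        tolower($1) == "useprivilegeseparation" { print tolower($2); exit }')
    case "${val:-yes}" in
        yes|sandbox) echo ok ;;
        *)           echo weak ;;
    esac
}

# Address randomization. $1 is the content of
# /proc/sys/kernel/randomize_va_space: 0 = off, 1 = on, 2 = on plus heap.
aslr_status() {
    case "$1" in
        1|2) echo ok ;;
        0)   echo weak ;;
        *)   echo unknown ;;
    esac
}

# SELinux. $1 is getenforce output, $2 is "ps -eZ" output. Enforcing mode is
# required, and every sshd process must run in the sshd_t domain (assumption:
# targeted policy; adjust the pattern if your policy names it differently).
selinux_status() {
    [ "$1" = "Enforcing" ] || { echo weak; return; }
    if printf '%s\n' "$2" | awk '
            $NF == "sshd" { seen = 1; if ($1 !~ /:sshd_t:/) bad = 1 }
            END { exit (seen && !bad) ? 0 : 1 }'; then
        echo ok
    else
        echo weak
    fi
}

# Live use on a host (left commented so the file has no side effects):
# privsep_status < /etc/ssh/sshd_config
# aslr_status "$(cat /proc/sys/kernel/randomize_va_space)"
# selinux_status "$(getenforce)" "$(ps -eZ)"

# Constructed sample, not taken from a real host: one sshd outside sshd_t.
SAMPLE_PS='system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0 1302 ? 00:00:00 sshd'
selinux_status Enforcing "$SAMPLE_PS"
```
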