[CentOS] defense-in-depth possible for sshd?

Tue Jan 10 09:12:15 UTC 2012
Bennett Haselton <bennett at peacefire.org>

If an attacker finds an exploit to take control of httpd, they're still 
blocked in part by the fact that httpd runs as the unprivileged apache 
user and hence can't write any root-owned files on the system, unless 
the attacker also knows of a second attack that lets apache escalate its 
privilege.  Basically correct?

What about sshd -- assuming that the attacker can connect to sshd at all 
(i.e. not prevented by a firewall), if they find an exploit to let them 
take control of sshd, would that imply immediate total control of the 
machine?  Because if they can control sshd they can tell sshd, "Allow 
root login (even if prohibited in sshd.conf) and accept 'foo' as the 
password", then the attacker can log in as root.  Is it possible, even 
in theory, to provide a second layer of defense behind sshd to prevent 
the attacker from controlling the machine, if the attacker controls 
sshd?  The "log me in as root" attack would appear to imply that an 
extra layer is not possible.

(Note I'm not talking about extra layers of security *in front* of sshd, 
like a firewall that only permits logins from known locations.  I'm also 
not talking about detection after the fact -- obviously you can detect 
unexpected root logins from the /var/log/secure* files if the attacker 
doesn't erase them -- only whether you could use extra layers to 
*prevent* the attacker from owning the machine if they take control of 
sshd.)
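The two configuration knobs that bear directly on the question above are PermitRootLogin and UsePrivilegeSeparation. With privilege separation on (the OpenSSH default since 3.3), the code that talks to the network before authentication runs as the unprivileged sshd user in a chroot, and the root-owned monitor process performs the actual credential checks on its behalf, so an attacker who controls only the pre-auth child cannot simply declare "foo is root's password"; they need a second bug in the monitor's much smaller interface. That is exactly the "second attack" layer the post asks about, and whether it is switched on, and whether root login is enabled anywhere (including inside a Match block), can be checked from the config file. The script below is an added example for this thread, not code from the original post or from OpenSSH. It reads the sshd_config format (keywords case-insensitive, first value wins, Match sections conditional), and the three sample configs and the OpenSSH 5.x defaults it assumes are constructed for the example:

```python
"""Audit an sshd_config for the settings that bound what a subverted sshd
can be made to do.  Added example for this thread; not code from the
original post or from OpenSSH."""
import re

# Compiled-in defaults of OpenSSH 5.x (the CentOS 5/6 era of this thread),
# assumed here so an unset keyword is judged by the value sshd would use.
DEFAULTS = {
    "permitrootlogin": "yes",
    "useprivilegeseparation": "yes",
}

# "Keyword argument" or "Keyword=argument"; keywords are case-insensitive,
# arguments are not.
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps keyword.lower() -> argument.  Two sshd_config(5)
    rules matter for an audit: for each keyword the *first* value in the
    file wins (later duplicates are silently ignored), and directives after
    a 'Match' header apply only to connections meeting its criteria, so they
    are collected separately as (criteria, settings) pairs.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        # Only whole-line comments are comments; old sshd rejects trailing ones.
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((arg, current))
            continue
        current.setdefault(key, arg)    # first value wins, in any section
    return global_settings, match_blocks


def audit(text):
    """Return findings (strings) about root login and privilege separation;
    an empty list means root login is off everywhere and privsep is on."""
    globals_, matches = parse_sshd_config(text)
    effective = dict(DEFAULTS)
    effective.update(globals_)
    findings = []
    # Anything but "no" (yes, without-password, forced-commands-only) lets a
    # subverted sshd hand out a root session once it claims auth succeeded.
    if effective["permitrootlogin"] != "no":
        findings.append("global PermitRootLogin is %r" % effective["permitrootlogin"])
    if effective["useprivilegeseparation"] == "no":
        findings.append("UsePrivilegeSeparation no: pre-auth network code runs as root")
    for criteria, settings in matches:
        # Unset inside the block means "inherit global", already judged above.
        if settings.get("permitrootlogin", "no") != "no":
            findings.append("Match %s re-enables PermitRootLogin %s"
                            % (criteria, settings["permitrootlogin"]))
    return findings


# Constructed samples for the example, not files from any real host.
WEAK = """\
# privsep off and root login on; the second PermitRootLogin is ignored
Protocol 2
UsePrivilegeSeparation no
PermitRootLogin yes
PermitRootLogin no
"""

HARDENED = """\
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

MATCH_OVERRIDE = HARDENED + "Match User backup\n    PermitRootLogin without-password\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED),
                      ("match-override", MATCH_OVERRIDE)):
        print("%s: %s" % (name, audit(cfg) or ["ok"]))
```

Run it against a copy of /etc/ssh/sshd_config by passing the file's contents to audit(). Two points the sample configs are built to show: sshd honours the first value of a duplicated keyword, so a "PermitRootLogin no" appended at the bottom of a file that already says "yes" changes nothing, and a Match block further down can quietly re-enable root login for some users or addresses even when the global line says no. None of this stops an attacker who has a second exploit against the root-owned monitor, which is the residual risk the post's "second attack" framing already captures.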