No ssh port forwarding for you!

Posted in security

I just saw a recent article describing some simple ssh attacks that looked a little funny to me. So I figured I’d test them out. The one that smelled funny was using local and remote port forwarding on itself, localhost. It just doesn’t work on modern Linux hosts. I tried it on a fresh Gentoo install, a new Fedora 10 install, and an old Fedora 8 workhorse. You just can’t open more than 1024 descriptors by default in all cases, hmm except maybe as root, but that’s not the point here. Linux says “Signs point to ye…yeah NO.” But this article was from January 2009. So wtf? Banging away on old FreeBSD servers long forgotten in someone’s closet or something?

I was originally poking around at getting by /bin/false or /bin/nologin because I was wondering what happened if you just replaced the bin file with a copy of a working shell and then set a password for the account. Some good accounts that came to mind would be ldap, sshd, and postmaster :) But it looks like there are already group restrictions set up BY DEFAULT.

cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
ssh -N -L9000:localhost:4141 192.168.123.321 &
ssh -N -L9000:localhost:9000 192.168.123.321 &
telnet localhost 9000

no dice…

debug1: Connection to port 9000 forwarding to localhost port 9000 requested.
accept: Too many open files

Posted by admica   @   13 February 2009
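
The "Too many open files" result above is the per-process descriptor limit (RLIMIT_NOFILE) stopping a forward that targets its own listening port. The sketch below is an added example, not code from the original post: it models that loop with plain loopback sockets instead of ssh and a deliberately small limit in place of the default 1024; `forward_to_self` and `headroom` are made-up names.

```python
import errno
import resource
import socket

def forward_to_self(headroom=40):
    """Model a forwarder whose target is its own listening port.

    Returns (hops, errno): connections relayed before the kernel refused a
    new descriptor, and the errno of that refusal.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # constructed: any free loopback port
    listener.listen(8)
    listener.settimeout(5)
    addr = listener.getsockname()
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # the "telnet"
    first.connect(addr)
    held = [listener, first]

    # Descriptor numbers must stay below the soft limit, so cap it just above
    # the highest one in use (a small stand-in for the default 1024).
    old_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    soft = max(s.fileno() for s in held) + 1 + headroom
    if hard != resource.RLIM_INFINITY:
        soft = min(soft, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))

    hops, err = 0, None
    try:
        while True:
            conn, _ = listener.accept()   # inbound side of the forward
            held.append(conn)
            out = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            held.append(out)
            out.connect(addr)             # outbound side lands on the same port
            hops += 1
    except OSError as exc:                # EMFILE: "Too many open files"
        err = exc.errno
    finally:
        for s in held:
            s.close()
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, hard))
    return hops, err

if __name__ == "__main__":
    hops, err = forward_to_self()
    print(f"stopped after {hops} hops: {errno.errorcode.get(err)}")
```

Each hop costs two descriptors, so the loop ends after roughly half the remaining limit and the process fails closed instead of consuming the host.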