"Shellshock" bash bug

Colin Law clanlaw at gmail.com
Sat Sep 27 15:29:21 UTC 2014 

On 27 September 2014 14:08, Gene Heskett <gheskett at wdtv.com> wrote:
> On Saturday 27 September 2014 08:53:10 Colin Law did opine
> And Gene did reply:
>> On 27 September 2014 13:45, Gene Heskett <gheskett at wdtv.com> wrote:
>> > On Saturday 27 September 2014 02:45:50 Colin Law did opine
>> >
>> > And Gene did reply:
>> >> On 27 September 2014 01:33, Gene Heskett <gheskett at wdtv.com> wrote:
>> >> > On Friday 26 September 2014 17:50:25 Colin Law did opine
>> >> >
>> >> >> ...
>> >> >> It seems however that my initial assumption is correct, that if
>> >> >> they cannot login as they do not have the key then they cannot
>> >> >> exploit the vulnerability.
>> >> >
>> >> > We are being told by the finders that no login is needed.
>> >>
>> >> True, it seems that web server and dhcp can also be attacked,
>> >> however since only port 22 is open and dhcp is from my router then
>> >> it seems I am safe, provided the router is clean.
>> >>
>> >> Cheers
>> >>
>> >> Colin
>> >
>> > A second point in the good routers is that you can and should,
>> > disable access to port 22 from the outside world, making that only
>> > accessible from your local 192.168.nnn/24.  But that has little to
>> > do with its dhcp which could still be hackable.
>>
>> If I disable access to port 22 from the outside world, how do you
>> suggest I get access to the machine from the outside world?
>>
>> Colin
>
> The "outside world" is by definition, any address NOT in the 192.168.xx.
> range.  Those addresses are not transmitted across the router from inside
> to outside.  Or vice-versa.  I only have one port open to the outside, and
> you can easily guess which one that is.  If you can see my web page, its
> working. :)

Not sure that answers the question about how I get access to my
machine from the outside world without opening port 22 (or using VPN).
I need to control it, it is a weather station, not a web server.  Also
I suspect there have been many more vulnerabilities found that can
attack via an http connection than via ssh, though I have no direct
evidence to support that.

Cheers

Colin

More information about the ubuntu-users mailing list