Rob, w00w00 was planning on addressing this issue, but I just can't control the urge to speak...

So if I understand correctly, F5 has made many improvements to the security of BigIP. Now, was adding a second account with uid 0 without the knowledge of the user part of that plan?

    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

This is blatantly bad security practice; every BigIP box I have come across has this account. Not only did you add a shell account, but you did the same for the browser configuration tool:

    bigip1:~# cat /var/f5/httpd/basicauth/users
    admin:MdA00w00w
    support:_J9..1fnHY9nqgjRyOV2
    bigip1:~#

Now, I know what you're going to say: "It doesn't matter because of restrictions in sshd_config". BUT! Remember this is a unix machine with a unix user. I have a few people in the office who would rather allow ANY location to connect to every box on the network; do you see where I'm going with this? It isn't that far fetched.

I place load balancers in the router category, and anything in that category should be stripped down to only core tools.

    bigip1:~# ls -la /usr/bin/rlogin
    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    bigip1:~#

I say this in closing:

    -r-sr-xr-x  1 root  wheel  212992 Apr  6  1999 /usr/bin/rlogin*
    support:_J9..1fnHY9nqgjRyOV2
    support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash

w00giving : w00w00 pronounced wu-wu : ADM joewee.

PS: BigIP is by far the best load balancer in the industry. I love it.

> Guy is discussing an issue that affects older versions of BIG/ip.
> As he points out, the risk is from internal users. In older versions
> of BIG/ip, there is effectively only one user and that user has root
> privileges. That user could execute commands as root through a shell
> escape in our web-based user interface.
>
> As of Version 2.1, this is no longer possible. The current version
> of BIG/ip is 2.1.2. The software update is available for free over
> the net to all customers with support contracts.
>
> In Version 2.1, in response to customer feedback, we removed the shell
> escape capability and also changed to multiple user levels in the
> web-based user interface.
>
> BIG/ip is a default-deny device, both for administrative traffic to it,
> and for traffic passing through it. The product uses SSH for command
> line access and SSL for web access. We welcome any feedback on how we
> can make the product more secure.
>
> Thanks!
>
> Rob Gilde
> Product Development Manager
> voice: 206-505-0857
> email: robat_private
>
> F5 Networks, Inc.
> 200 First Avenue West, Suite 500
> Seattle, WA 98119
> http://www.f5.com
> 1-888-88BIGIP

----------------------------
Ejovi Nuwere [www.ejovi.net]
In God we trust. The rest we monitor.
----------------------------
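The three conditions the post above points at (a second login with uid 0, the same hash reused for the web-UI basicauth account, and a setuid binary sitting on a box that should carry only core tools) are the kind of thing an administrator can check for with a few lines of sh and awk. The script below is an added example; it is not code from the original post, from Ejovi or from F5. It runs entirely against constructed sample files, and the file layouts it assumes (BSD master.passwd-style fields with the uid in field 3, and a user:hash basicauth file) are modelled on the lines quoted in the post rather than taken from any real BIG/ip install.

```sh
#!/bin/sh
# Added example, not code from the original post or from F5: small audit
# checks for a second uid-0 login, a hash reused between the system passwd
# file and an htpasswd-style web-UI file, and setuid files under a directory.
# All input below is constructed so the script is safe to run anywhere.

# Print the login name of every entry with uid 0 in a passwd-format file.
# Field 3 is the uid in both /etc/passwd and BSD master.passwd layouts.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of uid-0 entries; more than one means a second root-equivalent login.
uid0_count() {
  uid0_accounts "$1" | wc -l | tr -d ' '
}

# Print each login in a user:hash file ($2) whose hash also appears as the
# password field of some entry in the passwd-format file ($1), i.e. one
# credential used for both the web UI and a system account. Placeholder
# password fields ("*", "x", empty) are ignored so they never match.
reused_hashes() {
  awk -F: 'NR == FNR { if ($2 != "*" && $2 != "x" && $2 != "") pw[$2] = 1; next }
           ($2 in pw) { print $1 }' "$1" "$2"
}

# List files with the setuid bit (mode 4000) beneath a directory.
setuid_files() {
  find "$1" -type f -perm -4000 2>/dev/null
}

# --- constructed sample data modelled on the lines quoted in the post ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

SAMPLE_PASSWD="$SAMPLE_DIR/master.passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0::0:0:root:/root:/bin/sh
support:_J9..1fnHY9nqgjRyOV2:0:0:daemon:0:0:F5 Labs User Support:/root:/bin/bash
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF

SAMPLE_USERS="$SAMPLE_DIR/users"
cat > "$SAMPLE_USERS" <<'EOF'
admin:MdA00w00w
support:_J9..1fnHY9nqgjRyOV2
EOF

# An empty stand-in for /usr/bin/rlogin with the setuid bit set.
SAMPLE_BIN="$SAMPLE_DIR/bin"
mkdir -p "$SAMPLE_BIN"
: > "$SAMPLE_BIN/rlogin"
chmod 4755 "$SAMPLE_BIN/rlogin"

echo "uid-0 accounts:";            uid0_accounts "$SAMPLE_PASSWD"
echo "web-UI logins reusing a system hash:"; reused_hashes "$SAMPLE_PASSWD" "$SAMPLE_USERS"
echo "setuid files:";              setuid_files "$SAMPLE_BIN"
```

On a real box the same functions would be pointed at /etc/master.passwd (or /etc/passwd), the basicauth users file, and / for the setuid walk; the awk in `reused_hashes` reads the passwd file first (the `NR == FNR` pass) so the comparison is a plain string match on the hash field, which is exactly what lets the shared "support" hash in the post show up.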
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:58 PDT