Rich Freeman via plug on 31 Dec 2020 09:25:33 -0800
Re: [PLUG] OT: SolarWinds
On Thu, Dec 31, 2020 at 11:54 AM Rich Kulawiec via plug <plug@lists.phillylinux.org> wrote:
>
> On Sat, Dec 26, 2020 at 08:01:20AM -0500, Rich Freeman via plug wrote:
> > Only on an FOSS mailing list will you hear somebody just toss out that
> > using Office365 is "well-known" to be a worst practice.
>
> Yes, "well-known".

Ah, apparently "well-known" means well-known to you. If you polled 95% of those in professional IT roles I suspect they would disagree with you.

> > It's a brute-force ssh attack. "Myhost" is one of mine.
> "Theirhost" is inside Office365.

So, I didn't really need dozens of lines of redacted (and therefore useless) logs to know what an ssh brute-force attack is. I get them 24x7 on my hosts.

> Which means that there are two and only two possibilities here:
>
> 1. It was someone/something working for Microsoft.
> 2. It wasn't someone/something working for Microsoft.

You left out the far more likely #3 - that "theirhost" has nothing to do with Office 365. Are you sure you aren't conflating Office 365 with Azure or something else? I wouldn't be surprised if they host Office 365 on Azure, in which case you're just seeing people launching ssh attacks from Azure hosts. I imagine that MS probably shuts down these sorts of things when they're detected, but that is probably playing whack-a-mole since anybody with a credit card can start up a new one.

> (Also, in either case, this means that whoever's managing Microsoft's
> firewalls hasn't blocked outbound ssh from the Office365 infrastructure.
> That's a rather obvious security failure in and of itself.)

Well, if you're just looking at Azure they obviously can't block all outbound ssh from all their VMs. I'm sure many of them need it.

> If, on the other hand, you're not willing to do the work, then perhaps
> you could consider learning from those of us who have.

I really can't be bothered to try to trace every host that attempts an ssh brute-force scan - I'm sure they're all over the place.

If you have some kind of evidence that these are coming from Office365-dedicated IPs just post it.

> This isn't news -- well, not to anyone who's been paying attention.

I.e. the sorts of people that hang out on FOSS mailing lists complaining about MS taking over the world, and not the sorts of people who get paid to manage IT infrastructure on a large scale.

Nothing wrong with hosting your own mail/etc, but I suspect that Office365 is better-managed than what most companies are using instead. Suffice it to say they're not using Ubuntu+LibreOffice+Postfix+Courier+Thunderbird or whatever, not that this is magically immune to security issues.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
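The disagreement above turns on two separable questions: whether the sshd log actually shows a brute-force pattern, and whether the source address belongs to a specific service (Office 365) or merely to a general-purpose cloud range (an Azure VM anyone can rent). The script below is an added example, not code from either poster; it parses constructed sshd log lines (the thread's own logs were redacted), counts failed password attempts per source IP, and attributes each noisy source to a labelled CIDR list. The ranges in PROVIDER_RANGES are hypothetical placeholders; in real use they would be replaced by the provider's published address lists, which is exactly the evidence the reply asks for.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation-range addresses, not real sources).
SAMPLE_LOG = """\
Dec 31 09:01:02 myhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 31 09:01:03 myhost sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec 31 09:01:05 myhost sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec 31 09:02:11 myhost sshd[1210]: Failed password for root from 198.51.100.20 port 40011 ssh2
Dec 31 09:02:12 myhost sshd[1210]: Failed password for invalid user test from 198.51.100.20 port 40012 ssh2
Dec 31 09:03:00 myhost sshd[1215]: Accepted publickey for rich from 192.0.2.5 port 22000 ssh2
Dec 31 09:04:40 myhost sshd[1220]: Failed password for invalid user oracle from 192.0.2.99 port 33333 ssh2
"""

# Hypothetical, constructed ranges. A real deployment would load the provider's
# published lists here so that "general cloud VM range" and "dedicated mail
# service range" are distinguished by data rather than by assumption.
PROVIDER_RANGES = {
    "cloud-vm-range (constructed)": [ipaddress.ip_network("203.0.113.0/24")],
    "mail-service-range (constructed)": [ipaddress.ip_network("198.51.100.0/26")],
}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms of the sshd message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    results = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            results.append((m.group("user"), m.group("ip")))
    return results


def attribute_ip(ip, ranges=PROVIDER_RANGES):
    """Return the label of the first range containing ip, or 'unattributed'."""
    addr = ipaddress.ip_address(ip)
    for label, nets in ranges.items():
        if any(addr in net for net in nets):
            return label
    return "unattributed"


def summarize(log_text, threshold=2, ranges=PROVIDER_RANGES):
    """Count failed attempts per source IP and attribute every source at or
    above threshold. Single failures are dropped as likely typos, not attacks."""
    counts = Counter(ip for _, ip in parse_failed_logins(log_text))
    report = {}
    for ip, n in counts.items():
        if n >= threshold:
            report[ip] = {"attempts": n, "owner": attribute_ip(ip, ranges)}
    return report


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {info['attempts']} failed attempts, source range: {info['owner']}")
```

Run against a real /var/log/auth.log (or journalctl -u ssh output) the report separates "this address is in a range anyone can rent" from "this address is in a range the provider reserves for its own service", which is the distinction between possibility #3 and the two possibilities in the quoted message.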