Have you installed SSH? Change the passwords!

[lavrishevo]

No I do not use SSH. I transfer files via USB

 

[DeuceDeuce]

Thanks, I just did this! I love these forums, you guys and gals are so very helpful!

 

[iphonegeek786]

That does sound convenient! But personallly, not enough to go out of my way to install and set up SSH -- not such a hassle if you have a Mac, I suppose, but it's terribly confusing and complex if you are on a Windows system!

^^^^
this

 

[Gix1k]

A malicious worm attack on JB phones. I guess we'll see a lot now.

http://news.bbc.co.uk/1/hi/technology/8373739.stm

This is how to change the password:

1. Download Mobile Terminal through Cydia.

2. Launch Terminal, type in: 'su root', it'll prompt you for your current password next, so type in 'alpine'. (Don't use quotations obviously).

Doing the above logs you in as 'root', because by default if you launch terminal and just use the 'passwd' command, it doesn't actually change it per se as you are logged in as 'mobile', which doesn't have sufficient permissions to change the password.

3. Type in 'passwd', and it should prompt you to enter a new password and then ask you to verify it again.

4. Type in passwd mobile (this is to set a new one for user "mobile" as well). Once again, enter a new password twice

So I did these steps and changed my password. Now what password did I change. When I use Putty to connect. When I entered "root" then "alpline"....did I change the "alpine"?

 

[ViViDboarder]

So I did these steps and changed my password. Now what password did I change. When I use Putty to connect. When I entered "root" then "alpline"....did I change the "alpine"?

If you connected with root as the user then alpine as the password you are logged in as root.

If you did passwd it asks for old password... alpine
Then you type the new one in twice. Then you're done and the password is updated.

If that's not what you did. You need to do it

 

[thelatinist]

Personally, I haven't used SSH in some time and am thinking about uninstalling it. I can do anything I did with SSH using the combination of iFile and MobileTerminal on my iPhone. And for most things I don't even need MobileTerminal and can completely avoid the command prompt.

 

[Moi un Mouton]

So I did these steps and changed my password. Now what password did I change. When I use Putty to connect. When I entered "root" then "alpline"....did I change the "alpine"?

Yes, you now need to enter root then the new password in place of alpine

 

[ckong]

I've been watching this thread so I just wanted to suggest to people to add the "AllowUsers <user>@<ip range/address>" parameter into /etc/ssh/sshd_config.

I've added this to effectively block out any workstations except my own on my 192.168.1.0/24 private network at home (and since AT&T uses the private 10.0.0.0/8, this should help protect against attacks over the AT&T 3G network).

For example:

AllowUsers root@192.168.1.150 root@192.168.1.151

...effectively allows only the two listed workstations into your phone. You'd probably want to set static IPs on your home workstation(s), or use DHCP reservations to guarantee the addresses.

I've tested this at home and it seems to work fine on my local network. You do get a login prompt, but never can get in if not listed (now wouldn't that frustrate Mr. Hacker trying to guess your password).

Also Google "sshd allowusers" to read more on this.

 

[ViViDboarder]

I've been watching this thread so I just wanted to suggest to people to add the "AllowUsers <user>@<ip range/address>" parameter into /etc/ssh/sshd_config.

I've added this to effectively block out any workstations except my own on my 192.168.1.0/24 private network at home (and since AT&T uses the private 10.0.0.0/8, this should help protect against attacks over the AT&T 3G network).

For example:

AllowUsers root@192.168.1.150 root@192.168.1.151

...effectively allows only the two listed workstations into your phone. You'd probably want to set static IPs on your home workstation(s), or use DHCP reservations to guarantee the addresses.

I've tested this at home and it seems to work fine on my local network. You do get a login prompt, but never can get in if not listed (now wouldn't that frustrate Mr. Hacker trying to guess your password).

Also Google "sshd allowusers" to read more on this.

SSH doesn't work over the 3G connection... I've tried. I wanted to be able to remote into my phone over SSH using DynDNS so that I could remotely locate it without paying for mobile me.

 

[mciarlo]

A summary of 'hardening' your iPhone's security.

1. Edit passwd
2. Edit passwd mobile
3. Turn 'Accept cookies' in Safari preferences to 'Never'
4. Turn off Autofill in Safari/do not save passwords
5. Use SBSettings to turn off SSH when not in use
6. You may edit your SSH config to allow only your IP.
7. A general good rule of thumb is to not use unprotected, untrusted, or public Wifi networks.


What do people think about this:

"It turns out, at least on older iPhones, that code signing is enforced via memory protections so that turning off code signing turns off features of DEP [data execution prevention] too—there goes [the iPhone's non-executable memory]," Miller said. "Many of the apps, such as sshd, or even the installer Cydia run as root with no sandbox, there goes [least privileges and sandboxing]."

Source: http://www.eweek.com/c/a/Security/How-Secure-is-Your-Jailbroken-iPhone-271546/

 

[phillipjfry]

More or less, I'm disappointed in the amount of time it took the cracker community to come up with a worm that exploited unchanged passwords

 

[ckong]

SSH doesn't work over the 3G connection... I've tried. I wanted to be able to remote into my phone over SSH using DynDNS so that I could remotely locate it without paying for mobile me.

Hmmm....

To be truthful, I haven't tested it on 3G as I didn't know anybody with another iPhone to test it with. Conceptually, all you'd need is an iPhone on the same subnet range. That way, you'd bypass AT&T's router and probably any rule/ACL that blocks SSH/port 22 (as the network traffic at that point is bridged not routed...and ACLs only work on routed traffic). It also might work on the same 10.0.0.0/8 routed network if they don't filter at all.

So...it should work. Otherwise...how does did the Rick-Roll Worm work? (That guy did us all a favor btw imho, with a harmless prank that raised awareness of an obvious security issue.)

It'd be interesting if someone out there could let us know for sure. Remember, to test you'd need to be on the same subnet or network as AT&T's private 10-net address are blocked by other ISPs as a standard (RFC 1814 or 1597 or something) so testing from one ISP to another is a no-go.

I'm pretty sure the "AllowUsers" will help as it stopped my local 192.168.1.x workstation from connecting directly. Not foolproof I know, but another layer of protection that's easy to impliment and free.