Re: Security newbie?
Art Edwards wrote:
> I've been running debian @ home and @ work, for years, had no indication of attacks. Over the last few days, my iptables firewall seemed simply to stop. I checked my auth log file to find many, many attempts to break in. My firewall was very simple. I have since added rules to drop packets from offending IP addresses. So, I have a couple of very basic questions:
>
> 1. Are there repositories of offending IP addresses to block? Can/should one contribute to these?
>
> 2. The attacks never use the same user name more than once. Is there a way to block access, even temporarily, from an IP address after a set number of attempts, even if the attempts use different user names?
>
> 3. Are there other obvious things I should be doing?

ssh, by its design, is insecure. It SHOULD incorporate some means of limiting password attempts. It does not! Using alternate ports can be a pain in the butt as some programs (like webmin filesystem backup) do not support alternate ports.

I suggest 2 methods, fail2ban and a firewall, if you must allow password logins. You can set the firewall to allow only certain IPs or IP ranges. But do not get too comfortable with a firewall ONLY solution. The first time the local firewall goes down, or is taken down and forgotten to re-enable, you'll get compromised.

Again, the best solution would be for ssh to incorporate a solution, thus if ssh is started, the solution is started...
Re: Security newbie?
On Fri, Aug 03, 2007 at 08:15:38AM -0500, Rodney Richison wrote:
> Art Edwards wrote:
> > I've been running debian @ home and @ work, for years, had no indication of attacks. Over the last few days, my iptables firewall seemed simply to stop. I checked my auth log file to find many, many attempts to break in. My firewall was very simple. I have since added rules to drop packets from offending IP addresses. So, I have a couple of very basic questions:
> >
> > 1. Are there repositories of offending IP addresses to block? Can/should one contribute to these?

First ask if you need to ssh into your box from the internet; if not, then limit the interfaces to which ssh listens.

> > 2. The attacks never use the same user name more than once. Is there a way to block access, even temporarily, from an IP address after a set number of attempts, even if the attempts use different user names?

If you are using good strong passwords then it shouldn't matter how many times someone tries. However, you should consider using public-key ssh logins, where you can totally disable password logins.

> > 3. Are there other obvious things I should be doing?
>
> ssh, by its design, is insecure.

This seems a little harsh.

> It SHOULD incorporate some means of limiting password attempts. It does not! Using alternate ports can be a pain in the butt as some programs (like webmin filesystem backup) do not support alternate ports.
>
> I suggest 2 methods, fail2ban and a firewall, if you must allow password logins. You can set the firewall to allow only certain IPs or IP ranges. But do not get too comfortable with a firewall ONLY solution. The first time the local firewall goes down, or is taken down and forgotten to re-enable, you'll get compromised.

Yes, a firewall is the first line of defence in that it blocks things before they reach your daemons, but the last line of defence in that everything else should be relied on first. You can use the firewall to limit the rate of connection attempts that go to ssh.

Also, if you know the range of IPs from which you need to connect, you could limit attempts to that range. You can also look at the sshd_config options MaxAuthTries and MaxStartups.

Doug.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Security newbie?
On Wed, 18 Jul 2007 19:10:14 +0200 Art Edwards wrote:
> I've been running debian @ home and @ work, for years, had no indication of attacks. Over the last few days, my iptables firewall seemed simply to stop. I checked my auth log file to find many, many attempts to break in.
> [...]
> 3. Are there other obvious things I should be doing?

Keep your system updated. Choose strong passwords. For more info about security I can recommend the Securing Debian Manual: http://www.debian.org/doc/user-manuals#securing

Cheers,
Simon
Security newbie?
I've been running debian @ home and @ work, for years, had no indication of attacks. Over the last few days, my iptables firewall seemed simply to stop. I checked my auth log file to find many, many attempts to break in. My firewall was very simple. I have since added rules to drop packets from offending IP addresses. So, I have a couple of very basic questions:

1. Are there repositories of offending IP addresses to block? Can/should one contribute to these?

2. The attacks never use the same user name more than once. Is there a way to block access, even temporarily, from an IP address after a set number of attempts, even if the attempts use different user names?

3. Are there other obvious things I should be doing?

Art Edwards

-- 
Arthur H. Edwards
Senior Research Physicist
Air Force Research Laboratory
AFRL/VSSE Bldg. 914
3550 Aberdeen Ave. SE
KAFB, NM 87117-5776
(505) 853-6042 (O)
(505) 463-6722 (C)
(505) 846-2290 (F)
Re: Security newbie?
On Wed, Jul 18, 2007 at 11:09:21AM -0600, Art Edwards wrote:
> I've been running debian @ home and @ work, for years, had no indication of attacks. Over the last few days, my iptables firewall seemed simply to stop. I checked my auth log file to find many, many attempts to break in. My firewall was very simple. I have since added rules to drop packets from offending IP addresses. So, I have a couple of very basic questions:
>
> 1. Are there repositories of offending IP addresses to block? Can/should one contribute to these?
>
> 2. The attacks never use the same user name more than once. Is there a way to block access, even temporarily, from an IP address after a set number of attempts, even if the attempts use different user names?

fail2ban automatically bans IPs after a specified number of failures. The ban only lasts 30 minutes or so, but that should be enough to deter most... and still let you in if you make a mistake.

> 3. Are there other obvious things I should be doing?

Make sure you aren't running any services you don't need and keep your firewall up-to-date. And make sure your services have sensible configs in place, too... I'm guessing you're looking at ssh attempts -- switch to pubkey authentication if you can and turn off password/challenge-response.
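As an added example of the per-source counting the replies above describe (written for this page; it is not fail2ban's own code), the following Python script parses constructed auth.log lines and bans a source IP after a set number of failed passwords inside a time window, no matter which user names were tried, with the ban expiring after a fixed period. The log lines, the thresholds and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not real data): one source rotates user names,
# a legitimate user mistypes once and then logs in by key.
SAMPLE_LOG = """\
Jul 18 10:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 18 10:01:05 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jul 18 10:01:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul 18 10:01:12 host sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jul 18 10:02:00 host sshd[2209]: Failed password for art from 198.51.100.2 port 40000 ssh2
Jul 18 10:02:30 host sshd[2211]: Accepted publickey for art from 198.51.100.2 port 40001 ssh2
Jul 18 10:45:00 host sshd[2300]: Failed password for invalid user guest from 203.0.113.7 port 51300 ssh2
"""

# syslog lines carry no year, so one is assumed; "invalid user" is optional in sshd's message.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text, year=2007):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def compute_bans(failures, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=30)):
    """Ban a source for `bantime` after `maxretry` failures within `findtime`.
    Counting is per source IP only, so rotating user names does not help."""
    recent, banned_until, bans = {}, {}, []
    for ts, _user, ip in sorted(failures):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned; the firewall rule would have dropped this
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            recent[ip] = []  # the count restarts once the ban has expired
    return bans

if __name__ == "__main__":
    for ip, start, end in compute_bans(parse_failures(SAMPLE_LOG)):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

On the sample, only 203.0.113.7 is banned (at its third failure, for 30 minutes); the single mistyped password from 198.51.100.2 never reaches the threshold, and the later attempt after the ban expires starts a fresh count.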
Re: Security newbie?
On 7/18/07, Art Edwards [EMAIL PROTECTED] wrote:
> 1. Are there repositories of offending IP addresses to block? Can/should one contribute to these?

denyhosts does that for you. Also have a look at fail2ban, which can drop IPs for a certain amount of time after a certain amount of certain logmessages, which are certainly configurable and certainly I haven't written a sentence yet that matches the substring you know which one that often.

> 2. The attacks never use the same user name more than once. Is there a way to block access, even temporarily, from an IP address after a set number of attempts, even if the attempts use different user names?

fail2ban

> 3. Are there other obvious things I should be doing?

If it's ssh - it's just obscurity, but I found that 90% of the script kiddies won't hit you if you move your port elsewhere.

hth
martin