RE: can't figure out ssh, read lots of docs...
On Fri, 2005-06-03 at 10:03 -0400, fbsd_user wrote:
> The abuse-reporting-system scripts can be downloaded from
>
> http://www.unixguide.net/freebsd/fbsd_installguide/index.php or
> http://freebsd.packards-home.net/index.php
>
> It was submitted to FreeBSD as a port but not accepted yet.

Until it is you can use this one:

# cd /usr/ports && make search name=ppars
Port:   ppars-1.0
Path:   /usr/ports/security/ppars
Info:   Proactive Probing Abuse Reporting System
Maint:  [EMAIL PROTECTED]
B-deps: perl-5.8.6_2
R-deps: p5-Net-Netmask-1.9012 perl-5.8.6_2
WWW:    http://www.dshield.org/linux_clients.php#freebsd
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: can't figure out ssh, read lots of docs...
All the talk so far has been about how to stop attacks at your front door. This does nothing to really get back at the attacker to stop them from sending out their attacks.

I use the abuse-reporting-system scripts. I have my ipfilter firewall log all these attacks/probes and then when the /var/log/security file rolls over the log is passed through the scripts that do a whois on the sending IP address to find the ISP owner's abuse reporting email address and then send the firewall log records to the ISP.

Before I started running this abuse-reporting system I was getting over 1200 attack/probe packets a day. Now after 6 months of running it I get less than 60 per day, which are first-time packets hitting me. If you really want to stop this trash from running up your bandwidth charges this is the way to get back at the attackers. The owning ISP just turns off their accounts. There is still some udp spoofing happening but that is small compared to the rest of the trash hitting your front door.

The abuse-reporting-system scripts can be downloaded from

http://www.unixguide.net/freebsd/fbsd_installguide/index.php or
http://freebsd.packards-home.net/index.php

It was submitted to FreeBSD as a port but not accepted yet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Preston
Sent: Wednesday, June 01, 2005 6:44 PM
To: Steven Friedrich
Cc: freebsd-questions@freebsd.org
Subject: Re: can't figure out ssh, read lots of docs...

I just want to add a little about allowing root login over ssh and using common user names as login names if I may. I just left an admin job where we were running a live server and I used to read the log files every day. The number of brute force attempts to log in to sshd was staggering, sometimes over 700 attempts in a day from many different locations (usually script kiddies). I had the only user account so it wasn't my users making mistakes. 90%+ of the attempts were for the root account. The other 10% were for common names like steven, rick, and paul; the list goes on. So I would recommend that you keep root login disabled and don't use common names for login names. Most people were setting up scripts to block the offending attacker. Not to mention every security document or site I have ever read has said "Don't allow remote root login".

Thanks for letting me spew,
Rick

On 6/1/05, Steven Friedrich <[EMAIL PROTECTED]> wrote:
> Thanks to Nathan Kinkade, Roland Smith, Greg Barniskis, and Rick Preston for
> the replies. Each gave me quite a bit of info and I'm still digesting it.
>
> I've been successful using ssh-agent, though I have to enter the passphrase
> each time I run my script. That's really only an annoyance now because I'm
> developing the script and have to enter it often. That goes away when the
> script is stable.
>
> I've been using ssh to login to my local machines for quite some time and
> never realized I didn't have it set up quite right, because it was asking for
> a passwd, which means all other means failed.
>
> What I did notice though, is that I can't login as root using ssh. I haven't
> found this mentioned in the man pages.
>
> Anybody know where it's documented, whether it can be changed, and would that
> be a colossal mistake?
>
> I mean, hey, it's a secure shell, why can't I login as root?
>
> The reason I want to use root is because I'm trying to scp /etc/master.passwd
> from each of my four machines so I can write them to a CD for backup.
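As an added example that is not part of fbsd_user's post or the ppars scripts: the first stage of the pipeline described above, grouping blocked packets by source address from ipmon-style log lines so that only repeat offenders go on to the whois lookup and the abuse mail. The log lines are constructed for the example (loosely modelled on ipmon(8) syslog output, using documentation address ranges), and the threshold and the log path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the ppars scripts from the thread): aggregate blocked
# probes per source address from ipmon-style log lines, the "group by
# sender" step that precedes the whois lookup and the abuse report.

# Constructed sample, loosely modelled on ipmon(8) syslog output; the
# addresses are from documentation ranges, not real probes.
SAMPLE_LOG='Jun  3 09:12:44 gw ipmon[211]: 09:12:44.123456 fxp0 @0:12 b 203.0.113.5,3421 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
Jun  3 09:12:45 gw ipmon[211]: 09:12:45.001122 fxp0 @0:12 b 203.0.113.5,3422 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
Jun  3 09:12:46 gw ipmon[211]: 09:12:46.334455 fxp0 @0:12 b 203.0.113.5,3423 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
Jun  3 09:13:01 gw ipmon[211]: 09:13:01.556677 fxp0 @0:12 b 192.0.2.77,51002 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
Jun  3 09:13:09 gw ipmon[211]: 09:13:09.778899 fxp0 @0:7 p 192.0.2.9,40000 -> 198.51.100.2,80 PR tcp len 20 48 -S IN
Jun  3 09:14:00 gw ipmon[211]: 09:14:00.000001 fxp0 @0:12 b 203.0.113.5,3424 -> 198.51.100.2,23 PR tcp len 20 48 -S IN'

# probe_counts: read log lines on stdin, keep only blocked ("b") packets,
# and print "count source" with the noisiest source first.
probe_counts() {
    awk '
        {
            # locate the "->" token; the field before it is "src,sport"
            # and the field before that is the ipmon action (b = blocked)
            for (i = 1; i <= NF; i++) {
                if ($i == "->") {
                    if ($(i-2) != "b") next
                    split($(i-1), a, ",")
                    count[a[1]]++
                    break
                }
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# report_sources MIN: sources that sent at least MIN blocked packets, the
# candidates for an abuse report. Anything below MIN is left alone so a
# single stray packet never turns into a complaint to somebody's ISP.
report_sources() {
    min="$1"
    probe_counts | awk -v min="$min" '$1 >= min { print $2 }'
}

# Usage from a log-rotation hook (assumed path; adjust for your setup):
#   report_sources 3 < /var/log/security.0
```

The whois and mail steps are deliberately left out: they need network access and, more to the point, a look at the whois output by a human before a complaint goes to a third party, because spoofed UDP sources (which the post itself mentions) would otherwise get innocent networks reported.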
Re: can't figure out ssh, read lots of docs...
Giorgos Keramidas <[EMAIL PROTECTED]> writes:

> On 2005-06-02 18:01, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> > Giorgos Keramidas <[EMAIL PROTECTED]> writes:
> > > On 2005-06-02 10:38, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> > > > The original poster wanted to do automated backups via scp. This
> > > > kind of application *requires* empty passphrases
> > >
> > > Nope. scp works fine with a pass-phrase too, if one uses ssh-agent
> > > properly, regardless of the remote user being root or not.
> >
> > You're recommending leaving an ssh-agent instance running unattended
> > instead of having a passphrase-less key?
>
> Not really. In fact, this was exactly what I said is a "bad idea" in a
> previous post.

Okay, so how *do* you apply the agent approach to automated operation? The "automated" process only works when the operator is present?

> > That just means you have to protect the agent's socket as carefully as
> > you would have to protect the unencrypted key file.
>
> For only as long as the agent process is alive. Which is usually a lot
> less than "forever" -- the time for which an unencrypted key which also
> exists in authorized_keys works.
>
> > You are right: there *are* ways to give access to the key other than
> > empty passphrases. The only real disadvantage of the agent approach
> > is that the key becomes inaccessible when the system reboots.
>
> Exactly (or when I issue `pkill ssh-agent').

That can be a *huge* disadvantage. For my home network, I'm willing to have operator intervention required to do a backup. But I wouldn't recommend that approach for a commercial operation.
Re: can't figure out ssh, read lots of docs...
On 2005-06-02 18:01, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas <[EMAIL PROTECTED]> writes:
> > On 2005-06-02 10:38, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> > > The original poster wanted to do automated backups via scp. This
> > > kind of application *requires* empty passphrases
> >
> > Nope. scp works fine with a pass-phrase too, if one uses ssh-agent
> > properly, regardless of the remote user being root or not.
>
> You're recommending leaving an ssh-agent instance running unattended
> instead of having a passphrase-less key?

Not really. In fact, this was exactly what I said is a "bad idea" in a previous post.

> That just means you have to protect the agent's socket as carefully as
> you would have to protect the unencrypted key file.

For only as long as the agent process is alive. Which is usually a lot less than "forever" -- the time for which an unencrypted key which also exists in authorized_keys works.

> You are right: there *are* ways to give access to the key other than
> empty passphrases. The only real disadvantage of the agent approach
> is that the key becomes inaccessible when the system reboots.

Exactly (or when I issue `pkill ssh-agent').
Re: can't figure out ssh, read lots of docs...
Giorgos Keramidas <[EMAIL PROTECTED]> writes:

> On 2005-06-02 10:38, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> > The original poster wanted to do automated backups via scp. This kind
> > of application *requires* empty passphrases
>
> Nope. scp works fine with a pass-phrase too, if one uses ssh-agent
> properly, regardless of the remote user being root or not.

You're recommending leaving an ssh-agent instance running unattended instead of having a passphrase-less key? That just means you have to protect the agent's socket as carefully as you would have to protect the unencrypted key file.

I guess what I should have said was that such an application requires an unencrypted key sitting around. You are right: there *are* ways to give access to the key other than empty passphrases. The only real disadvantage of the agent approach is that the key becomes inaccessible when the system reboots.
Re: can't figure out ssh, read lots of docs...
On 2005-06-02 10:38, Lowell Gilbert <[EMAIL PROTECTED]> wrote:
> Giorgos Keramidas <[EMAIL PROTECTED]> writes:
> > On 2005-06-01 14:38, Nathan Kinkade <[EMAIL PROTECTED]> wrote:
> > > The poster is correct in that what you probably want to do is setup
> > > public-key authentication using ssh, however, I would highly recommend
> > > that you NOT use a blank passphrase for your private key. ssh-agent,
> > > a utility that I think comes standard with the openssh package [...]
> >
> > My strong agreement about *NOT* using empty passphrases. Indeed,
> > ssh-agent comes with OpenSSH and it is a _MUCH_ better way of using
> > SSH keys with non-empty passphrases.
>
> The original poster wanted to do automated backups via scp. This kind
> of application *requires* empty passphrases

Nope. scp works fine with a pass-phrase too, if one uses ssh-agent properly, regardless of the remote user being root or not.
Re: can't figure out ssh, read lots of docs...
Giorgos Keramidas <[EMAIL PROTECTED]> writes:

> On 2005-06-01 14:38, Nathan Kinkade <[EMAIL PROTECTED]> wrote:
> > The poster is correct in that what you probably want to do is setup
> > public-key authentication using ssh, however, I would highly recommend
> > that you NOT use a blank passphrase for your private key. ssh-agent,
> > a utility that I think comes standard with the openssh package [...]
>
> My strong agreement about *NOT* using empty passphrases. Indeed,
> ssh-agent comes with OpenSSH and it is a _MUCH_ better way of using
> SSH keys with non-empty passphrases.

The original poster wanted to do automated backups via scp. This kind of application *requires* empty passphrases (and is discussed as such in the manual for sshd's configuration). However, it doesn't necessarily require remote root access.

I do something kind of similar, but I have the privileged operations conducted from a local cron job, which then pushes the results out to an unprivileged, tightly constrained account on the other machine. So the actual remote access is not to root, but to an account that is not capable of doing much.
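Added example, not from Lowell's post: one way to build the "unprivileged, tightly constrained account" he describes, using an authorized_keys forced command. sshd ignores whatever command the client asked for, runs the wrapper instead, and hands the original request over in SSH_ORIGINAL_COMMAND; the wrapper admits only classic-protocol scp uploads into one directory. The account name, drop directory and script path are assumptions. On OpenSSH 7.2 and later the option list can be shortened to `restrict`, and on 9.0 and later scp speaks SFTP unless invoked with `-O`, in which case it is the sftp subsystem (for instance `internal-sftp` under a ChrootDirectory) that needs restricting rather than this wrapper.

```shell
#!/bin/sh
# backup-dropbox: forced command for a push-only backup account.
# Added example, not from the thread. Assumed authorized_keys entry for the
# remote account (one line):
#
#   command="/usr/local/bin/backup-dropbox",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@admin-host
#
# sshd runs this script instead of the client's command; the client's
# request is available only in $SSH_ORIGINAL_COMMAND.

DROPBOX="/home/backup/incoming"   # assumed drop directory, owned by the account

# allowed_command CMD: succeed only for a classic scp upload into $DROPBOX,
# either the directory itself or one plain file name inside it. Empty
# commands, other programs, options and path traversal are all refused.
allowed_command() {
    case "$1" in
        "scp -t $DROPBOX" | "scp -t $DROPBOX/")
            return 0 ;;
        "scp -t $DROPBOX/"*)
            rest="${1#scp -t $DROPBOX/}"
            case "$rest" in
                ""|*..*|*[!A-Za-z0-9._-]*) return 1 ;;   # one safe file name only
                *) return 0 ;;
            esac ;;
        *)  return 1 ;;
    esac
}

main() {
    if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
        echo "interactive login not permitted" >&2
        exit 1
    fi
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t backup-dropbox "accepted: $SSH_ORIGINAL_COMMAND"
        # word-splitting is safe: the patterns above admit no quoting or metacharacters
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t backup-dropbox "rejected: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
}

# Act as the wrapper only when installed and executed under its own name,
# so the file can also be sourced to exercise allowed_command.
case "$0" in
    */backup-dropbox|backup-dropbox) main ;;
esac
```

On the admin host the root cron job then runs something like `scp -O -i /root/.ssh/backup_key /etc/master.passwd backup@host:/home/backup/incoming/master.passwd.$(hostname)`; the destination must be spelled out as an absolute path because the check is a literal string match on what scp sends, and a relative path would be rejected.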
Re: can't figure out ssh, read lots of docs...
On Jun 01 05 05:57PM, Steven Friedrich wrote:
> What I did notice though, is that I can't login as root using ssh. I
> haven't found this mentioned in the man pages.
>
> Anybody know where it's documented, whether it can be changed, and would
> that be a colossal mistake?

Again, if I may reiterate, it is highly dangerous to allow root login. Although if you _must_ know, you want to add:

PermitRootLogin = Yes

to your sshd_config file and then restart sshd. Beware!

> I mean, hey, it's a secure shell, why can't I login as root?
>
> The reason I want to use root is because I'm trying to scp
> /etc/master.passwd from each of my four machines so I can write them to
> a CD for backup.

- j
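Added example, not from j's post or from OpenSSH: the setting above next to what a hardened sshd_config for this use case looks like, together with a small shell audit that reads a config file and reports on the settings this thread keeps coming back to. Both config fragments are constructed for the example and the names in AllowUsers are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sshd_config settings the
# discussion turns on. Constructed "weak" and "hardened" fragments follow;
# on a real host run audit_sshd_config /etc/ssh/sshd_config instead.

WEAK_CONFIG='# what the poster would end up with
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONFIG='# keys only, no root shell from the network, named accounts only
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers steven backup
MaxAuthTries 3
LoginGraceTime 30'

# setting FILE KEYWORD: print the effective value of KEYWORD. sshd takes the
# first occurrence, treats keywords case-insensitively and accepts both
# "Key value" and "Key=value"; comments are stripped first.
setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: one finding per line on stdout; return 1 if any.
audit_sshd_config() {
    f="$1"; rc=0

    v=$(setting "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        "") echo "PermitRootLogin unset (OpenSSH before 7.0 defaults to yes)"; rc=1 ;;
        *)  echo "PermitRootLogin $v: root is reachable over the network"; rc=1 ;;
    esac

    v=$(setting "$f" PasswordAuthentication)
    [ "$v" = "no" ] || {
        echo "PasswordAuthentication ${v:-unset}: password brute force stays possible"; rc=1
    }

    # only the first name is printed by setting(); non-empty is what matters here
    v=$(setting "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers unset: every account is a login target"; rc=1; }

    return $rc
}
```

Run it after editing and before restarting sshd, and keep the current session open until a second login with the new settings has succeeded, since a typo here locks you out. `sshd -T` prints the effective configuration including compiled-in defaults and Match blocks, which this file-only check does not see.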
Re: can't figure out ssh, read lots of docs...
On 2005-06-01 17:57, Steven Friedrich <[EMAIL PROTECTED]> wrote:
> Thanks to Nathan Kinkade, Roland Smith, Greg Barniskis, and Rick Preston for
> the replies. Each gave me quite a bit of info and I'm still digesting it.
>
> I've been successful using ssh-agent, though I have to enter the passphrase
> each time I run my script. That's really only an annoyance now because I'm
> developing the script and have to enter it often. That goes away when the
> script is stable.

Save the output of ssh-agent's invocation somewhere, say in ~/.ssh/rc.agent:

$ ssh-agent > .ssh/rc.agent
$ . .ssh/rc.agent

Then, use ssh-add to load the keys to the background agent:

$ ssh-add .ssh/id_dsa

Other shells, even ones that are started from different sessions, much later, can source the ~/.ssh/rc.agent script and use the already loaded keys.

Make sure you don't leave an ssh-agent running and leave for vacations or something though, because that defeats the entire non-empty password thing :-)
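Added example, not from Giorgos's post: the rc.agent recipe above wrapped into a function a backup script can call, with two checks the bare recipe lacks. A saved rc.agent goes stale after a reboot or `pkill ssh-agent`, so the socket and the process are verified before the file is trusted, and keys are added with a lifetime (`ssh-add -t`) so an agent that is forgotten stops answering by itself. File names, the key name and the one-hour lifetime are this example's choices.

```shell
#!/bin/sh
# Added example (not from the thread): reuse a saved ssh-agent if it is
# still alive, otherwise start one, and make sure a key is loaded before
# the backup's scp calls run.

AGENT_RC="${HOME}/.ssh/rc.agent"      # where ssh-agent's output is kept (assumed)
KEY_FILE="${HOME}/.ssh/id_ed25519"    # assumed key name
KEY_LIFETIME=3600                     # seconds; passed to ssh-add -t

# agent_usable RCFILE: source the saved environment and succeed only if the
# socket still exists and the agent process is still running.
agent_usable() {
    [ -r "$1" ] || return 1
    . "$1" > /dev/null                # ssh-agent output ends with "echo Agent pid N"
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2> /dev/null
}

# agent_has_keys: ssh-add -l exits 0 with keys loaded, 1 with none, 2 if
# it cannot reach an agent at all.
agent_has_keys() {
    ssh-add -l > /dev/null 2>&1
}

# ensure_agent: reuse or start the agent, then load the key if needed.
# Prints which path it took so cron mail shows what happened.
ensure_agent() {
    if agent_usable "$AGENT_RC"; then
        echo "reusing agent pid $SSH_AGENT_PID"
    else
        umask 077                                # the rc file names the socket
        ssh-agent -s > "$AGENT_RC" || return 1
        . "$AGENT_RC" > /dev/null
        echo "started agent pid $SSH_AGENT_PID"
    fi
    agent_has_keys || ssh-add -t "$KEY_LIFETIME" "$KEY_FILE"
}

# In the backup script:  ensure_agent || exit 1   (before the scp calls)
# When no key is loaded, ssh-add prompts for the passphrase: that is the
# operator-present step the thread is arguing about, and there is no way
# around it short of an unencrypted key.
```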
Re: can't figure out ssh, read lots of docs...
On 2005-06-01 14:38, Nathan Kinkade <[EMAIL PROTECTED]> wrote:
> The poster is correct in that what you probably want to do is setup
> public-key authentication using ssh, however, I would highly recommend
> that you NOT use a blank passphrase for your private key. ssh-agent,
> a utility that I think comes standard with the openssh package [...]

My strong agreement about *NOT* using empty passphrases. Indeed, ssh-agent comes with OpenSSH and it is a _MUCH_ better way of using SSH keys with non-empty passphrases.
Re: can't figure out ssh, read lots of docs...
I just want to add a little about allowing root login over ssh and using common user names as login names if I may. I just left an admin job where we were running a live server and I used to read the log files every day. The number of brute force attempts to log in to sshd was staggering, sometimes over 700 attempts in a day from many different locations (usually script kiddies). I had the only user account so it wasn't my users making mistakes. 90%+ of the attempts were for the root account. The other 10% were for common names like steven, rick, and paul; the list goes on. So I would recommend that you keep root login disabled and don't use common names for login names. Most people were setting up scripts to block the offending attacker. Not to mention every security document or site I have ever read has said "Don't allow remote root login".

Thanks for letting me spew,
Rick

On 6/1/05, Steven Friedrich <[EMAIL PROTECTED]> wrote:
> Thanks to Nathan Kinkade, Roland Smith, Greg Barniskis, and Rick Preston for
> the replies. Each gave me quite a bit of info and I'm still digesting it.
>
> I've been successful using ssh-agent, though I have to enter the passphrase
> each time I run my script. That's really only an annoyance now because I'm
> developing the script and have to enter it often. That goes away when the
> script is stable.
>
> I've been using ssh to login to my local machines for quite some time and
> never realized I didn't have it set up quite right, because it was asking for
> a passwd, which means all other means failed.
>
> What I did notice though, is that I can't login as root using ssh. I haven't
> found this mentioned in the man pages.
>
> Anybody know where it's documented, whether it can be changed, and would that
> be a colossal mistake?
>
> I mean, hey, it's a secure shell, why can't I login as root?
>
> The reason I want to use root is because I'm trying to scp /etc/master.passwd
> from each of my four machines so I can write them to a CD for backup.
Re: can't figure out ssh, read lots of docs...
Steven Friedrich <[EMAIL PROTECTED]> writes:

> What I did notice though, is that I can't login as root using ssh. I haven't
> found this mentioned in the man pages.
>
> Anybody know where it's documented, whether it can be changed, and would that
> be a colossal mistake?

Try the sshd_config(5) manual.

> I mean, hey, it's a secure shell, why can't I login as root?

Accountability.

> The reason I want to use root is because I'm trying to scp /etc/master.passwd
> from each of my four machines so I can write them to a CD for backup.

You can do that without allowing root to get a shell from a remote system. Again, see the manual for the options available.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: can't figure out ssh, read lots of docs...
--On Wednesday, June 01, 2005 17:57:56 -0400 Steven Friedrich <[EMAIL PROTECTED]> wrote:

> I've been successful using ssh-agent, though I have to enter the passphrase
> each time I run my script. That's really only an annoyance now because I'm
> developing the script and have to enter it often. That goes away when the
> script is stable.

First you run ssh-agent screen. Then you run ssh-add, and, when prompted, type in your passphrase.

> What I did notice though, is that I can't login as root using ssh. I haven't
> found this mentioned in the man pages.

You should *never* allow remote logins for root. You don't need it. Log in using your own account and then use sudo or su - to perform functions that only root can perform.

> Anybody know where it's documented, whether it can be changed, and would that
> be a colossal mistake?

You change it in the ssh config file, but don't.

> I mean, hey, it's a secure shell, why can't I login as root?
>
> The reason I want to use root is because I'm trying to scp /etc/master.passwd
> from each of my four machines so I can write them to a CD for backup.

scp the file to your home directory, then move it wherever you want to by using sudo or su -. Don't allow remote root logins. It's unwise.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: can't figure out ssh, read lots of docs...
Thanks to Nathan Kinkade, Roland Smith, Greg Barniskis, and Rick Preston for the replies. Each gave me quite a bit of info and I'm still digesting it.

I've been successful using ssh-agent, though I have to enter the passphrase each time I run my script. That's really only an annoyance now because I'm developing the script and have to enter it often. That goes away when the script is stable.

I've been using ssh to login to my local machines for quite some time and never realized I didn't have it set up quite right, because it was asking for a passwd, which means all other means failed.

What I did notice though, is that I can't login as root using ssh. I haven't found this mentioned in the man pages.

Anybody know where it's documented, whether it can be changed, and would that be a colossal mistake?

I mean, hey, it's a secure shell, why can't I login as root?

The reason I want to use root is because I'm trying to scp /etc/master.passwd from each of my four machines so I can write them to a CD for backup.
Re: can't figure out ssh, read lots of docs...
On Wed, Jun 01, 2005 at 02:24:07PM -0500, Greg Barniskis wrote:
> Steven Friedrich wrote:
> > I'm trying to use scp and I get prompted for a password or passphrase for
> > each invocation.
> >
> > I figure I need to figure out how to get ssh to connect without prompting,
> > but I just can't get it. I've read all the man pages and my head is
> > swirling. I went to the OpenSSH web site and got no further. I've been
> > in the business for 28 years and can usually figure things out from man
> > pages, but ssh doesn't seem to be clear enough. I've been unemployed for
> > over a year and can't afford the OReilly book right now (which I'm
> > offering as my defense for asking here).
>
> (the sshd server). Since what you say you want is real transparency
> (no prompts), don't assign a passphrase when generating the keys.
>
> Greg Barniskis, Computer Systems Integrator

The poster is correct in that what you probably want to do is set up public-key authentication using ssh, however, I would highly recommend that you NOT use a blank passphrase for your private key. ssh-agent, a utility that I think comes standard with the openssh package, will store your passphrase for a given login session and automatically supply it for you so that you don't have to type the passphrase each time. Check the manpage for ssh-agent(1).

To make it even more convenient there is a nice little shell script program called keychain that will manage your passphrases for all login sessions at once. With keychain you will only have to supply your passphrase(s) once when you first login or boot your system and that's it. I don't think leaving a private key around on your system without a passphrase is a good idea, and especially if you are using it to automatically authenticate to a remote machine. Keychain is in the ports collection.

http://www.gentoo.org/proj/en/keychain/

Nathan
Re: can't figure out ssh, read lots of docs...
On Wed, Jun 01, 2005 at 02:49:45PM -0400, Steven Friedrich wrote:
> I'm trying to use scp and I get prompted for a password or passphrase
> for each invocation.
>
> I figure I need to figure out how to get ssh to connect without
> prompting, but I just can't get it. I've read all the man pages and
> my head is swirling. I went to the OpenSSH web site and got no
> further. I've been in the business for 28 years and can usually
> figure things out from man pages, but ssh doesn't seem to be clear
> enough.

Try invoking ssh with the -v option, to see what goes wrong.

> I've used ssh-keygen and I'm trying to login to the localhost (using its
> hostname).

Have you copied $HOME/.ssh/identity.pub to $HOME/.ssh/authorized_keys on the target machine?

> Anybody know of a short tutorial that just works?

I'm using the ssh1 protocol. I've set the following in ~/.ssh/config:

PasswordAuthentication = no
RhostsAuthentication = no
RhostsRSAAuthentication = no
RSAAuthentication = yes

That works for me.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: can't figure out ssh, read lots of docs...
Steven Friedrich wrote:
> I'm trying to use scp and I get prompted for a password or passphrase for
> each invocation.
>
> I figure I need to figure out how to get ssh to connect without prompting,
> but I just can't get it. I've read all the man pages and my head is
> swirling. I went to the OpenSSH web site and got no further. I've been in
> the business for 28 years and can usually figure things out from man pages,
> but ssh doesn't seem to be clear enough. I've been unemployed for over a
> year and can't afford the OReilly book right now (which I'm offering as my
> defense for asking here).
>
> I've got two free chapters from the OReilly book, but they don't help.
>
> I've used ssh-keygen and I'm trying to login to the localhost (using its
> hostname).
>
> Anybody know of a short tutorial that just works?

I too had to read a lot of pages before getting the requisite "aha!" moment for this feature, but what you need is here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssh.html

Section 14.11.6 is awfully short, but it does summarize the relevant information. Basically, you take the public key generated for "username" on one machine (the ssh client) and append it to the authorized_keys file for the same "username" on the other machine (the sshd server). Since what you say you want is real transparency (no prompts), don't assign a passphrase when generating the keys.

If you've already gotten that far, using ssh -v[vv] can help you isolate where things are going wrong.

--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK), (608) 266-6348
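Added example, not from Greg's post or the handbook: the append-to-authorized_keys step as a function, plus the permission check behind most "it still asks for a password" reports. With its default StrictModes, sshd refuses keys from a home directory, .ssh directory or authorized_keys file that is group- or world-writable and then quietly falls through to password authentication, which is exactly the symptom the original poster describes. Paths are parameters so the functions can be exercised on a scratch directory; the key used in the test is a constructed, non-functional blob. Newer OpenSSH ships `ssh-copy-id`, which does the same job over the network.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key into
# authorized_keys once, with the file modes sshd's StrictModes expects.

# install_authorized_key PUBKEY_FILE TARGET_HOME
#   Appends the first key in PUBKEY_FILE to TARGET_HOME/.ssh/authorized_keys
#   unless it is already there, and fixes the modes on the way.
install_authorized_key() {
    pub="$1"; home="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"

    # a public key line is "type base64-blob [comment]"; compare on the
    # first two fields since the comment may differ between copies
    keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    [ -n "$keyid" ] || { echo "no key found in $pub" >&2; return 1; }

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    if awk -v k="$keyid" 'NF >= 2 && ($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
    else
        head -n 1 "$pub" >> "$auth" && echo "installed"
    fi
    chmod go-w "$home"        # sshd checks the home directory too
}

# check_key_perms TARGET_HOME
#   Report anything StrictModes would reject: group- or world-writable
#   home, .ssh or authorized_keys. Uses ls -ld so it works on BSD and GNU
#   alike (column 6 is group write, column 9 is other write).
check_key_perms() {
    home="$1"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        case "$(ls -ld "$p" | cut -c6,9)" in
            --) ;;
            *)  echo "$p is group or world writable"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on the sshd side, with the client's ~/.ssh/id_ed25519.pub
# copied over by hand (paths assumed):
#   install_authorized_key /tmp/id_ed25519.pub "$HOME" && check_key_perms "$HOME"
```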
Re: can't figure out ssh, read lots of docs...
You should be able to find everything you need here.

http://www-106.ibm.com/developerworks/library/l-keyc.html

I set it up in the lab (on 4.7) and it worked great.

Good luck,
Rick

PS. sorry you got it twice Steven, I forgot to click reply all.

On 6/1/05, Steven Friedrich <[EMAIL PROTECTED]> wrote:
> I'm trying to use scp and I get prompted for a password or passphrase for each
> invocation.
>
> I figure I need to figure out how to get ssh to connect without prompting, but
> I just can't get it. I've read all the man pages and my head is swirling. I
> went to the OpenSSH web site and got no further. I've been in the business
> for 28 years and can usually figure things out from man pages, but ssh
> doesn't seem to be clear enough. I've been unemployed for over a year and
> can't afford the OReilly book right now (which I'm offering as my defense for
> asking here).
>
> I've got two free chapters from the OReilly book, but they don't help.
>
> I've used ssh-keygen and I'm trying to login to the localhost (using its
> hostname).
>
> Anybody know of a short tutorial that just works?
>
> --
> i386 FreeBSD 4.11-STABLE
> There are 10 types of people in this world. Ones that understand binary and
> then, the others.