Re: [gentoo-user] SSH authentication attempts - serious issue
2006/6/5, Jeremy Olexa <[EMAIL PROTECTED]>:
> Leandro Melo de Sales wrote:
> > How can I recompile openssh to support tcpwrapper? I can't find
> > /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> > Is there a way to put tcpwrapper as a turned-on option for all
> > programs that support it?
>
> You have to create those files yourself. Check the man pages for details.
>
> > Specifically for openssh I edited the /etc/portage/package.use file and put:
> >
> > net-misc/openssh tcpwrapper, but I got this:
> >
> > # emerge --pretend openssh
> >
> > These are the packages that I would merge, in order:
> >
> > Calculating dependencies ...done!
> > [ebuild R ] net-misc/openssh-4.3_p2-r1
>
> emerge -pv openssh to see the use flags
>
> > I want to see +tcpwrapper...
> >
> > Leandro
>
> --
> Jeremy Olexa ([EMAIL PROTECTED])
> Office: EE/CS 1-201
> CS/IT Systems Staff
> University of Minnesota

OK. Thanks all, now it is working.

--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] SSH authentication attempts - serious issue
Leandro Melo de Sales wrote:
> How can I recompile openssh to support tcpwrapper? I can't find
> /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> Is there a way to put tcpwrapper as a turned-on option for all
> programs that support it?

You have to create those files yourself. Check the man pages for details.

> Specifically for openssh I edited the /etc/portage/package.use file and put:
>
> net-misc/openssh tcpwrapper, but I got this:
>
> # emerge --pretend openssh
>
> These are the packages that I would merge, in order:
>
> Calculating dependencies ...done!
> [ebuild R ] net-misc/openssh-4.3_p2-r1

emerge -pv openssh to see the use flags

> I want to see +tcpwrapper...
>
> Leandro

--
Jeremy Olexa ([EMAIL PROTECTED])
Office: EE/CS 1-201
CS/IT Systems Staff
University of Minnesota
Re: [gentoo-user] SSH authentication attempts - serious issue
Yes, Petr is right.
On my system I have port knocking running on a FreeSCO firewall. Freesco has a port-knocking module that you load. That is the best setup.
--
#Joseph

> this should help you: http://gentoo-wiki.com/HOWTO_Port_Knocking
> Works well
>
> Petr
Re: [gentoo-user] SSH authentication attempts - serious issue
On Mon, 5 Jun 2006, Oliver Schmidt wrote:
> > Hi,
> >
> >    today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
> >
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with a time
> > interval between attempts of 2 or 3 seconds, meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, am I thinking correctly about the sshd attempts?
> > Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
>
> Try using Denyhosts ... no problem with brute-force attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've been using it for more than a year now... it's perfect to block brute-force attacks.
>
> cheers
> Oli

Agreed, DenyHosts works great, even sends me an email when it adds an address. DenyHosts can also be configured to watch ftp server logs. You don't need to run it from a cron script (though you certainly can); there is an init script created on install that works just fine too.
Re: [gentoo-user] SSH authentication attempts - serious issue
On Monday 05 June 2006 19:12, Leandro Melo de Sales wrote:
> 2006/6/5, Leandro Melo de Sales <[EMAIL PROTECTED]>:
> > Yes, but how can I do it?
> >
> > 2006/6/5, Joseph <[EMAIL PROTECTED]>:
> > > Try port knocking. It is very effective.
> > > Your ssh port will be closed until you successfully hit a certain number
> > > of ports, and even though the ssh port will be open only to the IP
> > > address that successfully opened the port, all others will see the ssh port
> > > as closed.
> > >
> > > --
> > > #Joseph
> > >
> > > On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > > > Hi,
> > > >
> > > >    today when I was checking the server log I got many external
> > > > attempts to connect to my sshd service:
> > > >
> > > > ...
> > > > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > > > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > > > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > > > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > > > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > > > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > > > ...
>
> I mean, set it up!

Hi,

this should help you: http://gentoo-wiki.com/HOWTO_Port_Knocking
Works well

Petr
Re: [gentoo-user] SSH authentication attempts - serious issue
On Mon, Jun 05, 2006 at 02:15:34PM -0300, Leandro Melo de Sales wrote:
> How can I recompile openssh to support tcpwrapper? I can't find
> /etc/hosts.allow nor /etc/hosts.deny. Is there something missing?
> Is there a way to put tcpwrapper as a turned-on option for all
> programs that support it?

I'm pretty sure if you have neither a hosts.allow nor a hosts.deny then there are no special restrictions/allowances made against any remote hosts; see the man pages for hosts.allow, hosts.deny.

> Specifically for openssh I edited the /etc/portage/package.use file and put:
>
> net-misc/openssh tcpwrapper, but I got this:
>
> # emerge --pretend openssh
>
> I want to see +tcpwrapper...

you should try:

# emerge --pretend --verbose openssh

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] net-misc/openssh-4.3_p2-r1 USE="ipv6 pam tcpd -X509 -chroot -hpn -kerberos -ldap -libedit -sftplogging -skey -smartcard -static" 0 kB

and it looks like the tcpwrapper flag is 'tcpd', not 'tcpwrapper'.

Justin
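Added example (not code from the thread, from OpenSSH or from tcp_wrappers): a small Python model of the hosts_access(5) decision that libwrap makes once sshd is built with the tcpd USE flag. It covers the point Justin makes (no hosts.allow and no hosts.deny means nothing is restricted) and the entry DenyHosts writes ("sshd: <ip>" in hosts.deny). It is a deliberate subset: IPv4 address patterns only (ALL, an exact address, a trailing-dot prefix such as "192.168.1.", and net/mask), plus the EXCEPT operator; hostname patterns, IPv6 and the spawn/twist options are not modelled. The function names, the rule tables and the addresses (203.0.113.7, 198.51.100.4 from the documentation ranges) are all constructed for this example.

```python
"""Simplified model of the tcp_wrappers (libwrap) access decision.

Not libwrap itself: an added illustration of the hosts_access(5) rules.
Search order is the real one: /etc/hosts.allow first, then
/etc/hosts.deny, and a (daemon, client) pair matching neither is admitted.
"""
import ipaddress


def _match_pattern(pattern, ip):
    """Does one client pattern match this IPv4 address? (IPv4 subset only)"""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "192.168.1." -> prefix match
        return ip.startswith(pattern)
    if "/" in pattern:                              # "net/mask" form
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.IPv4Network("%s/%s" % (net, mask), strict=False)
            return ipaddress.IPv4Address(ip) in network
        except ValueError:
            return False
    return pattern == ip                            # exact address


def _match_daemon(pattern, daemon):
    """Daemon field: ALL or the process name (e.g. "sshd")."""
    return pattern == "ALL" or pattern == daemon


def _match_list(spec, value, matcher):
    """Match a comma/space separated list, honouring 'list_1 EXCEPT list_2'
    (matches list_1 unless it also matches list_2)."""
    if " EXCEPT " in spec:
        head, tail = spec.split(" EXCEPT ", 1)
        return _match_list(head, value, matcher) and not _match_list(tail, value, matcher)
    items = spec.replace(",", " ").split()
    return any(matcher(item, value) for item in items)


def _rules(text):
    """Yield (daemon_list, client_list) from a hosts.allow/hosts.deny body.
    Comments are stripped; a third field (shell command, option) is ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0]:
            continue
        yield fields[0], fields[1]


def _table_matches(text, daemon, ip):
    return any(_match_list(d, daemon, _match_daemon) and _match_list(c, ip, _match_pattern)
               for d, c in _rules(text))


def hosts_access(daemon, ip, allow_text="", deny_text=""):
    """True if libwrap would admit `ip` to `daemon` under these two files.
    An empty string stands for a missing file; with neither file present
    nothing is restricted, which is the situation Leandro started from."""
    if _table_matches(allow_text, daemon, ip):
        return True
    if _table_matches(deny_text, daemon, ip):
        return False
    return True


# Constructed example tables: admit sshd from the LAN and one admin host,
# refuse everything else to every wrapped daemon.
ALLOW = "sshd: 192.168.1., 198.51.100.4\n"
DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for client in ("192.168.1.5", "198.51.100.4", "203.0.113.7"):
        print(client, "->", "allowed" if hosts_access("sshd", client, ALLOW, DENY) else "denied")
```

A quick way to confirm that the rebuilt sshd actually consults these files is `ldd /usr/sbin/sshd | grep libwrap`; if libwrap is not linked in, hosts.deny entries (DenyHosts' included) have no effect on sshd. The daemon field has to be the process name, "sshd", for the rules to match.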
Re: [gentoo-user] SSH authentication attempts - serious issue
How can I recompile openssh to support tcpwrapper? I can't find /etc/hosts.allow nor /etc/hosts.deny. Is there something missing? Is there a way to put tcpwrapper as a turned-on option for all programs that support it?

Specifically for openssh I edited the /etc/portage/package.use file and put:

net-misc/openssh tcpwrapper, but I got this:

# emerge --pretend openssh

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] net-misc/openssh-4.3_p2-r1

I want to see +tcpwrapper...

Leandro

2006/6/5, Oliver Schmidt <[EMAIL PROTECTED]>:
> > Hi,
> >
> >    today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
> >
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with a time
> > interval between attempts of 2 or 3 seconds, meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, am I thinking correctly about the sshd attempts?
> > Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
>
> Try using Denyhosts ... no problem with brute-force attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've been using it for more than a year now... it's perfect to block brute-force attacks.
>
> cheers
> Oli
Re: [gentoo-user] SSH authentication attempts - serious issue
2006/6/5, Leandro Melo de Sales <[EMAIL PROTECTED]>:
> Yes, but how can I do it?
>
> 2006/6/5, Joseph <[EMAIL PROTECTED]>:
> > Try port knocking. It is very effective.
> > Your ssh port will be closed until you successfully hit a certain number
> > of ports, and even though the ssh port will be open only to the IP
> > address that successfully opened the port, all others will see the ssh port
> > as closed.
> >
> > --
> > #Joseph
> >
> > On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > > Hi,
> > >
> > >    today when I was checking the server log I got many external
> > > attempts to connect to my sshd service:
> > >
> > > ...
> > > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > > ...

I mean, set it up!
Re: [gentoo-user] SSH authentication attempts - serious issue
Yes, but how can I do it?

2006/6/5, Joseph <[EMAIL PROTECTED]>:
> Try port knocking. It is very effective.
> Your ssh port will be closed until you successfully hit a certain number
> of ports, and even though the ssh port will be open only to the IP
> address that successfully opened the port, all others will see the ssh port
> as closed.
>
> --
> #Joseph
>
> On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> > Hi,
> >
> >    today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...

--
Leandro Melo de Sales.
Computer Science Student
Laboratório de Sistemas Distribuídos - www.lsd.ufcg.edu.br
Laboratório de Sistemas Embarcados e Computação Pervasiva - www.embeddedacademy.org
Universidade Federal de Campina Grande - UFCG
Campina Grande - PB - Brasil
"Sometimes people fall in love, but a little bit of them really love or find a true love. Or sometimes they find it but for some reason they let love pass without living it intensely. This is the free will."
RE: [gentoo-user] SSH authentication attempts - serious issue
Do programs like denyhosts work with other protocols? Such as POP or FTP?

-----Original Message-----
From: Joseph [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 05, 2006 11:32 AM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] SSH authentication attempts - serious issue

Try port knocking. It is very effective.
Your ssh port will be closed until you successfully hit a certain number
of ports, and even though the ssh port will be open only to the IP
address that successfully opened the port, all others will see the ssh port
as closed.

--
#Joseph

On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> Hi,
>
>    today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
Re: [gentoo-user] SSH authentication attempts - serious issue
Try port knocking. It is very effective.
Your ssh port will be closed until you successfully hit a certain number
of ports, and even though the ssh port will be open only to the IP
address that successfully opened the port, all others will see the ssh port
as closed.

--
#Joseph

On Mon, 2006-06-05 at 12:06 -0300, Leandro Melo de Sales wrote:
> Hi,
>
>    today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
Re: [gentoo-user] SSH authentication attempts - serious issue
On Mon, Jun 05, 2006 at 05:27:24PM +0200, Oliver Schmidt wrote:
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with a time
> > interval between attempts of 2 or 3 seconds, meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, am I thinking correctly about the sshd attempts?
> > Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:

Please tell me if I am wrong, but IIRC, each connection attempt to sshd calls one instance of login, so although the LOGIN_RETRIES option sets 3 attempts before the program exits, an IP address is free to initiate another connection.

There have been many discussions on this list in the past 18 months regarding this very issue (blocking brute-force ssh attempts). A search on gmane should give you some ideas about how to use iptables to filter out the offending IP addresses by limiting the number of connections allowed per time period.

> Try using Denyhosts ... no problem with brute-force attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've been using it for more than a year now... it's perfect to block brute-force attacks.

Hey, this is a great program. If it were in portage earlier I wouldn't have needed to write my own solution to the problem. (I use a perl script to parse /var/log/pwdfail and drop the connection at the firewall.)

According to the homepage of denyhosts, it should be able to run in daemon mode, by following the log file. Is there any reason you prefer running it in crontab instead of as a daemon? I am asking because, judging from my past experiences, the attackers often send out multiple attempts per second, so a */10 would let in upwards of 30 attempts before denyhosts picks up.

Best,
W
--
Willie W. Wong [EMAIL PROTECTED]
brought to you by the Roman letter i, the Hebrew letter \aleph, the Greek letter \pi, and the non-letter \hbar
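Added example (not code from the thread, from DenyHosts or from Willie's perl script): the detection step that both DenyHosts and the home-grown scripts in this thread perform, written in Python over a constructed log. It parses the "Invalid user" lines Leandro posted and, going beyond the excerpt, the "Failed password for ..." lines OpenSSH logs once a real account is tried; it counts failures per source address inside a sliding window, emits the "sshd: <ip>" form DenyHosts writes into hosts.deny, and measures Willie's point about a */10 cron interval by counting how many attempts from one address land inside the first ten minutes. The year pinned to 2006 (syslog timestamps carry none), the addresses 203.0.113.7 and 198.51.100.4 standing in for the thread's x.y.w.z, and the function names are all assumptions of this example.

```python
"""Sliding-window detector for sshd brute-force attempts (added example).

Log lines follow the OpenSSH 4.x syslog format seen in the thread; the
sample below is constructed, with a documentation-range address in place
of the thread's x.y.w.z placeholder.
"""
import re
from datetime import datetime

# Two OpenSSH message shapes that indicate a failed or bogus login.
# "Invalid user" is logged as soon as the user lookup fails, before any
# password is checked, which is why a password-retry limit never sees it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user (?P<u1>\S+) from (?P<ip1>[\d.]+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>[\d.]+))"
)


def parse_line(line):
    """Return (timestamp, ip, user) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; pin one (assumption) so arithmetic is deterministic
    ts = datetime.strptime("2006 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2"), m.group("u1") or m.group("u2")


def find_offenders(lines, threshold=3, window_seconds=60):
    """Map each source IP to the timestamp of the attempt at which it reached
    `threshold` failures within `window_seconds`; IPs that never do are absent."""
    recent = {}      # ip -> timestamps still inside the window
    crossed = {}     # ip -> datetime at which the threshold was reached
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        hits = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= window_seconds]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= threshold and ip not in crossed:
            crossed[ip] = ts
    return crossed


def hosts_deny_entries(offenders):
    """Render hosts.deny lines in the form DenyHosts writes ("sshd: <ip>")."""
    return ["sshd: %s" % ip for ip in sorted(offenders)]


def attempts_before_cron(lines, ip, cron_minutes=10):
    """How many attempts from `ip` fall inside the first `cron_minutes` after
    its first one: what a cron-driven blocker lets through before it acts."""
    first, count = None, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != ip:
            continue
        first = first or parsed[0]
        if (parsed[0] - first).total_seconds() < cron_minutes * 60:
            count += 1
    return count


# Constructed sample modelled on the thread's excerpt; not real traffic.
SAMPLE = """\
Jun  5 05:09:45 embedded sshd[4740]: Invalid user barbara from 203.0.113.7
Jun  5 05:09:46 embedded sshd[4742]: Invalid user barb from 203.0.113.7
Jun  5 05:09:48 embedded sshd[4744]: Invalid user barbie from 203.0.113.7
Jun  5 05:09:50 embedded sshd[4746]: Invalid user barbra from 203.0.113.7
Jun  5 05:09:51 embedded sshd[4748]: Failed password for root from 203.0.113.7 port 50314 ssh2
Jun  5 05:09:53 embedded sshd[4750]: Accepted publickey for leandro from 198.51.100.4 port 40122 ssh2
Jun  5 05:10:02 embedded sshd[4752]: Failed password for invalid user admin from 203.0.113.7 port 50390 ssh2
""".splitlines()

if __name__ == "__main__":
    found = find_offenders(SAMPLE)
    for entry in hosts_deny_entries(found):
        print(entry)
    print("let through by a 10-minute cron:", attempts_before_cron(SAMPLE, "203.0.113.7"))
```

With a threshold of three failures the address is flagged at the third line (05:09:48), while a blocker that only runs every ten minutes sees all six attempts from that address before it writes anything; following the log continuously, as DenyHosts' daemon mode or a firewall rate limit does, closes that gap.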
Re: [gentoo-user] SSH authentication attempts - serious issue
On 05 June 2006 16:06, Leandro Melo de Sales wrote:
> Hi,
>
>    today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with a time
> interval between attempts of 2 or 3 seconds, meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
> So, first, am I thinking correctly about the sshd attempts?
> Second, how can I set up sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why didn't this work for the above connection attempts?

Because it wasn't a bad password. It never got to that stage. ;-)

Uwe
--
Mark Twain: I rather decline two drinks than a German adjective.
Re: [gentoo-user] SSH authentication attempts - serious issue
On Monday 5 June 2006 17:06, Leandro Melo de Sales wrote:
> Hi,
>
>    today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with a time
> interval between attempts of 2 or 3 seconds, meaning that the sshd
> didn't disconnect the remote host after 3 attempts.

AFAIK, sshd disconnects when 3 incorrect passwords are tried _for the same account_.

> So, first, am I thinking correctly about the sshd attempts?
> Second, how can I set up sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why didn't this work for the above connection attempts?

See above.

At the very least, you should not permit root login from ssh, and you should choose very strong passwords for the users that are allowed to log in or (better) set up public key authentication, although that is not very practical if the same users may log in from random hosts. In this case, one-time passwords could be useful (google for opie or otpw).

After that, there are many things you can (and should) do. Some examples include: changing the port on which the ssh daemon listens (not a very effective solution though), using port knocking, using iptables to limit the attempts to no more than two or three per minute, using one of the many denyhosts/fail2ban/captcha modules out there, and so on. Google is your friend here.

HTH
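Added example (not code from the thread or from OpenSSH): the two sshd_config settings named above, root login and password authentication, shown as a permissive file beside a hardened one, with a small Python checker that reports which of them a given config gets wrong. It also checks MaxAuthTries, the sshd_config directive that actually bounds authentication attempts per connection (the thread never names it; its OpenSSH default of 6 is my addition, as are the other defaults in the table, which match the OpenSSH 4.x generation discussed here). One edge case is built in: sshd_config(5) says the first value obtained for a keyword is used, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing, and the checker reports the effective value rather than the last one written. Match blocks are not modelled (parsing stops at the first Match line). Both config texts and all function names are constructed for this example.

```python
"""Audit an sshd_config against the hardening advice in the thread (added example).

Parsing follows sshd_config(5): "keyword value" or "keyword=value", '#'
comments, case-insensitive keywords, first occurrence of a keyword wins.
Defaults are those assumed for OpenSSH 4.x (PermitRootLogin yes,
PasswordAuthentication yes, PubkeyAuthentication yes, MaxAuthTries 6).
"""

# keyword -> (acceptable values, message); MaxAuthTries is range-checked instead
CHECKS = {
    "permitrootlogin": ({"no", "without-password", "prohibit-password"},
                        "PermitRootLogin should be 'no' (or key-only)"),
    "passwordauthentication": ({"no"},
                               "PasswordAuthentication should be 'no' (use public keys)"),
    "pubkeyauthentication": ({"yes"},
                             "PubkeyAuthentication should be 'yes'"),
    "maxauthtries": (None, "MaxAuthTries should be 3 or less"),
}

# Values that apply when the keyword is absent (assumed OpenSSH 4.x defaults).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value}; stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                      # conditional blocks are out of scope here
        settings.setdefault(key, value)  # first obtained value wins, per sshd_config(5)
    return settings


def effective_settings(text):
    """Parsed file overlaid on the assumed defaults."""
    eff = dict(DEFAULTS)
    eff.update(parse_sshd_config(text))
    return eff


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    eff = effective_settings(text)
    findings = []
    for key, (ok_values, message) in CHECKS.items():
        value = eff[key].lower()
        if key == "maxauthtries":
            bad = not value.isdigit() or int(value) > 3
        else:
            bad = value not in ok_values
        if bad:
            findings.append("%s (currently '%s')" % (message, eff[key]))
    return findings


# Constructed: a permissive config of the kind a fresh install may ship,
# with a later "fix" that sshd ignores because of first-value-wins.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin who expected it to take effect:
PermitRootLogin no
"""

# Constructed: the same host after applying the advice above.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or ["ok"])
```

ChallengeResponseAuthentication is set to "no" in the hardened file because, with PAM in use, leaving it on still offers an interactive password prompt after PasswordAuthentication has been disabled. Run `sshd -t` after editing and keep an existing session open while testing a new config.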
Re: [gentoo-user] SSH authentication attempts - serious issue
> Try using Denyhosts ... no problem with brute-force attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> I've been using it for more than a year now... it's perfect to block brute-force attacks.

Also, you can edit your denyhosts conf file to report offending IPs to their denyhosts server and also download an updated list of offending IPs that other community members have reported. Using this feature, you won't give "crackers" a first chance at getting to your server.

Regards,
Richard Broersma
Re: [gentoo-user] SSH authentication attempts - serious issue
> Hi,
>
>    today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with a time
> interval between attempts of 2 or 3 seconds, meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
> So, first, am I thinking correctly about the sshd attempts?
> Second, how can I set up sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:

Try using Denyhosts ... no problem with brute-force attacks anymore. Denyhosts adds the IP of the attacker to the /etc/hosts.deny file.
Install it with:
ACCEPT_KEYWORDS="~x86" emerge denyhosts
and add to your /etc/crontab
*/10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf

I've been using it for more than a year now... it's perfect to block brute-force attacks.

cheers
Oli