Re: Ruminations on an SSH attack

2005-12-19 Thread Ted Roche
Agreed with your settings, and adding a Port setting of other than  
the default port 22 eliminates the log bloat from script kiddies.


Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com


On Dec 18, 2005, at 8:48 PM, Bill McGonigle wrote:

> On Dec 18, 2005, at 14:46, Bill Sconce wrote:
>
>> It didn't succeed, so far as I've
>> been able to tell)...
>
> I sleep better at night knowing my servers have these lines in them:
>
> Protocol 2
> PermitRootLogin no
> IgnoreRhosts yes
> PasswordAuthentication no
> AllowUsers ...
>
> These settings aren't right for everybody, but they are very right
> for most people I encounter and thwart most dictionary attacks,
> even against weak passwords.  I do work at some places with insane
> password policies, and this helps a bit.
>
> The one time I did have to clean up after an ssh break was before I
> adopted this policy, exploited a weak user's password, and,
> fortunately was just limited to a compromise of that one account -
> an ircd was running and a rootkit wasn't installed (though
> certainty on the last point is always in question until you can do
> offline forensics).
>
> OK, thousands of attempted logins - that's what a dictionary
> attack IS.
>
> There have also been attempts to find OpenSSL vulnerabilities with
> scripts that look like a dictionary attack (the feint).
>
> -Bill
>
> -
> Bill McGonigle, Owner   Work: 603.448.4440
> BFC Computing, LLC  Home: 603.448.1668
> [EMAIL PROTECTED]   Cell: 603.252.2606
> http://www.bfccomputing.com/    Page: 603.442.1833
> Blog: http://blog.bfccomputing.com/
> VCard: http://bfccomputing.com/vcard/bill.vcf
>
> ___
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss




Re: Ruminations on an SSH attack

2005-12-19 Thread Tom Buskey
On 12/18/05, Brian Chabot <[EMAIL PROTECTED]> wrote:
> Bill McGonigle wrote:
>> I sleep better at night knowing my servers have these lines in them:
>>
>> Protocol 2
>> PermitRootLogin no
>> IgnoreRhosts yes
>> PasswordAuthentication no
>> AllowUsers ...

I like to add in:

MaxAuthTries 6
UsePrivilegeSeparation yes

AllowUsers can be a pain if your user base changes..

ListenAddress if your users always come from the same IP addresses.  Not
always doable, but if it is

Port   # changing to a non standard port

I'm at a site that blocks all outgoing ports except 22 :-(  Security by
obscurity, but it makes you harder to find than your neighbors.

I've started running something called DenyHosts.  If I get N failed logins
from an IP address, it gets added to /etc/hosts.deny and my sshd never sees
that IP again.  It's worth checking out.  All automated w/ email alerts,
expiration of IPs (or not), number of failures, etc.

-- 
A strong conviction that something must be done is the parent of many bad measures.
  - Daniel Webster
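The settings quoted above (Bill McGonigle's five lines plus Tom's additions) are easy to get wrong in a real sshd_config, because sshd honours the first occurrence of a keyword, ignores commented-out lines, and treats everything under a Match header as conditional rather than global. The checker below is an added example, not code from this thread or from OpenSSH; the two configs it audits are constructed samples, and the expected values are the ones recommended in the thread.

```python
"""Audit an sshd_config for the settings recommended in this thread."""
import re
from typing import Dict, List, Tuple

# Expected global values (Bill McGonigle's list plus Tom Buskey's
# additions), keyed by lower-cased keyword.
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "ignorerhosts": "yes",
    "passwordauthentication": "no",
    "maxauthtries": "6",
    "useprivilegeseparation": "yes",
}

# 'Keyword value' or 'Keyword = value'; comments are stripped before matching.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def effective_settings(text: str) -> Dict[str, str]:
    """Return the effective global value of each keyword in an sshd_config.

    Follows sshd's own rules: keywords are case-insensitive, the FIRST
    occurrence of a keyword wins, and lines after a 'Match' header only
    apply inside that block, so they are not global settings."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue                      # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                         # remaining lines are conditional
        seen.setdefault(key, value)       # first occurrence wins
    return seen


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, reason) for every setting that
    deviates from EXPECTED. An absent keyword means the server's compiled-in
    default applies; that is reported rather than guessed at."""
    got = effective_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        have = got.get(key)
        if have is None:
            findings.append((key, "absent", f"not set explicitly; want {want}"))
        elif have.lower() != want:
            findings.append((key, have, f"want {want}"))
    # Port 22 is the documented default; the thread suggests moving off it
    # to cut the log noise from scanners, not as a security control in itself.
    if got.get("port", "22") == "22":
        findings.append(("port", got.get("port", "absent"), "default port 22"))
    return findings


# Constructed sample: a stock-looking config with the weaknesses the thread
# warns about, plus a duplicate that a last-match-wins reader would misjudge.
WEAK_CONFIG = """\
Protocol 2,1
#PermitRootLogin no          <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: the first occurrence above wins
IgnoreRhosts yes
"""

# Constructed sample: the thread's settings, with a Match block that relaxes
# one of them for a single demo account on the office LAN only.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
IgnoreRhosts yes
PasswordAuthentication no
MaxAuthTries 6
UsePrivilegeSeparation yes
AllowUsers alice bob

Match User demo Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for key, have, why in audit(cfg) or [("all checks pass", "", "")]:
            print(f"  {key:24} {have:8} {why}")
```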


passwd help...

2005-12-19 Thread Richard Soule
For my day to day job I do a lot of software demos. Lately I've been 
using a Redhat system running in a VMWare image. I just got a new system 
that has some cool demos in it and I want to change all the passwords to 
be the same thing as the usernames. I realize this is going to shock a 
lot of folks, but it is a demo system and it is a VMWare instance, so I 
can always go back to the source VM if things get mucked up.


Right now when I type passwd I get:

Changing password for user root.
New UNIX password: (I type root here)
BAD PASSWORD: it is too short

etc.

For some reason all my google searches are telling me how to modify the 
LDAP directory and how to secure systems instead of making them 'unsecure'.


I know this goes against everything that everyone believes in, but can 
someone give me a quick and dirty way to set the root password to root 
and a user account password to the user name without having passwd barf?


(I think I'm asking how to shut off PAM.)


When you are in the throes of a demo it's sometimes hard to remember 
what the password is for a particular account. If you are using a GUI 
(web browser, X, etc.), it's very easy to copy and paste a username into 
a password field. When you have to type a username/password pair then 
you have the username already in your 'finger buffer' so it becomes very 
easy to type the password. Some of the software I demo takes a bit to do 
authentication and I like to turn away from the screen and talk about 
other things while I'm logging in. It's always a bummer to spend a 
minute or two talking to the crowd and then turn around expecting to see 
a great portal/web page and instead see: INVALID PASSWORD. Whatever 
point you were trying to make during that two minute segment was 
probably missed because folks in the crowd were saying "Hmmm, this guy 
can't even remember the passwords to his system, he probably has no idea 
what he is talking about..."



Thanks,

Rich


Multi-boot, partition label conflict

2005-12-19 Thread Dan Coutu
I'd like to just double check my thinking on a configuration. Here's the 
setup:


An HP Itanium machine comes with RHEL AS 4 factory installed on the 
internal SCSI disk.
It also contains a fiber channel controller card for use in connecting 
to an existing SAN.
I did a new install of RHEL to the SAN (so that it could boot from the 
SAN rather than
the local disk) and upon boot it complains because it is trying to mount 
/ and finding that there

are two partitions with that label, one on the SAN and one on the SCSI disk.

The ways around this that I see include:

1. Use something like Partition Magic to hide the SCSI partition.
2. Format the SCSI disk (since it won't be used anyway.)
3. Change the /etc/fstab to mount by device name rather than label.
4. Change the label on at least one disk.

Are there other options that I'm missing? Has anyone else run into this?

Thanks in advance,

Dan



Re: passwd help...

2005-12-19 Thread Bruce Dawson

Richard Soule wrote:

| For my day to day job I do a lot of software demos. Lately I've been
| using a Redhat system running in a VMWare image. I just got a new
| system that has some cool demos in it and I want to change all the
| passwords to be the same thing as the usernames. I realize this is
| going to shock a lot of folks, but it is a demo system and it is a
| VMWare instance, so I can always go back to the source VM if things
| get mucked up.
|
| Right now when I type passwd I get:
|
| Changing password for user root.
| New UNIX password: (I type root here)
| BAD PASSWORD: it is too short

Just keep typing the same password in. After about 2 consecutive tries
with the same password, it seems to figure out that you really do want
an unsecure password, and accepts it.

At least, that's how it works with *my* Redhat systems!

| ...

--Bruce



Re: passwd help...

2005-12-19 Thread Ben Scott
On 12/19/05, Richard Soule <[EMAIL PROTECTED]> wrote:
> Right now when I type passwd I get:
>
> Changing password for user root.
> New UNIX password: (I type root here)
> BAD PASSWORD: it is too short

  I've seen that before.  In my experience, on Red Hat and
derivatives, if "root" is running the passwd command, it warns you
that the password is bad, but will accept it anyway if you confirm it.
 If passwd is *not* running as root, it requires passwords to meet
strength checks.  So one way to bypass the strength checks is to set
all the passwords as the "root" user.

> (I think I'm asking how to shut off PAM.)

  Not exactly, but the password strength checking should be
configurable via PAM.  I suspect if you poke around in /etc/pam.d/ and
remove any references to "crack" (password cracker), you would be able
to disable for everybody.  Be aware that if you screw up PAM badly
enough, you can lock yourself out of the system.

  Hope this helps,

-- Ben


Re: Ruminations on an SSH attack

2005-12-19 Thread Cole Tuininga
On Mon, 2005-12-19 at 09:04 -0500, Tom Buskey wrote:

> I've started running something called DenyHosts.  If I get N failed
> logins from an IP address, it gets added to /etc/hosts.deny and my
> sshd never sees that IP again.  It's worth checking out.  All
> automated w/ email alerts, expiration of IPs (or not), number of
> failures, etc. 

I have to put in another vote for this.  DenyHosts
(http://denyhosts.sf.net) has decreased my log sizes significantly.
Thankfully, it seems as though the scripts that most script kiddies are
using seem to stop trying after they get failed connections due to being
put in hosts.deny.

-- 
"I have one plan for linux.  World Domination."
 -Linus Torvalds

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D




Re: Multi-boot, partition label conflict

2005-12-19 Thread Ben Scott
On 12/19/05, Dan Coutu <[EMAIL PROTECTED]> wrote:
> The ways around this that I see include:
>
> 1. Use something like Partition Magic to hide the SCSI partition.
> 2. Format the SCSI disk (since it won't be used anyway.)
> 3. Change the /etc/fstab to mount by device name rather than label.
> 4. Change the label on at least one disk.
>
> Are there other options that I'm missing?

5. Physically disconnect the SCSI disk from the system (optionally
moving it to another system, selling it, taking it home, using it as a
door prize at a GNHLUG meet, etc., etc.).

  If you're concerned about vendor support and that kind of thing, I'd
guess the best thing to do would be to change the partition label(s)
on your SAN volume(s).  That preserves the ability to boot the
vendor-supplied configuration as a boot option.  (Might be useful for
trouble-shooting the FC interface someday, too.)  By changing the SAN
label(s), you avoid this problem in the future, too.

  I've been setting labels like "ROOT", "HOME", "BIGDISK", etc., on my
partitions since before Red Hat was using them to mount partitions,
and I've kept that habit.  It does avoid this kind of confusion, I've
found.  (Not that I've worked with SANs, but when doing parallel
installs for other reasons.)

-- Ben


Re: Ruminations on an SSH attack

2005-12-19 Thread Bill Sconce
I figgered I was hardly the first one.:)

Seriously, it does make me feel better.  The first thing I did was move sshd
off of port 22.  So that much is evidently a Good Thing Everywhere.  Thanks!

I can't restrict IP addresses.  My need is precisely that I myself, as well
as my co-developers, need to get at my Subversion repositories from out on
client site (or from Panera, heh :) so the incoming IP address has to remain
flexible.

Bill M's tip about DenyHosts looks like a good addition.  I was thinking of
writing a Python program to look for N failed logins and then adding the IP
address to /etc/hosts.deny...   wait, that violates the First Rule of Free
Software:  "First you Google for someone else who has already written it."  !!

I'll check into DenyHosts.  And each of the other tips.  Thank you all.
And perhaps because of this list someone else will be saved the whole hassle.

-Bill

[Do I need to say, Thank goodness I'm running Linux?  The damage was just a
log filled up.  Years ago in a former life, I used to run a monoculture OS.
If this had been then...]   **shudder**
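Bill's idea of a script that counts failed logins and writes the offending address into /etc/hosts.deny, with the two refinements raised elsewhere in this thread: Tom's point that denied entries should expire so a cleaned-up machine gets back in, and Bruce's story about locking out a colleague's home address, which an allow-list of addresses that are never denied guards against. This is an added example and not DenyHosts' own code; the log lines, addresses and time-of-run are constructed, and the threshold, window and expiry are the example's own choices.

```python
"""Count sshd failures per source address and emit expiring hosts.deny entries."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# The 'Failed password' line OpenSSH logs via syslog, with or without the
# 'invalid user' marker that unknown account names get.
FAILED = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (syslog lines carry no year, so the caller supplies it).
SAMPLE_LOG = """\
Dec 17 03:00:01 srv sshd[2001]: Failed password for root from 203.0.113.9 port 40001 ssh2
Dec 17 03:00:02 srv sshd[2002]: Failed password for root from 203.0.113.9 port 40002 ssh2
Dec 17 03:00:03 srv sshd[2003]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Dec 19 11:00:00 srv sshd[3001]: Failed password for invalid user test from 198.51.100.5 port 50001 ssh2
Dec 19 11:30:00 srv sshd[3002]: Failed password for invalid user test from 198.51.100.5 port 50002 ssh2
Dec 19 11:59:00 srv sshd[3003]: Failed password for invalid user test from 198.51.100.5 port 50003 ssh2
Dec 19 11:45:10 srv sshd[3101]: Failed password for bill from 192.168.1.50 port 51001 ssh2
Dec 19 11:45:20 srv sshd[3102]: Failed password for bill from 192.168.1.50 port 51002 ssh2
Dec 19 11:45:30 srv sshd[3103]: Failed password for bill from 192.168.1.50 port 51003 ssh2
Dec 19 11:50:01 srv sshd[3201]: Failed password for invalid user oracle from 203.0.113.7 port 52001 ssh2
Dec 19 11:50:02 srv sshd[3202]: Failed password for invalid user guest from 203.0.113.7 port 52002 ssh2
Dec 19 11:50:03 srv sshd[3203]: Failed password for root from 203.0.113.7 port 52003 ssh2
Dec 19 11:55:00 srv sshd[3301]: Accepted publickey for bill from 198.51.100.22 port 53001 ssh2
Dec 19 11:56:00 srv sshd[3302]: Failed password for bill from 198.51.100.22 port 53002 ssh2
"""
NEVER_DENY = ("192.168.1.0/24",)          # constructed: the office LAN
NOW = datetime(2005, 12, 19, 12, 0, 0)    # constructed time of this run


def parse_failures(lines: Iterable[str], year: int) -> Dict[str, List[datetime]]:
    """Collect failure timestamps per source IP."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            per_ip[m["ip"]].append(stamp)
    return per_ip


def deny_entries(per_ip: Dict[str, List[datetime]], now: datetime,
                 threshold: int = 3, window: timedelta = timedelta(minutes=10),
                 deny_for: timedelta = timedelta(days=1),
                 never_deny: Iterable[str] = ()) -> List[Tuple[str, datetime]]:
    """Return (ip, expiry) for each address that produced `threshold` failures
    within `window` and whose deny period is still running at `now`.

    Expiry is what lets a cleaned-up machine back in later; the allow-list is
    for addresses you must never lock out, however badly they behave."""
    allowed = [ip_network(n) for n in never_deny]
    result = []
    for ip, stamps in per_ip.items():
        if any(ip_address(ip) in net for net in allowed):
            continue
        stamps = sorted(stamps)
        # Newest failure that closes a window of `threshold` failures; the
        # deny period is timed from it, so repeat offenders keep extending it.
        tripped = next(
            (stamps[i] for i in reversed(range(threshold - 1, len(stamps)))
             if stamps[i] - stamps[i - threshold + 1] <= window),
            None,
        )
        if tripped is not None and tripped + deny_for > now:
            result.append((ip, tripped + deny_for))
    return result


def hosts_deny_lines(entries: Iterable[Tuple[str, datetime]]) -> List[str]:
    """tcpwrappers syntax, one 'sshd: <ip>' per line, as DenyHosts writes it."""
    return [f"sshd: {ip}" for ip, _ in sorted(entries)]


def run(log_text: str = SAMPLE_LOG, now: datetime = NOW) -> List[str]:
    per_ip = parse_failures(log_text.splitlines(), year=now.year)
    return hosts_deny_lines(deny_entries(per_ip, now, never_deny=NEVER_DENY))


if __name__ == "__main__":
    print("\n".join(run()))
```

Of the five addresses in the sample, only 203.0.113.7 ends up denied: the LAN host is allow-listed, the Dec 17 offender's entry has already expired, and the other two never reach three failures inside ten minutes.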


Re: Debian Log Rotation

2005-12-19 Thread Kevin D. Clark

Christopher Schmidt writes:

> I use Debian for a web and mail server, hosted in a colocation facility.
> I'm running Debian Sarge, and have set up virtual domains using the
> tutorial at http://workaround.org/articles/ispmail-sarge/ . Everything
> works pretty nicely. 
>
> However, I'm now trying to run lire to get log analysis, and my mail
> logs are currently rotated daily. I can't figure out where this is
> done.
>
> It seems to be happening by some call to `savelog` somewhere. However,
> I've looked through my /etc/cron.daily/, and can't find anything
> regarding it there. There is a sysklogd entry, which rotates all files
> in `syslogd-listfiles` -- but that does *not* list /var/log/mail.log
> (only /var/log/syslog).

I'm not a regular Debian user, but perhaps I can help.

Try out the attached Bash functions.  You can actually paste the whole
file into a running Bash shell.

After doing this, try typing:

txtfind /etc /var | xargs grep '\<savelog\>'

Perhaps this will tell you where savelog is being invoked.


I find these functions to be invaluable in my daily work; I hope you
find them to be useful too.

Regards,

--kevin
-- 
GnuPG ID: B280F24E




# Author: kevin d. clark (alumni.unh.edu!kdc)
# (The list archive's address obfuscation turned the "$@" in these
#  functions into [EMAIL PROTECTED]; it is restored below.)

srcfind () {
  if [ $# -eq 0 ] ; then
    srcfind .
  else
    find "$@" \(   -name \*.c \
                -o -name \*.cc \
                -o -name \*.h \
                -o -name \*.hh \
                -o -name \*.java \
                -o -name \*.c++ \
                -o -name \*.el \
              \) -print
  fi
}

writeablesrcfind () {
  if [ $# -eq 0 ] ; then
    writeablesrcfind .
  else
    find "$@" \(   -name \*.c \
                -o -name \*.cc \
                -o -name \*.h \
                -o -name \*.hh \
                -o -name \*.java \
                -o -name \*.c++ \
                -o -name \*.el \
              \) \
              -exec test -w {} \; \
              -print
  fi
}


# files that are relevant to our build
buildfind () {
  if [ $# -eq 0 ] ; then
    buildfind .
  else
    find "$@" \(   -name \*.c \
                -o -name \*.cc \
                -o -name \*.h \
                -o -name \*.java \
                -o -name \*.c++ \
                -o -name Makefile \
              \) -print
  fi
}

# files that are relevant to our build, newer than a reference file
newerbuildfind () {
  if [ $# -lt 1 ] ; then
    echo Usage: newerbuildfind file-with-timestamp directory1 directory2 ...
  elif [ $# -lt 2 ] ; then
    file_with_timestamp=$1 ; shift
    newerbuildfind "$file_with_timestamp" .
  else
    file_with_timestamp=$1 ; shift
    find "$@" -newer "$file_with_timestamp" \
              \(   -name \*.c \
                -o -name \*.cc \
                -o -name \*.h \
                -o -name \*.java \
                -o -name \*.c++ \
                -o -name Makefile \
                -o -name imports \
                -o -name exports \
                -o -name project.defs \
                -o -name mr_info\* \
              \) -print
  fi
}

# files that are relevant to our build, and writable by us
writablebuildfind () {
  if [ $# -eq 0 ] ; then
    echo Usage: writablebuildfind directory1 directory2 ...
  else
    find "$@" \(   -name \*.c \
                -o -name \*.cc \
                -o -name \*.h \
                -o -name \*.java \
                -o -name \*.c++ \
                -o -name Makefile \
              \) \
              -exec test -w {} \; \
              -print
  fi
}


# Finds text files in the specified directories.  These use Perl's -T and -B
# tests.  Here's some relevant documentation from the perlfunc page:
#
#    The "-T" and "-B" switches work as follows.  The first block or
#    so of the file is examined for odd characters such as strange
#    control codes or characters with the high bit set.  If too many
#    strange characters (>30%) are found, it's a "-B" file, otherwise
#    it's a "-T" file.  Also, any file containing null in the
#    first block is considered a binary file. []  Both "-T" and
#    "-B" return true on a null file...
#
# Caveat programmer.
#

# Find text files
txtfind () {
  if [ $# -eq 0 ] ; then
    txtfind .
  else
    perl -MFile::Find -e 'find(sub{print "$File::Find::name\n" if (-f && -T);},
                               @ARGV);' "$@"
  fi
}

# Find DOS-formatted (CRLF) text files
dostxtfind () {
  if [ $# -eq 0 ] ; then
    dostxtfind .
  else
    perl -MFile::Find -e 'find(sub{
        $crlf = 0;
        if (($f = -f) && ($T = -T)) {
          @ARGV=($_);
          binmode(ARGV);
          (/\r\n/ && $crlf++) while(<>);
        }
        print "$File::Find::name\n"
          if ($f && $T && $crlf);
      }, @ARGV);' "$@"
  fi
}

Re: Multi-boot, partition label conflict

2005-12-19 Thread Mark Komarinski
On Mon, Dec 19, 2005 at 09:39:57AM -0500, Dan Coutu wrote:
> I'd like to just double check my thinking on a configuration. Here's the 
> setup:
> 
> An HP Itanium machine comes with RHEL AS 4 factory installed on the 
> internal SCSI disk.
> It also contains a fiber channel controller card for use in connecting 
> to an existing SAN.
> I did a new install of RHEL to the SAN (so that it could boot from the 
> SAN rather than
> the local disk) and upon boot it complains because it is trying to mount 
> / and finding that there
> are two partitions with that label, one on the SAN and one on the SCSI disk.
> 
> The ways around this that I see include:
> 
> 1. Use something like Partition Magic to hide the SCSI partition.
> 2. Format the SCSI disk (since it won't be used anyway.)
> 3. Change the /etc/fstab to mount by device name rather than label.
> 4. Change the label on at least one disk.
> 
> Are there other options that I'm missing? Has anyone else run into this?

I'm not up on my Itanium, but by label, do you mean that your /etc/fstab
has something like:

LABEL=/ /   ext3defaults 1 1

In it?  If so, change the label.  If you're not going to boot the
existing disk, use e2label to change the label on the existing disk.  You
can then probably mount the existing disk, change the label in
/etc/fstab and you'll be all set.

-Mark




Re: passwd help...

2005-12-19 Thread Richard Soule

Bruce Dawson wrote:
> Just keep typing the same password in. After about 2 consecutive tries
> with the same password, it seems to figure out that you really do want
> an unsecure password, and accepts it.


That worked!

Thanks Bruce (and Scott although Bruce's answer got here first)

Rich


Re: passwd help...

2005-12-19 Thread Neil Joseph Schelly
On Monday 19 December 2005 10:09 am, Ben Scott wrote:
> to disable for everybody.  Be aware that if you screw up PAM badly
> enough, you can lock yourself out of the system.

Good advice in this vein, but slightly off-topic:
Don't log out of a machine after screwing with PAM until you've logged another 
terminal into it successfully.  Once you release your session, you may not 
get back in, depending on the changes you made.
-N


Re: 1600sw & xorg.conf (Hi, Paul!).

2005-12-19 Thread Ben Scott
On 12/19/05, Rob Lembree <[EMAIL PROTECTED]> wrote:
>> On Dec 19, 2005, at 12:06 AM, Ben Scott wrote:
>> ... products that convert DVI to the goofy SGI format.
>
>  >ahem< goofy?

  Yes, "goofy", meaning "anything that doesn't fit what is on-hand and
thus makes the speaker's life more complicated".

> I worked for SGI back in the day ... LDI was use in almost all laptops.
> The connector was also smaller and sturdier.  Seemed a safe bet at
> the time.

Clearly, SGI should have done a better job predicting the future.  ;-)

-- Ben


Re: Ruminations on an SSH attack

2005-12-19 Thread Drew Van Zandt
For flexible SSH access, you can also have a world-accessible but
passworded webpage with a form that adds your IP to the allowed list
(iptables is easy to use this way.)

--Drew



Re: Multi-boot, partition label conflict

2005-12-19 Thread Jerry Feldman
On Monday 19 December 2005 9:50 am, Mark Komarinski wrote:

> >
> > The ways around this that I see include:
> >
> > 1. Use something like Partition Magic to hide the SCSI partition.
> > 2. Format the SCSI disk (since it won't be used anyway.)
> > 3. Change the /etc/fstab to mount by device name rather than label.
> > 4. Change the label on at least one disk.
> >
> > Are there other options that I'm missing? Has anyone else run into
> > this?
>
> I'm not up on my Itanium, but by label, do you mean that your /etc/fstab
> has something like:
>
> LABEL=/ /   ext3defaults 1 1
>
> In it?  If so, change the label.  If you're not going to boot the
> exiting disk, use e2label to change the label on the existing disk.  You
> can then probably mount the existing disk, change the label in
> /etc/fstab and you'll be all set.
The Itanium uses the Extensible Firmware Interface (EFI). This is similar to 
GRUB. 
BTW: Dan Will Beck says hello.
-- 
Jerry Feldman <[EMAIL PROTECTED]>
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9


Re: Ruminations on an SSH attack

2005-12-19 Thread Bruce Dawson

Bill Sconce wrote:

|...
|I'll check into DenyHosts. And each of the other tips. Thank you all.
|And perhaps because of this list someone else will be saved the whole
hassle.

Beware of DenyHosts... A long, long time ago, at an ISP very far away,
I tried doing this (and this was before the days of Protocol Version
2, but that's another story ;-).

It turned out a host I had denied was the IT director's home IP
address. Evidently his machine was compromised and he wasn't aware of
it, and someone was using it to gain access to his ISP network (which
is how I discovered it and got into this situation).

However, once he scrubbed his system and tried to use it to work at
home, he couldn't get in because I had denied his IP w/tcpwrappers. It
took a while before I realized who the person on the other end of the
phone was, what the real problem was, and removed the /etc/hosts.deny
entry.

Also, you need to beware of ISPs who use proxy servers - like AOL,
Yahoo, PowerNet, ... Blocking one of those can block a lot of
legitimate users.

I wish there was something like RBL that listed bogons so I could
block them. A lot of attacks lately have been coming from them.

--Bruce




Re: gnhlug-discuss digest, Vol 1 #1694 - 1 msg

2005-12-19 Thread Joseph
Hello Bill/Bruce,

Does this SSH server face the internet?  Is there a stand alone firewall in
front of this ssh server (and I don't mean Iptables on the machine)?  Why no
IPSEC or SSL VPN instead?  As for the SSH blacklisting check out this
http://www.pettingers.org/code/sshblack.html

Thanks,
Joe

Re: Ruminations on an SSH attack

2005-12-19 Thread Ben Scott
On 12/19/05, Bruce Dawson <[EMAIL PROTECTED]> wrote:
> I wish there was something like RBL that listed bogons so I could
> block them. A lot of attacks lately have been coming from them.

http://www.cymru.com/Bogons/

I'm not sure those are the bogons you are looking for, though.

-- Ben "Jedi mind trick" Scott


Re: Ruminations on an SSH attack

2005-12-19 Thread Tom Buskey
On 12/19/05, Bruce Dawson <[EMAIL PROTECTED]> wrote:
> Bill Sconce wrote:
> |...
> |I'll check into DenyHosts. And each of the other tips. Thank you all.
> |And perhaps because of this list someone else will be saved the whole
> hassle.
>
> Beware of DenyHosts... A long, long time ago, at an ISP very far away,
> I tried doing this (and this was before the days of Protocol Version
> 2, but that's another story ;-).
>
> It turned out a host I had denied was the IT director's home IP
> address. Evidently his machine was compromised and he wasn't aware of
> it, and someone was using it to gain access to his ISP network (which
> is how I discovered it and got into this situation).
>
> However, once he scrubbed his system and tried to use it to work at
> home, he couldn't get in because I had denied his IP w/tcpwrappers. It
> took a while before I realized who the person on the other end of the
> phone was, what the real problem was, and removed the /etc/hosts.deny
> entry.

DenyHosts (and sshblack) have timeouts.  After some time, the IP is allowed
back.  DenyHosts uses /etc/hosts.deny and works on most Unixen with
tcpwrappers; sshblack uses iptables/ipchains and is limited to Linux.

> Also, you need to beware of ISPs who use proxy servers - like AOL,
> Yahoo, PowerNet, ... Blocking one of those can block a lot of
> legitimate users.

Proxy ssh servers?  I can't imagine too many ISPs proxying ssh.  I have used
something that did ssh proxying over http.  It had lots of latency but was
usable.

> I wish there was something like RBL that listed bogons so I could
> block them. A lot of attacks lately have been coming from them.
>
> --Bruce

-- 
A strong conviction that something must be done is the parent of many bad measures.
  - Daniel Webster


Re: Ruminations on an SSH attack

2005-12-19 Thread Bruce Dawson

Ben Scott wrote:
> On 12/19/05, Bruce Dawson <[EMAIL PROTECTED]> wrote:
>> I wish there was something like RBL that listed bogons so I could
>> block them. A lot of attacks lately have been coming from them.
>
> http://www.cymru.com/Bogons/
>
> I'm not sure those are the bogons you are looking for, though.

They are.

And this could cut down on the spam coming from bogons (for those who 
use sendmail):


   FEATURE(`dnsbl', `bogons.dnsiplists.completewhois.com',
   `$&{client_addr} blocked by firewall, source IP not assigned (Bogon).')

(Courtesy of 
http://moongroup.com/pipermail/mailhelp/2004-October/001449.html)


But I guess a better place to stop them would be in tcpwrappers or even 
the firewall, but I haven't figured out a way to wedge something like 
RBL into tcpwrappers or iptables/ipchains. Any ideas?


--Bruce




Re: gnhlug-discuss digest, Vol 1 #1694 - 1 msg

2005-12-19 Thread Bruce Dawson

Joseph wrote:
> Does this SSH server face the internet? Is there a stand alone
> firewall in front of this ssh server (and I don't mean Iptables on the
> machine)? Why no IPSEC or SSL VPN instead? As for the SSH blacklisting
> check out this http://www.pettingers.org/code/sshblack.html


After several years of managing systems on the internet, I've learned a 
few things...


   * Have dual bastion routers/hosts.
   * Firewall the DMZ.
   * Maintain the honeypot.
   * Monitor the log files.
   * If you must have a backdoor, make sure it moves around. A lot.
   * Don't do anything obvious (like use standard ports).
   * Stay away from the newer standards (like IPSEC, OpenVPN, ...) They
     frequently have bugs that no one knows about at the moment, and
     that someone exploits when you can least afford it.
   * Code-review the old stuff - to the extent that you know how it
     works internally, and you've found at least 5 bugs.

sshblack looks like a good idea, but I can't figure out if it's
dynamically updated or not (at least, not without reading the code,
which I don't have time for at the moment.)


--Bruce


Re: Ruminations on an SSH attack

2005-12-19 Thread Tom Buskey
On 12/19/05, Bruce Dawson <[EMAIL PROTECTED]> wrote:
> But I guess a better place to stop them would be in tcpwrappers or even
> the firewall, but I haven't figured out a way to wedge something like
> RBL into tcpwrappers or iptables/ipchains. Any ideas?

DenyHosts and sshblack poll (tail -f?) logfiles.  DenyHosts adds sshd:  into
hosts.deny.  sshblack adds to iptables/ipchains.

If you can get sendmail to log bogons to a file, DenyHosts can probably be
modified to use smtp: instead of sshd:.  I'd imagine sshblack could do the
same.

-- 
A strong conviction that something must be done is the parent of many bad measures.
  - Daniel Webster


Re: Ruminations on an SSH attack

2005-12-19 Thread Jeff Kinz
On Mon, Dec 19, 2005 at 01:21:12PM -0500, Bruce Dawson wrote:
> Ben Scott wrote:
> 
> >On 12/19/05, Bruce Dawson <[EMAIL PROTECTED]> wrote:
> >  
> >
> >>I wish there was something like RBL that listed bogons so I could
> >>block them. A lot of attacks lately have been coming from them.
> >>
> >>
> >
> >http://www.cymru.com/Bogons/
> >
> >I'm not sure those are the bogons you are looking for, though.
> >  
> >
> They are.
> 
> And this could cut down on the spam coming from bogons (for those who 
> use sendmail):
> 
> FEATURE(dnsbl, `bogons.dnsiplists.completewhois.com',
> `$&{client_addr} blocked by firewall, source IP not assigned (Bogon).'
> 
> (Courtesy of 
> http://moongroup.com/pipermail/mailhelp/2004-October/001449.html)
> 
> But I guess a better place to stop them would be in tcpwrappers or even 
> the firewall, but I haven't figured out a way to wedge something like 
> RBL into tcpwrappers or iptables/ipchains. Any ideas?

For blocking bogons w/iptables I use:
# Bogon list as aggregated by Team Cymru in December 2005.  Bogon lists
# shrink as address space is allocated (every IPv4 /8 had been assigned
# by early 2011), so regenerate these rules from a current list rather
# than reusing this snapshot.  Only the private and special-purpose
# ranges in it (0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24,
# 192.168/16, 198.18/15, 224/3) are still safe to drop unconditionally.
iptables -A INPUT  -i $INTERNET_IF -s 0.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 2.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 5.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 7.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 10.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 23.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 27.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 31.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 36.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 39.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 42.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 49.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 50.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 77.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 78.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 92.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 96.0.0.0/4   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 112.0.0.0/5   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 120.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 127.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 169.254.0.0/16   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 172.16.0.0/12   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 173.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 174.0.0.0/7   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 176.0.0.0/5   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 184.0.0.0/6   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 192.0.2.0/24   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 192.168.0.0/16   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 197.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 198.18.0.0/15   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 223.0.0.0/8   -j DROP
iptables -A INPUT  -i $INTERNET_IF -s 224.0.0.0/3   -j DROP

This bogon list is from:
http://www.cymru.com/Bogons/
The aggregated list:
http://www.cymru.com/Documents/bogon-bn-agg.txt

To get logging, copy each line and replace "-j DROP" with
-j LOG --log-level debug  --log-prefix "Bogon ip drop"

To implement an RBL at the firewall, I would do a zone transfer
(periodically) from an RBL, dump it and sed it into iptables statements.


-- 
Jeff Kinz, Emergent Research, Hudson, MA.
speech recognition software may have been used to create this e-mail

"The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding." - Brandeis

To think contrary to one's era is heroism. But to speak against it is
madness. -- Eugene Ionesco
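Jeff's rules above are the Team Cymru file pasted by hand, one iptables line per prefix. What follows is an added example, not Jeff's script and not Team Cymru's code: it reads a bogon list in that file's format, validates and collapses the prefixes (a typo in a firewall list can blackhole real traffic, so malformed lines are reported rather than silently dropped), emits the rules into a dedicated chain so a refreshed list can replace the old one, and answers the log-triage question "did this attacker come from unassigned space?". SAMPLE_BOGON_FILE is a constructed excerpt, not the current published list; the chain name BOGONS, the interface eth0 and the use of `iptables -C` (available from iptables 1.4.11) are this example's own choices.

```python
"""Added example (not from the post): build iptables rules for a bogon
list from the published text file instead of pasting it by hand."""
import ipaddress

# Constructed excerpt in the file's format (one prefix per line, '#'
# comments).  Real lists change as address space is allocated.
SAMPLE_BOGON_FILE = """\
# constructed excerpt, not the current Team Cymru list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
224.0.0.0/4
240.0.0.0/4
this-is-not-a-prefix
"""


def parse_bogons(text):
    """Return (networks, rejected_lines): the valid IPv4 prefixes in text,
    collapsed into the fewest covering prefixes, plus every line that did
    not parse so the operator can inspect it instead of losing it."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return list(ipaddress.collapse_addresses(nets)), rejected


def is_bogon(addr, nets):
    """True if addr (dotted quad string) falls inside any bogon prefix."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def iptables_rules(nets, iface, chain="BOGONS", log=False):
    """Shell lines that (re)build a dedicated chain and hook it into INPUT.
    With log=True each prefix gets a LOG rule ahead of its DROP, as the
    post suggests; the LOG copy must precede the DROP copy or nothing is
    ever logged."""
    rules = ["iptables -N %s 2>/dev/null || iptables -F %s" % (chain, chain)]
    for net in nets:
        if log:
            rules.append('iptables -A %s -s %s -j LOG --log-level debug '
                         '--log-prefix "Bogon ip drop "' % (chain, net))
        rules.append("iptables -A %s -s %s -j DROP" % (chain, net))
    # Hook the chain into INPUT once; -C (check) needs iptables >= 1.4.11.
    rules.append("iptables -C INPUT -i %s -j %s 2>/dev/null || "
                 "iptables -I INPUT -i %s -j %s" % (iface, chain, iface, chain))
    return rules


if __name__ == "__main__":
    nets, rejected = parse_bogons(SAMPLE_BOGON_FILE)
    for line in rejected:
        print("# rejected line: %r" % line)
    print("\n".join(iptables_rules(nets, "eth0", log=True)))
```

Feeding the real file to parse_bogons() and piping the output through sh is the "sed it into iptables statements" step; rerunning it after a list refresh flushes and refills only the BOGONS chain, leaving the rest of the INPUT policy alone.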


Re: Ruminations on an SSH attack

2005-12-19 Thread Kevin D. Clark

Bruce Dawson writes:

> But I guess a better place to stop them would be in tcpwrappers or
> even the firewall, but I haven't figured out a way to wedge something
> like RBL into tcpwrappers or iptables/ipchains. Any ideas?

Not entirely what you are looking for, but I find the following
iptables rules to useful:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh \
    --set

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh \
    --update --seconds 60 --hitcount 4 -j LOG --log-level WARN --log-prefix \
    SSH-TOO-FAST

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh \
    --rcheck --seconds 60 --hitcount 4 -j DROP


Basically, if a given IP attempts to connect to your ssh port >4 times
in a given minute, it gets dropped for a while.  More documentation
here:

  
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.16


I've deployed this scheme on a couple of machines with great success.
In my case, I had to help maintain machines that were subjected to
dictionary attacks (hundreds of attempts per minute), but were
accessed legitimately by folks who I couldn't convince to use specific
IP address (hosts.allow not possible), ssh keys, or even very good
passwords (this was unfortunate but that was reality).

The kiddies could still attack, but it was like wading through
molasses for them.  Boo-hoo!

Regards,

--kevin

PS  Credit to where it is due.  I first heard this idea from dsr.

-- 
GnuPG ID: B280F24E

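The three rules above can be checked on paper with a small model of the xt_recent list they share. The following is an added illustration, not code from Kevin's post or from netfilter: it reproduces the documented semantics (--set records a timestamp for the source on every NEW connection; --rcheck and --update match when at least --hitcount stamps fall within the last --seconds; a matching --update records another stamp) and runs constructed traffic through the rules in order. Addresses and timings are made up (RFC 5737 ranges). Besides the dictionary-attack case it also shows the cost Ben Scott raises later in the thread: four people behind one NAT address, each connecting once in a minute, trip the same threshold as one attacker.

```python
"""Added illustration (not from the post or netfilter): a model of the
xt_recent ('-m recent --name ssh') list behind the three rules above."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # --seconds 60
HITCOUNT = 4              # --hitcount 4
IP_PKT_LIST_TOT = 20      # xt_recent default: stamps remembered per address


class RecentList:
    """One named list: a ring of timestamps per source address."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT,
                 pkt_list_tot=IP_PKT_LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: remember this packet's time for src."""
        self.stamps[src].append(now)

    def check(self, src, now):
        """--rcheck/--update --seconds S --hitcount N: true when at least N
        stamps for src are no older than S seconds.  This packet's own stamp
        counts, because the --set rule ran first."""
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        return hits >= self.hitcount


def verdict(recent, src, now):
    """One NEW connection to port 22 from src at time now, through the three
    rules in order.  'PASS' means it reaches whatever rule follows them."""
    recent.set(src, now)                 # rule 1: -m recent --set
    if recent.check(src, now):           # rule 2: --update ... -j LOG
        recent.set(src, now)             #   LOG is non-terminating; --update stamps
    if recent.check(src, now):           # rule 3: --rcheck ... -j DROP
        return "DROP"
    return "PASS"


def simulate(events):
    """events: iterable of (time_seconds, src).  Returns [(time, src, verdict)]
    in time order, every source sharing one 'ssh' list."""
    recent = RecentList()
    return [(t, src, verdict(recent, src, t)) for t, src in sorted(events)]


def dropped(events):
    """The (time, src) pairs the DROP rule would eat."""
    return [(t, s) for t, s, v in simulate(events) if v == "DROP"]


if __name__ == "__main__":
    # Constructed traffic, not captured data.
    dictionary_attack = [(t, "198.51.100.7") for t in range(0, 120, 10)]  # 6 per minute
    one_user = [(t, "192.0.2.10") for t in (5, 35, 65, 95)]               # 2 per minute
    office_nat = [(t, "203.0.113.5") for t in (1, 11, 21, 31)]           # 4 people, once each
    for t, src, v in simulate(dictionary_attack + one_user + office_nat):
        print("t=%3ds  %-13s %s" % (t, src, v))
```

Two things the model makes visible: the fourth connection inside the window is the one that gets dropped (hitcount is "at least 4", not "more than 4"), and because every dropped attempt still adds a stamp, an attacker who keeps trying at four or more per minute never gets out of the window, which is the molasses effect. The office_nat case is the trade-off: the same counter cannot tell four colleagues from one script.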


Re: Ruminations on an SSH attack

2005-12-19 Thread Ben Scott
On 12/19/05, Tom Buskey <[EMAIL PROTECTED]> wrote:
>> Also, you need to beware of ISPs who use proxy servers - like AOL,
>> Yahoo, PowerNet, ... Blocking one of those can block a lot of
>> legitimate users.
>
> Proxy ssh servers?  I can't imagine too many ISPs proxying ssh.

  Proxy IP servers.  They don't proxy SSH in particular, they proxy
*all* IP traffic.  Masquerading/NAT fall into this category.  So do
systems that force everything out via an HTTP proxy.  Be aware that
"HTTP proxies" can carry arbitrary TCP traffic, via the CONNECT
method.  It's one way to bolt something like per-user accounting onto
IP.

  The end result is that a single IP address is used by tens or
hundreds of users.  Thus, blocking a single address to block an
attacker may block wanted traffic as well.

-- Ben


NetTracker alternative

2005-12-19 Thread Travis Roy

I did some poking around, but I figured I'd ask around here too..

Is there any opensource/free alternatives to NetTracker?

Any suggestions?


Re: 1600sw & xorg.conf (Hi, Paul!).

2005-12-19 Thread Rob Lembree


On Dec 19, 2005, at 12:06 AM, Ben Scott wrote:

>   Out of curiosity, I Googled the specs on the 1600SW, to see if
> mass-market displays had caught up with it at this point.  (Answer: It
> appears they have.)  In the process, I stumbled upon the following,
> which both mention products that convert DVI to the goofy SGI format.

>ahem< goofy?  I worked for SGI back in the day when we came out
with the 1600SW.  The choice was between two digital connectors and
signaling formats, DVI and LDI.  DVI was sort of an unknown quantity,
but LDI was used in almost all laptops.  The connector was also
smaller and sturdier.  Seemed a safe bet at the time.

Recall that the 1600SW was one of the very first flat displays, and was
certainly one of the very first to use a digital interface!

As soon as it became apparent that we'd lost the format war, SGI
released the 'multilink adapter' which transcoded the formats.

For your entertainment, the SGI 1600SW was code-named '7 of 9', and the
multilink adapter was codenamed 'Droid'.  ;-)

> http://www.icir.org/hodson/1600sw/gfx1600sw.html
>
> http://www.pixsolution.com/
>
>   FYI, FWIW, YMMV, etc., etc.
>
> -- Ben


Any Opinions on SuSE 10.0 vs other Distros

2005-12-19 Thread Richard A Sharpe

Just a query to the group, I was thinking of putting a Linux Distro on my HP Laptop and was wondering how SuSE 10.0 stacks up, the laptop has wired and wireless LAN DVD/CD/RW 512m memory Athlon 3400 64 bit cpu.

Thanks

Rich

Richard A Sharpe

8 Meadowview Lane

Merrimack, NH 03054

"May His light Shine on you and Guide you"

"Put Christ back in CHRISTmas" 






Re: NetTracker alternative

2005-12-19 Thread Greg Rundlett
On 12/19/05, Travis Roy <[EMAIL PROTECTED]> wrote:
> I did some poking around, but I figured I'd ask around here too..
>
> Is there any opensource/free alternatives to NetTracker?

I looked at this post and said to myself, "I know a lot of
opensource/free software.  But Travis, what is NetTracker?"

>
> Any suggestions?

Describe in at least one sentence what you mean when you use jargon,
product names, or something that somebody else might not recognize. 
Because I'm curious, I looked up NetTracker, and found out that it is
'Web Analytics' software.

For 'Web Analytics', I'd recommend using AWStats.  AWStats is a free
powerful and featureful tool that generates advanced web, streaming,
ftp or mail server statistics, graphically. This log analyzer works as
a CGI or from command line and shows you all possible information your
log contains, in few graphical web pages. It uses a partial
information file to be able to process large log files, often and
quickly. It can analyze log files from all major server tools like
Apache log files (NCSA combined/XLF/ELF log format or common/CLF log
format), WebStar, IIS (W3C log format) and a lot of other web, proxy,
wap, streaming servers, mail servers and some ftp servers.

http://awstats.sourceforge.net/


Re: NetTracker alternative

2005-12-19 Thread David Ecklein
Gee whiz, Greg - if everyone described in one sentence what they might mean
by their jargon, following this list would be like drinking from a tsunami,
not just a firehose.

You Linux insiders keep me agoogling on pretty near any item of interest,
since much of this stuff is neither intuitively obvious, nor can be derived
from Maxwell's equations.

Even among the cogniscenti, I suspect there is bound to be, sooner or later,
something mentioned here that someone is unfamiliar with.

Dave E.


- Original Message - 
From: "Greg Rundlett" <[EMAIL PROTECTED]>
To: "Travis Roy" <[EMAIL PROTECTED]>
Cc: "GNHLUG" 
Sent: Monday, December 19, 2005 8:23 PM
Subject: Re: NetTracker alternative


> On 12/19/05, Travis Roy <[EMAIL PROTECTED]> wrote:
> > I did some poking around, but I figured I'd ask around here too..
> >
> > Is there any opensource/free alternatives to NetTracker?
>
> I looked at this post and said to myself, "I know a lot of
> opensource/free software.  But Travis, what is NetTracker?"
>
> >
> > Any suggestions?
>
> Describe in at least one sentence what you mean when you use jargon,
> product names, or something that somebody else might not recognize.
> Because I'm curious, I looked up NetTracker, and found out that it is
> 'Web Analytics' software.
>
> For 'Web Analytics', I'd recommend using AWStats.  AWStats is a free
> powerful and featureful tool that generates advanced web, streaming,
> ftp or mail server statistics, graphically. This log analyzer works as
> a CGI or from command line and shows you all possible information your
> log contains, in few graphical web pages. It uses a partial
> information file to be able to process large log files, often and
> quickly. It can analyze log files from all major server tools like
> Apache log files (NCSA combined/XLF/ELF log format or common/CLF log
> format), WebStar, IIS (W3C log format) and a lot of other web, proxy,
> wap, streaming servers, mail servers and some ftp servers.
>
> http://awstats.sourceforge.net/


Re: NetTracker alternative

2005-12-19 Thread Jeff Kinz
On Mon, Dec 19, 2005 at 08:54:26PM -0500, David Ecklein wrote:
> Gee whiz, Greg - if everyone described in one sentence what they might mean
> by their jargon, following this list would be like drinking from a tsunami,
> not just a firehose.
> 
> You Linux insiders keep me agoogling on pretty near any item of interest,
> since much of this stuff is neither intuitively obvious, nor can be derived
> from Maxwell's equations.
> 
> Even among the cogniscenti, I suspect there is bound to be, sooner or later,
> something mentioned here that someone is unfamiliar with.

Hey there fella, if yer goin' to go usin' words like "cogniscenti" in this
here list don't ferget to include a definition and a couple of
examples...:)

-- 
Jeff "I don't even know how to spell Google" Kinz, Emergent Research, Hudson, 
MA.
speech recognition software may have been used to create this e-mail

For Christ's sake, Put the Yule back in Yuletide.

(wheee, back to ye olde egge nog!)


getting Authoritative Name Servers registered in TLD

2005-12-19 Thread Python
I've registered 
ns1.venix.com
ns2.venix.com
secure.venix.com

as name servers with my registrar (omnis).  They can be listed as
authoritative for other COM domains without difficulty.

I would like to make them authoritative for some ORG domains.  The org
registrar (AITdomains) insists that it is up to the venix.com registrar
(omnis) to push my name servers into the ORG root servers.  omnis
insists that it is the registrar for the ORG domain (AITdomains) that
must do it.

My reading of rfc2832 seems to say that omnis should be doing the job,
but the programmer in me says omnis has no way of knowing which TLD
domains will need my servers.  Therefore if I list a venix.com server as
authoritative for a .CC domain,  the registrar for that .CC domain
should handle putting my venix.com servers into the CC root.

Was that clear?  Whom should I be nagging, yelling at, leaning on???

-- 
Lloyd Kvam
Venix Corp



Server Security (was SSH attack)

2005-12-19 Thread Greg Rundlett
I've got a number of servers at a hosting company that were configured
prior to my becoming responsible for them.  Traditionally, I've used
SSH to do minor editing on servers, but more and more, I've come to
rely on KDE's ability to 'speak' SSH to just browse (Konqueror) files
on remote machines, edit them in an IDE (Quanta Plus).  I use rsync to
publish (actually synchronize) entire directory trees between
development/staging/production areas.

The environment I find myself in now is unlike ones that I'm used to. 
SSH is allowed for some hosts while not for others.  For most host
access, you need to go through a single point of entry (sentry), and
then ssh from there over the local network.  (There is both a
front-end network 10.x.x.x for the hosted machines, and a backend
network 10.y.y.y).  I'm still trying to understand what all this buys
me in terms of security, but from my simple perspective of a
developer, it buys me a large level of complication with no usability.
 I am not really sure what tricks I need to get rsync to go from box C
(desktop) to box B (sentry) to box A (host) because I' ve only gone
from C->A in the past.

MySQL is not allowed for any external connection.  I can't use any
database administration tools on the databases - because I have no
direct access to the database server on any machine, and even
installing a 'client' on the server won't work because I can't ssh -X
to that particular box (and it's not running an X server).

So, (I could easily be opining on things which I do not know enough
about) according to what I know about thwarting script kiddies, and
having good security measures while still providing critical services,
it seems like it would be a 'best practice' approach to open SSHd and
MySQLd to known IP address(es) using strong passwords, and non-standard
ports.  Of course, this presumes having a hardened OS, secured MySQL
server, and updated SSHd.

Maybe it's time to go read that book about secure servers.


[EMAIL PROTECTED]: DenyHosts Report]

2005-12-19 Thread Christopher Schmidt
With all this talk about DenyHosts, I looked in my ssh log and saw
several thousands of attempts at root logins from some Taiwanese IP last
week. As a result, I took the time to install DenyHosts: I figured it'd
be worth it, and right off the bat it blocked an attacking IP.

Great idea, until about 15 minutes ago, when I got this email:
> From: DenyHosts <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Tue, 20 Dec 2005 00:32:16 -0500
> Subject: DenyHosts Report
> 
> Added the following hosts to /etc/hosts.deny:
> 
> commune.crschmidt.net

Okay, so chances are extremely good that I could fix this with better
settings, but for now I've shut down the denyhosts daemon until I can
figure out what I did wrong. I do see 3 failed password attempts in the
last 1000 lines of auth.log, but with 3 of us at the house regularly
using SSH, that's not out of the question. 

And I certainly don't want to wake up in the morning and find out that
my ssh access is blocked :)

-- 
Christopher Schmidt
Web Developer


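Christopher's report is the classic failure mode of log-driven blocking: the counter cannot tell an attacker from a housemate mistyping a password, and the host that gets written into hosts.deny may be your own. The block below is an added illustration of the counting a DenyHosts-style tool performs, not DenyHosts' own code: it tallies failed sshd logins per source with separate thresholds for root, existing users and non-existent users, and shows the two knobs that keep your own hosts out of the file, a whitelist of networks that are never denied and a successful login clearing the count. SAMPLE_LOG is constructed (RFC 5737 addresses, OpenSSH's message formats); the threshold values and the function names are this example's own. DenyHosts exposes the same ideas in its configuration, so check its denyhosts.cfg for the real knobs.

```python
"""Added illustration of DenyHosts-style counting (not DenyHosts' code)."""
import ipaddress
import re
from collections import Counter

# OpenSSH auth messages; search() skips the syslog prefix.
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
                      r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Separate thresholds for root, existing users and non-existent users,
# in the spirit of DenyHosts' configuration (numbers here are ours).
THRESHOLDS = {"root": 1, "valid": 10, "invalid": 5}

# Constructed log excerpt, not captured data.
SAMPLE_LOG = """\
Dec 20 00:10:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 40120 ssh2
Dec 20 00:10:03 host sshd[2002]: Invalid user admin from 198.51.100.7
Dec 20 00:10:03 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40121 ssh2
Dec 20 00:25:41 host sshd[2100]: Failed password for chris from 192.0.2.44 port 51000 ssh2
Dec 20 00:25:45 host sshd[2100]: Failed password for chris from 192.0.2.44 port 51000 ssh2
Dec 20 00:25:52 host sshd[2100]: Accepted password for chris from 192.0.2.44 port 51000 ssh2
Dec 20 00:31:12 host sshd[2150]: Failed password for kate from 203.0.113.9 port 51222 ssh2
Dec 20 00:31:20 host sshd[2150]: Failed password for kate from 203.0.113.9 port 51222 ssh2
Dec 20 00:31:33 host sshd[2150]: Failed password for kate from 203.0.113.9 port 51222 ssh2
""".splitlines()


def category(match):
    """root / valid / invalid, from a FAILED match."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"


def offenders(lines, whitelist=(), thresholds=THRESHOLDS, reset_on_success=True):
    """Return {ip: category} for every source that reached a threshold.
    whitelist: CIDR strings that are never denied (your own LAN, the NAT
    address of the office, the host you administer from)."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    counts = Counter()
    denied = {}
    for line in lines:
        ok = ACCEPTED.search(line)
        if ok:
            if reset_on_success:        # a real login from there: forgive it
                for cat in thresholds:
                    counts.pop((ok.group("ip"), cat), None)
            continue
        m = FAILED.search(line)
        if not m:
            continue
        ip, cat = m.group("ip"), category(m)
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue                    # whitelisted: never counted
        counts[(ip, cat)] += 1
        if counts[(ip, cat)] >= thresholds[cat]:
            denied[ip] = cat
    return denied


def hosts_deny_lines(denied):
    """The lines a DenyHosts-style tool appends to /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in sorted(denied)]


if __name__ == "__main__":
    print(hosts_deny_lines(offenders(SAMPLE_LOG)))
    print(hosts_deny_lines(offenders(SAMPLE_LOG, whitelist=["192.0.2.0/24"],
                                     thresholds={"root": 1, "valid": 2, "invalid": 5},
                                     reset_on_success=False)))
```

Note what the run shows: with a root threshold of 1, a single "ssh root@" typo from a trusted address is enough to land it in hosts.deny, and a success only helps if it arrives before the threshold is crossed, since nothing here ever removes an entry once written. The whitelist is the robust fix for the hosts you must never lose, which is why it belongs in the configuration before the daemon is started rather than after the first lockout.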