Re: [OpenIndiana-discuss] Who is trying to break in ?
Sorry, too much web security lately! I meant OATH, not OAUTH. See http://www.nongnu.org/oath-toolkit/ ... Cheers Stefan Von: Stefan Müller-Wilken [stefan.mueller-wil...@acando.de] Gesendet: Donnerstag, 2. Juli 2015 11:53 An: Discussion list for OpenIndiana Betreff: Re: [OpenIndiana-discuss] Who is trying to break in ? We're using OAUTH toolkit's pam modules on our OI boxes with very good results. There's android and iOS apps for OTP key creation and installation was simple. Cheers Stefan Von: Till Wegmüller [toaster...@gmail.com] Gesendet: Donnerstag, 2. Juli 2015 10:25 An: Discussion list for OpenIndiana Betreff: Re: [OpenIndiana-discuss] Who is trying to break in ? David Brodbeck schrieb am Wednesday 01 July 2015 11.53:42: > Does anyone know of a 2-factor auth system for SSH? Being able to use > something like Google Authenticator would be nice. There are Yubikey and DUO Security Modules available for PAM There are also some generic Two factor Plugins available. U2F: Industry Standard for Two Factor auth mostly pushed by oauth OATH: NonGnu Project for Two Factor Tech MOTP: Independent OpenSource Project They should all theoretically work for OI, as PAM aims for Unix Compatibility. Greetings Till ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss - Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | USt-IdNr.: DE208833022 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss - Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | USt-IdNr.: DE208833022 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
We're using OAUTH toolkit's pam modules on our OI boxes with very good results. There's android and iOS apps for OTP key creation and installation was simple. Cheers Stefan Von: Till Wegmüller [toaster...@gmail.com] Gesendet: Donnerstag, 2. Juli 2015 10:25 An: Discussion list for OpenIndiana Betreff: Re: [OpenIndiana-discuss] Who is trying to break in ? David Brodbeck schrieb am Wednesday 01 July 2015 11.53:42: > Does anyone know of a 2-factor auth system for SSH? Being able to use > something like Google Authenticator would be nice. There are Yubikey and DUO Security Modules available for PAM There are also some generic Two factor Plugins available. U2F: Industry Standard for Two Factor auth mostly pushed by oauth OATH: NonGnu Project for Two Factor Tech MOTP: Independent OpenSource Project They should all theoretically work for OI, as PAM aims for Unix Compatibility. Greetings Till ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss - Acando GmbH, Millerntorplatz 1, 20359 Hamburg, Germany | Geschäftsführer: Guido Ahle | Amtsgericht Hamburg, HRB 76048 | USt-IdNr.: DE208833022 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
David Brodbeck schrieb am Wednesday 01 July 2015 11.53:42: > Does anyone know of a 2-factor auth system for SSH? Being able to use > something like Google Authenticator would be nice. There are Yubikey and DUO Security Modules available for PAM There are also some generic Two factor Plugins available. U2F: Industry Standard for Two Factor auth mostly pushed by oauth OATH: NonGnu Project for Two Factor Tech MOTP: Independent OpenSource Project They should all theoretically work for OI, as PAM aims for Unix Compatibility. Greetings Till ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
With some investigation, it looks like SmartOS has a package for this: http://everycity.co.uk/alasdair/2013/09/two-factor-authentication-google-authenticator-smartos/ Gary On 07/01/2015 03:11 PM, Gary Gendel wrote: Google Authenticator has a PAM module. I haven't tried it but I know it's available for several Linux distros. I'm not sure how difficult it would be to port to OI. http://www.tecmint.com/ssh-two-factor-authentication/ On 07/01/2015 02:53 PM, David Brodbeck wrote: On Wed, Jul 1, 2015 at 3:15 AM, Jim Klimov wrote: You can also boost security with no passwords allowed, keys only for ssh auth ;) True. I do this with machines where I'm the only one who'll be logging in. With machines that have lots of other users it becomes too much of an administrative hassle to distribute keys. Does anyone know of a 2-factor auth system for SSH? Being able to use something like Google Authenticator would be nice. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
Google Authenticator has a PAM module. I haven't tried it but I know it's available for several Linux distros. I'm not sure how difficult it would be to port to OI. http://www.tecmint.com/ssh-two-factor-authentication/ On 07/01/2015 02:53 PM, David Brodbeck wrote: On Wed, Jul 1, 2015 at 3:15 AM, Jim Klimov wrote: You can also boost security with no passwords allowed, keys only for ssh auth ;) True. I do this with machines where I'm the only one who'll be logging in. With machines that have lots of other users it becomes too much of an administrative hassle to distribute keys. Does anyone know of a 2-factor auth system for SSH? Being able to use something like Google Authenticator would be nice. ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
On Wed, Jul 1, 2015 at 3:15 AM, Jim Klimov wrote: > You can also boost security with no passwords allowed, keys only for ssh > auth ;) > True. I do this with machines where I'm the only one who'll be logging in. With machines that have lots of other users it becomes too much of an administrative hassle to distribute keys. Does anyone know of a 2-factor auth system for SSH? Being able to use something like Google Authenticator would be nice. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
On Wed, 1 Jul 2015, Jim Klimov wrote: You can also boost security with no passwords allowed, keys only for ssh auth ;) This certainly helps, but a remote compromised machine could still use those keys to log in to your system. Hopefully users of those keys do apply a passphrase to them. If the remote machine is compromised, then the key passphrase could be captured by keystroke logging and the private key file could be copied at that time. Bob -- Bob Friesenhahn bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer,http://www.GraphicsMagick.org/ ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
1 июля 2015 г. 9:51:49 CEST, benta...@chez.com пишет: >Hi, >I've been using sshl to multiplex openvpn, https and ssh on port 443 to >be able to go through anything and before that I was using tcpproxy for >the same reason. >I'm pretty impressed by sshl and I hope to use it when I replace the >linux all-in-one box by an refurbished Ultra 20/hipster. > >To be honest, for a very long time I had port 22 opened as well for ssh >the time to trust sshl and the difference is quite noticeable, security >wise. >On the other hand, if you don't allow root login, have good passwords >for users and root and log rotation correctly set, port 22 or not is >just a convenience question but I'm not a security guy, really. > >Ben. > >- Mail original - >De: "Jim Klimov" >À: "Discussion list for OpenIndiana" >, "Till Wegmüller" > >Envoyé: Lundi 29 Juin 2015 21:02:44 >Objet: Re: [OpenIndiana-discuss] Who is trying to break in ? > >29 июня 2015 г. 9:37:26 CEST, "Till Wegmüller" >пишет: >>Brogyányi József schrieb am Sunday 28 June 2015 11.01:55: >> >>> /The last was strange a little bit because he wanted to switch of >the >> >>> server. I think you have to change the 21 and 22 communication port. >>> I use the 443 port for ssh. I can reach the server easily from >>anywhere >>> because every company left it open that port. >> >>I Advise Strongly against using a different port for SSH. Especially a >>port like 443 which by default is used by apache and other webservers. >>Some Webservers might refuse to launch depending on their >>configuration. >> >>> I've noticed some text output before shutting down the system. >>> It seems someone ( or bots ) are constantly trying to log in as >root. >> >>Yea there are some Chinese Bot nets that scan for open SSH Ports and >>try to log in with root. I have them on every SSH capable server which >>is Internet reachable. They don't only scan 22 but also 666 or 1337. >>But they only make tries with weak default passwords like 12345. >> >>If you want to block them I suggest the Tool fail2ban. I use it on my >>Linux boxes and it works like a charm. There also seems to be a Port >>for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris >>but I haven't tested that. >> >>Greetings Till >> >>___ >>openindiana-discuss mailing list >>openindiana-discuss@openindiana.org >>http://openindiana.org/mailman/listinfo/openindiana-discuss > >Got no qualms about ssh (or openvpn) on port 443 - indeed, if one sets >up something non-standard, gotta be ready for the consequences. And to >all ids'es and sniffers, cryptotraffic looks much the same (different >dynamic flow patterns may be discerned by the smarter filters out there >though). > >As was said earlier, many networks (especially free wifi, and some >cellulars) only allow http(s) outwards, so there's not much choice for >road-workers. > >Also, there are server-side projects to colocate frontends for https >and ssh or openvpn on the same socket to veil it even more. > > >-- >Typos courtesy of K-9 Mail on my Samsung Android > >___ >openindiana-discuss mailing list >openindiana-discuss@openindiana.org >http://openindiana.org/mailman/listinfo/openindiana-discuss > >___ >openindiana-discuss mailing list >openindiana-discuss@openindiana.org >http://openindiana.org/mailman/listinfo/openindiana-discuss You can also boost security with no passwords allowed, keys only for ssh auth ;) -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
Hi, I've been using sshl to multiplex openvpn, https and ssh on port 443 to be able to go through anything and before that I was using tcpproxy for the same reason. I'm pretty impressed by sshl and I hope to use it when I replace the linux all-in-one box by an refurbished Ultra 20/hipster. To be honest, for a very long time I had port 22 opened as well for ssh the time to trust sshl and the difference is quite noticeable, security wise. On the other hand, if you don't allow root login, have good passwords for users and root and log rotation correctly set, port 22 or not is just a convenience question but I'm not a security guy, really. Ben. - Mail original - De: "Jim Klimov" À: "Discussion list for OpenIndiana" , "Till Wegmüller" Envoyé: Lundi 29 Juin 2015 21:02:44 Objet: Re: [OpenIndiana-discuss] Who is trying to break in ? 29 июня 2015 г. 9:37:26 CEST, "Till Wegmüller" пишет: >Brogyányi József schrieb am Sunday 28 June 2015 11.01:55: > >> /The last was strange a little bit because he wanted to switch of the > >> server. I think you have to change the 21 and 22 communication port. >> I use the 443 port for ssh. I can reach the server easily from >anywhere >> because every company left it open that port. > >I Advise Strongly against using a different port for SSH. Especially a >port like 443 which by default is used by apache and other webservers. >Some Webservers might refuse to launch depending on their >configuration. > >> I've noticed some text output before shutting down the system. >> It seems someone ( or bots ) are constantly trying to log in as root. > >Yea there are some Chinese Bot nets that scan for open SSH Ports and >try to log in with root. I have them on every SSH capable server which >is Internet reachable. They don't only scan 22 but also 666 or 1337. >But they only make tries with weak default passwords like 12345. > >If you want to block them I suggest the Tool fail2ban. I use it on my >Linux boxes and it works like a charm. There also seems to be a Port >for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris >but I haven't tested that. > >Greetings Till > >___ >openindiana-discuss mailing list >openindiana-discuss@openindiana.org >http://openindiana.org/mailman/listinfo/openindiana-discuss Got no qualms about ssh (or openvpn) on port 443 - indeed, if one sets up something non-standard, gotta be ready for the consequences. And to all ids'es and sniffers, cryptotraffic looks much the same (different dynamic flow patterns may be discerned by the smarter filters out there though). As was said earlier, many networks (especially free wifi, and some cellulars) only allow http(s) outwards, so there's not much choice for road-workers. Also, there are server-side projects to colocate frontends for https and ssh or openvpn on the same socket to veil it even more. -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
On Mon, Jun 29, 2015 at 2:02 AM, Jim Klimov wrote: > Got no qualms about ssh (or openvpn) on port 443 - indeed, if one sets up > something non-standard, gotta be ready for the consequences. And to all > ids'es and sniffers, cryptotraffic looks much the same (different dynamic > flow patterns may be discerned by the smarter filters out there though). > I think you underestimate sniffers and IDS's. While it's true that individual TCP packets in an encrypted stream may look the same, TLS and SSH have very different initial negotiation routines. I've never encountered a sniffer that did protocol identification and didn't know the difference. Now, distinguishing between two protocols that *both* use TLS would be more difficult. -- D. Brodbeck System Administrator, Linguistics University of Washington GPG key fingerprint: 0DB7 4B50 8910 DBC5 B510 79C4 3970 2BC3 2078 D875 ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
I use fail2ban on my OpenIndiana machine. I opted to compile it because the one around for OI are pretty old. There were no issues. If I remember, I did use the svc files from one of these packages but I might have whipped up my own. I also moved my ssh port to 222 just because of the frequency ssh was getting hit. I rarely see an attempt to connect from a bot. Gary On 6/29/2015 3:37 AM, Till Wegmüller wrote: Brogyányi József schrieb am Sunday 28 June 2015 11.01:55: /The last was strange a little bit because he wanted to switch of the server. I think you have to change the 21 and 22 communication port. I use the 443 port for ssh. I can reach the server easily from anywhere because every company left it open that port. I Advise Strongly against using a different port for SSH. Especially a port like 443 which by default is used by apache and other webservers. Some Webservers might refuse to launch depending on their configuration. I've noticed some text output before shutting down the system. It seems someone ( or bots ) are constantly trying to log in as root. Yea there are some Chinese Bot nets that scan for open SSH Ports and try to log in with root. I have them on every SSH capable server which is Internet reachable. They don't only scan 22 but also 666 or 1337. But they only make tries with weak default passwords like 12345. If you want to block them I suggest the Tool fail2ban. I use it on my Linux boxes and it works like a charm. There also seems to be a Port for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris but I haven't tested that. Greetings Till ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
29 июня 2015 г. 9:37:26 CEST, "Till Wegmüller" пишет: >Brogyányi József schrieb am Sunday 28 June 2015 11.01:55: > >> /The last was strange a little bit because he wanted to switch of the > >> server. I think you have to change the 21 and 22 communication port. >> I use the 443 port for ssh. I can reach the server easily from >anywhere >> because every company left it open that port. > >I Advise Strongly against using a different port for SSH. Especially a >port like 443 which by default is used by apache and other webservers. >Some Webservers might refuse to launch depending on their >configuration. > >> I've noticed some text output before shutting down the system. >> It seems someone ( or bots ) are constantly trying to log in as root. > >Yea there are some Chinese Bot nets that scan for open SSH Ports and >try to log in with root. I have them on every SSH capable server which >is Internet reachable. They don't only scan 22 but also 666 or 1337. >But they only make tries with weak default passwords like 12345. > >If you want to block them I suggest the Tool fail2ban. I use it on my >Linux boxes and it works like a charm. There also seems to be a Port >for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris >but I haven't tested that. > >Greetings Till > >___ >openindiana-discuss mailing list >openindiana-discuss@openindiana.org >http://openindiana.org/mailman/listinfo/openindiana-discuss Got no qualms about ssh (or openvpn) on port 443 - indeed, if one sets up something non-standard, gotta be ready for the consequences. And to all ids'es and sniffers, cryptotraffic looks much the same (different dynamic flow patterns may be discerned by the smarter filters out there though). As was said earlier, many networks (especially free wifi, and some cellulars) only allow http(s) outwards, so there's not much choice for road-workers. Also, there are server-side projects to colocate frontends for https and ssh or openvpn on the same socket to veil it even more. -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
Brogyányi József schrieb am Sunday 28 June 2015 11.01:55: > /The last was strange a little bit because he wanted to switch of the > server. I think you have to change the 21 and 22 communication port. > I use the 443 port for ssh. I can reach the server easily from anywhere > because every company left it open that port. I Advise Strongly against using a different port for SSH. Especially a port like 443 which by default is used by apache and other webservers. Some Webservers might refuse to launch depending on their configuration. > I've noticed some text output before shutting down the system. > It seems someone ( or bots ) are constantly trying to log in as root. Yea there are some Chinese Bot nets that scan for open SSH Ports and try to log in with root. I have them on every SSH capable server which is Internet reachable. They don't only scan 22 but also 666 or 1337. But they only make tries with weak default passwords like 12345. If you want to block them I suggest the Tool fail2ban. I use it on my Linux boxes and it works like a charm. There also seems to be a Port for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris but I haven't tested that. Greetings Till ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
Hi Please check your mail as root. Just you have to issue the mail command. I copied my mails. You can see some lost user in it: /To: root@hipster.local// //From: petersonal@hipster.local// //Subject: *** SECURITY information for hipster ***// //Content-Length: 138// // //hipster : Jun 5 21:22:49 : petersonal : user NOT in sudoers ; TTY=pts/1 ; PWD=/export/home/petersonal ; USER=root ; COMMAND=/usr/bin/su// //**// //To: root@hipster.local// //From: joe@hipster.local// //Subject: *** SECURITY information for hipster ***// //Content-Length: 142// // //hipster : Feb 21 14:42:04 : joe : user NOT in sudoers ; TTY=pts/1 ; PWD=/export/home/joe ; USER=root ; COMMAND=/usr/sbin/shutdown -y -i6 -g0// /The last was strange a little bit because he wanted to switch of the server. I think you have to change the 21 and 22 communication port. I use the 443 port for ssh. I can reach the server easily from anywhere because every company left it open that port. BR Brogyi 27 июня 2015 г. 9:42:29 CEST, Handojo via openindiana-discuss пишет: Dear Friends, I've noticed some text output before shutting down the system. It seems someone ( or bots ) are constantly trying to log in as root. Is there a mechanism to see the successfull and failed login attempts ? Thank you, Handojo ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss There is last/lastlog, but generally if you did not tweak the system against its defaults, 'root' is a role that can be assumed by another user via sudo or pfexec, but not an account that can be directly logged into. Jim -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Who is trying to break in ?
27 июня 2015 г. 9:42:29 CEST, Handojo via openindiana-discuss пишет: >Dear Friends, > >I've noticed some text output before shutting down the system. >It seems someone ( or bots ) are constantly trying to log in as root. > >Is there a mechanism to see the successfull and failed login attempts ? > >Thank you, > >Handojo > >___ >openindiana-discuss mailing list >openindiana-discuss@openindiana.org >http://openindiana.org/mailman/listinfo/openindiana-discuss There is last/lastlog, but generally if you did not tweak the system against its defaults, 'root' is a role that can be assumed by another user via sudo or pfexec, but not an account that can be directly logged into. Jim -- Typos courtesy of K-9 Mail on my Samsung Android ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
[OpenIndiana-discuss] Who is trying to break in ?
Dear Friends, I've noticed some text output before shutting down the system. It seems someone ( or bots ) are constantly trying to log in as root. Is there a mechanism to see the successfull and failed login attempts ? Thank you, Handojo ___ openindiana-discuss mailing list openindiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
