Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Peter Hardy
On Tue, 2006-02-14 at 14:25 +1100, Howard Lowndes wrote:
> One word of caution, esp if you are using a laptop; make sure that your 
> private key on your lappy is passphrase encoded.  It will be the same 
> from any site you might access from but it does lock out casual passing 
> hackers if you leave the lappy unattended.

By the same token, it's worth looking at the -t option to ssh-agent and
ssh-add to specify a maximum lifetime for keys added to your ssh agent.

In a perfect world, though, keys would have an idle timeout (like the
way sudo works) instead of an absolute life.

-- 
Pete

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Voytek Eymont

On Tue, February 14, 2006 2:25 pm, Howard Lowndes wrote:

> Glen Turner wrote:

> One word of caution, esp if you are using a laptop; make sure that your
> private key on your lappy is passphrase encoded.  It will be the same from
> any site you might access from but it does lock out casual passing hackers
> if you leave the lappy unattended.

thanks for all comments.
no, no laptop (anymore)...
luckily, just a USB stick (it's considerably lighter, not just on the
arm) and a Palm


-- 
Voytek



Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Howard Lowndes

Glen Turner wrote:
>> as is, I'm the sole ssh user, though, I do use it from several hosts, not
>> all known in advance to me
>
> In that case you might want to consider turning off password
> authentication altogether and going with just public key
> authentication.  Stops the door knockers cold.
>
> Main advantage is that you're then not tied to particular
> IP addresses, which is handy if you've got a laptop or
> going through a big NAT somewhere.

One word of caution, esp if you are using a laptop; make sure that your 
private key on your lappy is passphrase encoded.  It will be the same 
from any site you might access from but it does lock out casual passing 
hackers if you leave the lappy unattended.


--
Howard.
LANNet Computing Associates - Your Linux people 
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.



Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Paul Dwerryhouse
On Tue, Feb 14, 2006 at 07:55:58AM +1100, Voytek Eymont wrote:
> as of a few weeks ago, my logwatch has swollen up to well over 500k, full of
> dictionary(?) attack attempts like below:
> 
> is there much I can do ? like to prevent multiple attempts from same IP ?

I have the following configured to drop connections after four ssh
connections from the same address in the space of 60 seconds, using
ipt_state:

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent \
--set --name SSH --rsource 
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP 

Cheers,

Paul


-- 
Paul Dwerryhouse| PGP Key ID: 0x6B91B584

Installing Debian Sarge with software RAID:
http://nepotismia.com/debian/raidinstall/


Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Matthew Hannigan
On Tue, Feb 14, 2006 at 01:32:29PM +1100, Voytek Eymont wrote:
> 
> On Tue, February 14, 2006 11:52 am, Matthew Hannigan wrote:
> > On Tue, Feb 14, 2006 at 12:05:25PM +1100, Dave Kempe wrote:
> >> Voytek Eymont wrote:
> 
> > You probably want DenyHosts :   http://denyhosts.sourceforge.net/
> 
> > But you're far better off whitelisting than blacklisting, if you can.
> > I only accept ssh connections to my box from a few machines.
> 
> thanks
> as is, I'm the sole ssh user, though, I do use it from several hosts, not
> all known in advance to me
> 
> where do I enter 'approved' hosts ?

You can do it in at least 2 places. do both if you like...

1. /etc/hosts.allow, /etc/hosts.deny (these files are part of 'tcp_wrappers',
do 'man hosts.allow' to find out more).
Put sshd: ALL in /etc/hosts.deny and sshd: in hosts.allow

This is part of what the 'denyhosts' program mentioned above does
for you dynamically.

2. iptables (i.e. firewall)

Do you have iptables/firewalling on?  If so read on, if not, you probably need
to think hard about what you need to let in.  Set up a basic one with
'system-config-security'

Then add one or more lines like:
-A RH-Firewall-1-INPUT -m state -s  
--state NEW -m tcp -p tcp --dport 22 -j ACCEPT
in /etc/sysconfig/iptables, 
Make sure a line like
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
is towards the end.
Then 'service iptables restart'

Also don't do this remotely just in case you lock yourself out.

> 
> my current sshd_config has:
> 
> ---
> Protocol 2
> AllowUsers voytek

good!

> SyslogFacility AUTHPRIV
> X11Forwarding yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
> ---
> I guess I should get rid of the X11 line ?

doesn't matter

> what else should I do here ?
> do I need sftp-server ?

again doesn't matter, you may as well leave it.
you may want sftp access. (sftp is ssh transfers made to look a bit like ftp)

Matt




Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Glen Turner

> as is, I'm the sole ssh user, though, I do use it from several hosts, not
> all known in advance to me

In that case you might want to consider turning off password
authentication altogether and going with just public key
authentication.  Stops the door knockers cold.

Main advantage is that you're then not tied to particular
IP addresses, which is handy if you've got a laptop or
going through a big NAT somewhere.
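An added example (mine, not code from the thread or from OpenSSH) for Glen's "turn off password authentication" advice here and for Matthew's look at Voytek's sshd_config earlier on the page: a small audit of an sshd_config that resolves directives the way sshd does (the first occurrence of a keyword wins, and anything under a Match line is conditional) and flags whatever still leaves a password path open, plus a harden() that rewrites the file for key-only access. The two sample configs are constructed: the first is Voytek's posted lines plus the commented-out PasswordAuthentication line a stock file ships with; the second shows the classic mistake of appending "PasswordAuthentication no" below an earlier "yes". The defaults the audit relies on (PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication all default to yes) are from the sshd_config man page.

```python
import re

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
DIRECTIVE_RE = re.compile(r"\s*([A-Za-z0-9]+)\s*[=\s]\s*(.*)")

# Prepended by harden().  They go first because sshd keeps the first value it
# reads for a keyword.  Newer OpenSSH no longer speaks SSH-1 and treats
# Protocol as a deprecated, ignored option; it is harmless there.
HARDENED_HEADER = [
    "# key-only access; kept at the top because sshd uses the first value it sees",
    "Protocol 2",
    "PasswordAuthentication no",
    "ChallengeResponseAuthentication no",
    "PubkeyAuthentication yes",
]
OVERRIDDEN = {"protocol", "passwordauthentication", "challengeresponseauthentication",
              "kbdinteractiveauthentication", "pubkeyauthentication"}

# Constructed sample: the lines Voytek posted, plus the commented-out
# PasswordAuthentication line a stock Red Hat sshd_config ships with.
POSTED_CONFIG = """\
Protocol 2
AllowUsers voytek
#PasswordAuthentication no
SyslogFacility AUTHPRIV
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Constructed sample of the classic mistake: a 'no' appended at the bottom of a
# file that already says 'yes' near the top.  sshd keeps the first value.
APPENDED_FIX_CONFIG = """\
Protocol 2
PasswordAuthentication yes
AllowUsers voytek
# ... appended later, thinking it overrides the line above:
PasswordAuthentication no
ChallengeResponseAuthentication no
"""


def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves it: first occurrence wins,
    and parsing stops at the first Match line (everything below is conditional)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(config_text):
    """List the findings that keep a password path open; empty means key-only."""
    s = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes): password guessing still works")
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no': with UsePAM this is a second password prompt")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is 'no': with passwords off as well there is no way in")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid login target")
    if s.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: 'root' is the name every scanner tries first")
    proto = s.get("protocol")
    if proto is None:
        findings.append("Protocol not set: old servers defaulted to '2,1'; say 'Protocol 2' explicitly")
    elif "1" in proto.split(","):
        findings.append(f"Protocol {proto} enables SSH-1")
    return findings


def harden(config_text):
    """Return config_text with the password paths closed.  Existing lines for the
    overridden keywords (outside Match blocks) are dropped rather than shadowed, so
    the file states each setting once; comments and everything else are kept."""
    kept, in_match = [], False
    for raw in config_text.splitlines():
        m = DIRECTIVE_RE.match(raw)
        key = m.group(1).lower() if m else None
        if key == "match":
            in_match = True
        if key in OVERRIDDEN and not in_match:
            continue
        kept.append(raw)
    return "\n".join(HARDENED_HEADER + kept) + "\n"


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("appended fix", APPENDED_FIX_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["ok: key-only"]:
            print("  ", f)
        print("== after harden() ==")
        print(harden(cfg))
```

Whatever you end up writing, run `sshd -t -f /path/to/new/sshd_config` before restarting, and keep the session you are already logged in on open until a fresh key login succeeds. The ChallengeResponseAuthentication check is the one people miss: turning off PasswordAuthentication alone leaves PAM's keyboard-interactive prompt, which to a brute-forcer is just another password prompt.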


Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Voytek Eymont

On Tue, February 14, 2006 11:52 am, Matthew Hannigan wrote:
> On Tue, Feb 14, 2006 at 12:05:25PM +1100, Dave Kempe wrote:
>> Voytek Eymont wrote:

> You probably want DenyHosts :   http://denyhosts.sourceforge.net/

> But you're far better off whitelisting than blacklisting, if you can.
> I only accept ssh connections to my box from a few machines.

thanks
as is, I'm the sole ssh user, though, I do use it from several hosts, not
all known in advance to me

where do I enter 'approved' hosts ?

my current sshd_config has:

---
Protocol 2
AllowUsers voytek
SyslogFacility AUTHPRIV
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
---
I guess I should get rid of the X11 line ?
what else should I do here ?
do I need sftp-server ?

-- 
Voytek



Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Matthew Hannigan
On Tue, Feb 14, 2006 at 12:05:25PM +1100, Dave Kempe wrote:
> Voytek Eymont wrote:
> >as of a few weeks ago, my logwatch has swollen up to well over 500k, full of
> >dictionary(?) attack attempts like below:
> >
> >is there much I can do ? like to prevent multiple attempts from same IP ?

You probably want DenyHosts :   http://denyhosts.sourceforge.net/

"DenyHosts is a script intended to be run by
Linux system administrators to help thwart ssh
server attacks."

It's in fedora4 'extras', fwiw.

But you're far better off whitelisting than blacklisting, if you can.
I only accept ssh connections to my box from a few machines.

> ipt_recent netfilter module can help you there.
> or you could just setup port-knocking.
> I recommend portknocking.org as an intro

portknocking can be a little dodgy.  To a certain extent
it's security by obscurity.

Matt


Re: [SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Dave Kempe

Voytek Eymont wrote:
> as of a few weeks ago, my logwatch has swollen up to well over 500k, full of
> dictionary(?) attack attempts like below:
>
> is there much I can do ? like to prevent multiple attempts from same IP ?

ipt_recent netfilter module can help you there.
or you could just setup port-knocking.
I recommend portknocking.org as an intro

dave


[SLUG] blocking recurrent attempted access ?

2006-02-13 Thread Voytek Eymont
as of a few weeks ago, my logwatch has swollen up to well over 500k, full of
dictionary(?) attack attempts like below:

is there much I can do ? like to prevent multiple attempts from same IP ?

RH73, ipchains

---
Failed logins from these:
   root/password from 202.30.108.64: 85 time(s)
   root/password from 218.24.139.109: 59 time(s)
...

**Unmatched Entries**
Failed password for illegal user bash from 221.244.156.229 port 58573 ssh2
Received disconnect from 221.244.156.229: 11: Bye Bye
input_userauth_request: illegal user bash
Failed password for illegal user bash from 221.244.156.229 port 59460 ssh2
...


-- 
Voytek

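As an added example (not part of the thread), here is the detection side of what Paul's ipt_recent rule and DenyHosts automate, run over log lines in the shape of the logwatch excerpt above: failed-password lines are parsed per source address, counted in a sliding window with the same "4 hits in 60 seconds" threshold as Paul's `--seconds 60 --hitcount 4` rule, and the offenders are turned into the iptables DROP and hosts.deny entries a blocker would apply. The sample lines are constructed: the post's excerpt has no timestamps, so these carry made-up ones (syslog gives no year; 2006 is assumed), the hostname "gw", PIDs and ports are invented, and the addresses are the ones that appear in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as syslog records it.  The post's OpenSSH 3.x says
# "illegal user"; 4.x and later say "invalid user", so both are accepted.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2006  # syslog timestamps carry no year; assumed to match the thread

# Constructed sample (timestamps, host, PIDs and ports made up; addresses from the post).
SAMPLE_LOG = """\
Feb 14 07:55:10 gw sshd[2201]: Failed password for illegal user bash from 221.244.156.229 port 58573 ssh2
Feb 14 07:55:11 gw sshd[2201]: Received disconnect from 221.244.156.229: 11: Bye Bye
Feb 14 07:55:20 gw sshd[2203]: Failed password for illegal user bash from 221.244.156.229 port 59460 ssh2
Feb 14 07:55:31 gw sshd[2205]: Failed password for root from 221.244.156.229 port 59470 ssh2
Feb 14 07:55:42 gw sshd[2207]: Failed password for root from 221.244.156.229 port 59490 ssh2
Feb 14 07:55:55 gw sshd[2209]: Failed password for root from 221.244.156.229 port 59510 ssh2
Feb 14 07:56:00 gw sshd[2211]: Failed password for root from 202.30.108.64 port 40010 ssh2
Feb 14 07:56:25 gw sshd[2213]: Failed password for root from 202.30.108.64 port 40020 ssh2
Feb 14 07:56:50 gw sshd[2215]: Failed password for root from 202.30.108.64 port 40030 ssh2
Feb 14 07:57:15 gw sshd[2217]: Failed password for root from 202.30.108.64 port 40040 ssh2
Feb 14 08:10:00 gw sshd[2301]: Failed password for voytek from 10.0.0.5 port 50000 ssh2
Feb 14 08:10:05 gw sshd[2302]: Accepted publickey for voytek from 10.0.0.5 port 50001 ssh2
"""


def parse_failures(log_text, year=LOG_YEAR):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse "Feb  4" to "Feb 4"
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]


def analyse(log_text, window_seconds=60, hitcount=4):
    """Sliding-window count per source, mirroring '-m recent --seconds 60 --hitcount 4':
    the hit that brings an address to `hitcount` events inside the window is the one
    the rule would drop; blocked_at records when that first happened (None if never)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    report = {}
    for ts, user, ip in parse_failures(log_text):
        entry = report.setdefault(ip, {"attempts": 0, "users": set(), "blocked_at": None})
        entry["attempts"] += 1
        entry["users"].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget hits older than the window
            q.popleft()
        if entry["blocked_at"] is None and len(q) >= hitcount:
            entry["blocked_at"] = ts
    return report


def block_commands(report, port=22):
    """Per-offender actions: an iptables DROP (what the ipt_recent rule does on the
    fly) and a tcp_wrappers hosts.deny entry (what DenyHosts writes for you)."""
    offenders = sorted(ip for ip, e in report.items() if e["blocked_at"] is not None)
    iptables = [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in offenders]
    hosts_deny = [f"sshd: {ip}" for ip in offenders]
    return iptables, hosts_deny


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip, e in sorted(rep.items()):
        status = f"blocked at {e['blocked_at']:%H:%M:%S}" if e["blocked_at"] else "under threshold"
        print(f"{ip:16} {e['attempts']:3d} attempts as {','.join(sorted(e['users']))}: {status}")
    for cmd in block_commands(rep)[0]:
        print(cmd)
```

Note the difference between the two approaches the thread mentions: Paul's rule matches on new TCP connections (`--state NEW`), not on failed logins, so it also trips when you yourself open four sessions inside a minute, while a log-driven blocker like this (or DenyHosts) only reacts to actual failures but sees them a little later. Either way, put an ACCEPT for your own addresses ahead of the blocking rule so a mistyped passphrase cannot lock you out.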