RE: [SLUG] sshd config: tighten access ?
ARG!! DOH! DOH! DOH!

Thanks Dave, you are dead right!

Phill O'Flynn

-----Original Message-----
From: David Kempe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 5 January 2005 11:02 PM
To: Phill
Cc: slug@slug.org.au
Subject: Re: FW: [SLUG] sshd config: tighten access ?

Phill wrote:
> The IP/mask that I am connecting from is 192.168.1.3/255.255.255.0 the
> server is located in a dmz with the IP address of 10.1.1.30
>

well then you probably aren't connecting from 192.168.1.3, you are
connecting from whatever connects you to 10.1.1.30 (there must be a
router there). try adding 10.0.0.0/255.0.0.0 to your hosts.allow.

dave

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: FW: [SLUG] sshd config: tighten access ?
Phill wrote:
> The IP/mask that I am connecting from is 192.168.1.3/255.255.255.0 the
> server is located in a dmz with the IP address of 10.1.1.30

well then you probably aren't connecting from 192.168.1.3, you are
connecting from whatever connects you to 10.1.1.30 (there must be a
router there). try adding 10.0.0.0/255.0.0.0 to your hosts.allow.

dave
FW: [SLUG] sshd config: tighten access ?
The IP/mask that I am connecting from is 192.168.1.3/255.255.255.0 the
server is located in a dmz with the IP address of 10.1.1.30

Regards,
Phill O'Flynn
Re: FW: [SLUG] sshd config: tighten access ?
This one time, at band camp, Phill wrote:
>Hi slugers
>A few days back Dave Kempe made the suggestion below to further secure
>ssh. Now I tried to do this on my local network as a test using
>
>sshd: 192.168.1.0/255.255.255.0
>
>in the hosts.allow but winscp failed to connect. I tried a few options but
>the only way I could connect is by using
>
>sshd: ALL
>
>in the hosts.allow file. What is going wrong?

Maybe it's all going right. What IP are you connecting from?
FW: [SLUG] sshd config: tighten access ?
Hi slugers

A few days back Dave Kempe made the suggestion below to further secure
ssh. Now I tried to do this on my local network as a test using

sshd: 192.168.1.0/255.255.255.0

in the hosts.allow but winscp failed to connect. I tried a few options but
the only way I could connect is by using

sshd: ALL

in the hosts.allow file. What is going wrong?

Regards,
Phill O'Flynn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Kempe
Sent: Thursday, 30 December 2004 3:05 PM
To: Voytek
Cc: slug@slug.org.au
Subject: Re: [SLUG] sshd config: tighten access ?

Voytek wrote:
> is a public web/mail server, so, I need to allow full access to web/mail/dns

well instead of the ALL bit in hosts.allow/deny just use sshd
if you use these tcpwrapper features, you can allow whole subnets easily.
like so:

(hosts.allow)
#Australia
sshd: 203.0.0.0/255.0.0.0

(hosts.deny)
#Block ssh from everywhere (except those in hosts.allow)
sshd: ALL

of course you could just add the fixed ip and the subnet of your dialup IPs.
that way at least you massively slash the amount of hosts that can connect
to you. and mostly avoid the crackers from Romania and Russia

dave
Re: [SLUG] sshd config: tighten access ?
> The documentation on setting up a remote public key account is really poor.
> Here's the procedure

I should have added that this was for a password->publickey migration.
If you've already disabled password authentication you'll have to find
a non-ssh channel for getting the id_dsa.pub key to the server. USB
memory sticks are handy for that kind of stuff.
Re: [SLUG] sshd config: tighten access ?
Voytek wrote:
> I just looked through some logs, and, see a lot of attempted access like:
>
> # grep "illegal user" secure
> Dec 29 10:10:11 koala sshd[20080]: input_userauth_request: illegal user jane
> Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.42.32.89 port 56720 ssh2
> ...
> what should I do to increase security ?

There are a few steps, all worthwhile.

1) Don't make it insanely easy

/etc/ssh/sshd_config:
  PermitEmptyPasswords no
  PermitRootLogin no

People that want to do a root login can use sudo (config sudo's
/etc/sudoers with
  root ALL=(ALL) ALL
  %wheel ALL=(ALL) ALL
and add those people to the "wheel" group).

2) Limit the acceptable users

Add a group, I use "ssh" (ie, groupadd -r ssh)
Add users allowed to ssh in to that group.
Configure sshd
  AllowGroups ssh

3) Restrict IP addresses

Configure /etc/hosts.deny with
  ALL: ALL
Configure /etc/hosts.allow with
  ALL: 127.
  ALL: [::1]/128
  sshd: ALL
Modifying the sshd line to your particular access policy. Obviously you
might need more lines if you run other services too.

Monitor /var/log/secure and /var/log/messages.

4) Consider non-password authentication

I use public key authentication for most machines. This is pretty easy
to set up for a single user. The major restriction is that you shouldn't
use it for chains of logins like:
  a> ssh b
  b> ssh c

Then disable password authentication. Then all these password scanners
can't succeed because they are stopped at a most basic level.
  PasswordAuthentication no
  KerberosAuthentication no
  ChallengeResponseAuthentication no

What I'd really like from sshd is public key authentication and then
password authentication (ie, something you have, something you know)
but sshd can't do that.

--

The documentation on setting up a remote public key account is really poor.
Here's the procedure (adapted from an AARNet internal procedure):

On your client

  client$ scp .ssh/id_dsa.pub server.example.edu.au:tmp.pub
  [EMAIL PROTECTED]'s password: **
  id_dsa.pub                                100%  604     3.8MB/s   00:00

[ If you don't have a .ssh/id_dsa.pub then create one using
    client$ ssh-keygen -t dsa
  If you get complaints during key generation about lack of entropy
  (common on lightly-loaded headless servers), then establish another
  login session and force some disk activity (eg, du -s /). ]

Now connect to server.example.edu.au and add the client's public key to
the list of authorised hosts. Note US spelling:

  client$ ssh server.example.edu.au
  [EMAIL PROTECTED]'s password: **
  server$ cat tmp.pub >> .ssh/authorized_keys
  server$ chmod a=,u=rw .ssh/authorized_keys
  server$ rm tmp.pub

Don't log out (you might need a prompt if testing fails).

Test the connection

  client$ ssh server.example.edu.au
  Enter passphrase for key '/home/fab/.ssh/id_dsa': **

Note that it is asking for the password for your client machine's ssh
private key (the password you typed when you first ran ssh-keygen on the
client machine), not your password for server.

You still need to know your server.example.edu.au password for running
sudo, as that's the only way to gain root short of logging on through
the console.
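A way to check that steps 1, 2 and 4 of the post above actually took effect on a box, as an added example that is not part of the thread. It applies two real sshd parsing rules that bite people who paste hardening lines at the bottom of a file: keywords are case-insensitive, and the first occurrence of a keyword wins, so a later `PermitRootLogin no` is ignored if an earlier line says `yes`. Everything after the first `Match` line is conditional and is not audited. The two sample configs are constructed, and the expected values are taken from the post.

```python
"""Audit an sshd_config against the settings recommended in the post above."""
import re

# Values the post recommends (steps 1, 2 and 4); keys are lower-cased
# because sshd matches keywords case-insensitively.
EXPECTED = {
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kerberosauthentication": "no",
    "challengeresponseauthentication": "no",
}
REQUIRED_GROUP = "ssh"  # the group the post puts in AllowGroups

# 'Keyword value' or 'Keyword = value'
_LINE = re.compile(r"^(\S+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence winning."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional block: not part of the global policy
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, status, detail); status is OK, WEAK or MISSING."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append((key, "MISSING", "not set; the compiled-in default applies"))
        elif got.lower() == want:
            findings.append((key, "OK", got))
        else:
            findings.append((key, "WEAK", got))
    groups = cfg.get("allowgroups", "").split()
    if not groups:
        findings.append(("allowgroups", "MISSING", "every account with a shell may log in"))
    elif REQUIRED_GROUP in groups:
        findings.append(("allowgroups", "OK", " ".join(groups)))
    else:
        findings.append(("allowgroups", "WEAK", " ".join(groups)))
    return findings


def weak_settings(text):
    """Keywords that are not at the recommended value, sorted."""
    return sorted(k for k, status, _ in audit_sshd_config(text) if status != "OK")


# Constructed sample: password logins still on, plus a 'PermitRootLogin no'
# appended at the bottom that sshd ignores because an earlier line set it.
WEAK_CONFIG = """\
Port 22
PermitEmptyPasswords no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: the settings from steps 1, 2 and 4 of the post.
HARDENED_CONFIG = """\
PermitEmptyPasswords no
PermitRootLogin no
AllowGroups ssh
PasswordAuthentication no
KerberosAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for key, status, detail in audit_sshd_config(WEAK_CONFIG):
        print(f"{status:8} {key:34} {detail}")
```

Run it with the output of `sshd -T` rather than the raw file if your OpenSSH is new enough to have it; `sshd -T` prints the effective values with defaults filled in, so MISSING findings disappear and only real weaknesses remain.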
Re: [SLUG] sshd config: tighten access ?
Voytek wrote:
> is a public web/mail server, so, I need to allow full access to web/mail/dns

well instead of the ALL bit in hosts.allow/deny just use sshd
if you use these tcpwrapper features, you can allow whole subnets easily.
like so:

(hosts.allow)
#Australia
sshd: 203.0.0.0/255.0.0.0

(hosts.deny)
#Block ssh from everywhere (except those in hosts.allow)
sshd: ALL

of course you could just add the fixed ip and the subnet of your dialup IPs.
that way at least you massively slash the amount of hosts that can connect
to you. and mostly avoid the crackers from Romania and Russia

dave
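An offline checker for the hosts.allow / hosts.deny rules discussed in dave's message and in step 3 of the four-step post, added here as an example that is not part of the thread. It follows the hosts_access(5) order of evaluation (allow file first, then deny file, otherwise permit) and understands the IP-only client patterns used in the thread: `ALL`, `net/mask`, a dotted prefix such as `127.`, and `[ipv6]/prefixlen`. Hostname patterns and `EXCEPT` are deliberately not implemented; the options field (for example a `spawn` command) is parsed past and ignored. The sample rule sets are constructed from the thread's own lines, and the last pair reproduces Phill's problem: a rule for 192.168.1.0/24 does nothing when the server sees the router's DMZ-side address.

```python
"""Evaluate hosts.allow / hosts.deny for an IP client the way tcpd does."""
import ipaddress


def _split_fields(line):
    """Split 'daemons : clients [: options]' on ':' outside [...] brackets,
    so an IPv6 pattern such as [::1]/128 is not cut apart."""
    fields, buf, depth = [], "", 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0 and len(fields) < 2:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    return fields


def parse_rules(text):
    """Return [(daemon_list, client_list)]; the options field is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Does one client pattern from hosts.allow/deny match this address?"""
    if pattern == "ALL":
        return True
    if pattern.startswith("[") and "]/" in pattern:      # [::1]/128
        addr, plen = pattern[1:].split("]/", 1)
        return ip in ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    if "/" in pattern:                                    # 203.0.0.0/255.0.0.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                             # 127.  (dotted prefix)
        return ip.version == 4 and str(ip).startswith(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname and other pattern types: not handled here


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(
        client_matches(c, ip) for c in clients)


def is_allowed(daemon, client_ip, hosts_allow, hosts_deny):
    """True if tcpd would accept `daemon` from `client_ip` with these two files."""
    ip = ipaddress.ip_address(client_ip)
    if any(rule_matches(r, daemon, ip) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(hosts_deny)):
        return False
    return True  # matches neither file: access is granted


# Constructed sample following the thread: loopback for everything,
# sshd only from the /8 dave used, all other ssh refused.
HOSTS_ALLOW = """\
ALL: 127.
ALL: [::1]/128
#Australia
sshd: 203.0.0.0/255.0.0.0
"""
HOSTS_DENY = """\
#Block ssh from everywhere (except those in hosts.allow)
sshd: ALL
"""

# Phill's case: his LAN rule alone, and with the DMZ network dave suggested.
LAN_ONLY = "sshd: 192.168.1.0/255.255.255.0\n"
WITH_DMZ = LAN_ONLY + "sshd: 10.0.0.0/255.0.0.0\n"

if __name__ == "__main__":
    for ip in ("203.42.32.89", "213.149.114.51", "127.0.0.1", "::1"):
        print(ip, "->", "allow" if is_allowed("sshd", ip, HOSTS_ALLOW, HOSTS_DENY) else "deny")
    print("router-side client 10.1.1.1 with LAN rule only:",
          is_allowed("sshd", "10.1.1.1", LAN_ONLY, HOSTS_DENY))
```

The deny file here covers only `sshd`, which is the point dave was making to Voytek: with `sshd: ALL` instead of `ALL: ALL` in hosts.deny, other wrapped services keep their own policy. Real tcpd also resolves and checks hostnames and the `LOCAL`/`KNOWN`/`PARANOID` wildcards, so treat this as a pre-flight check on the IP rules, not a replacement for testing the daemon.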
Re: [SLUG] sshd config: tighten access ?
On 30/12/2004, at 2:42 PM, Brett Fenton wrote:
> if you're really interested you can add a line like to hosts.deny
>
> ALL: ALL: spawn (/bin/echo -e "%d %a %c %s from %h at `date`" |/usr/bin/mail -s 'LOGIN ATTEMPT %h %a' [EMAIL PROTECTED])&
>
> which basically emails you a log each time someone tries to connect.
> the connections will always fail unless they are coming from an IP from
> within an IP or IP range specified in hosts.allow

Swatch makes life a lot easier when you're trying to do this kind of thing.

--
Tony Green <[EMAIL PROTECTED]>
Re: [SLUG] sshd config: tighten access ?
> what do you use the machines for? if there are no services that require
> general access eg a web or mail server, you can use hosts.allow and
> hosts.deny to basically deny everything other than what is in the
> hosts.allow
> file. you could add some general C class block (or B class) to hosts.allow
>
> if you're really interested you can add a line like to hosts.deny

Brett,

is a public web/mail server, so, I need to allow full access to web/mail/dns

--
Voytek
Re: [SLUG] sshd config: tighten access ?
what do you use the machines for? if there are no services that require
general access eg a web or mail server, you can use hosts.allow and
hosts.deny to basically deny everything other than what is in the hosts.allow
file. you could add some general C class block (or B class) to hosts.allow

if you're really interested you can add a line like to hosts.deny

ALL: ALL: spawn (/bin/echo -e "%d %a %c %s from %h at `date`" |/usr/bin/mail -s 'LOGIN ATTEMPT %h %a' [EMAIL PROTECTED])&

which basically emails you a log each time someone tries to connect.
the connections will always fail unless they are coming from an IP from
within an IP or IP range specified in hosts.allow

regards,
brett

On Thursday 30 December 2004 13:01, Voytek wrote:
> I just looked through some logs, and, see a lot of attempted access like:
>
> # grep "illegal user" secure
> Dec 29 10:10:11 koala sshd[20080]: input_userauth_request: illegal user jane
> Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.42.32.89 port 56720 ssh2
> Dec 29 10:10:15 koala sshd[20083]: input_userauth_request: illegal user jane
> Dec 29 10:10:16 koala sshd[20085]: input_userauth_request: illegal user pamela
> Dec 29 10:10:18 koala sshd[20083]: Failed password for illegal user jane from 203.42.32.89 port 56825 ssh2
> Dec 29 10:10:18 koala sshd[20085]: Failed password for illegal user pamela from 203.42.32.89 port 56842 ssh2
> Dec 29 10:10:20 koala sshd[20088]: input_userauth_request: illegal user pamela
> Dec 29 10:10:22 koala sshd[20088]: Failed password for illegal user pamela from 203.42.32.89 port 56898 ssh2
> Dec 29 22:52:18 koala sshd[944]: input_userauth_request: illegal user test
> Dec 29 22:52:21 koala sshd[944]: Failed password for illegal user test from 213.149.114.51 port 59211 ssh2
> Dec 30 10:48:10 koala sshd[30110]: input_userauth_request: illegal user test
> Dec 30 10:48:10 koala sshd[30109]: input_userauth_request: illegal user test
> Dec 30 10:48:14 koala sshd[30109]: Failed password for illegal user test from 64.174.136.250 port 2399 ssh2
> Dec 30 10:48:14 koala sshd[30110]: Failed password for illegal user test from 64.174.136.250 port 2401 ssh2
> Dec 30 10:48:22 koala sshd[30111]: input_userauth_request: illegal user guest
> Dec 30 10:48:24 koala sshd[30111]: Failed password for illegal user guest from 64.174.136.250 port 2433 ssh2
>
> what should I do to increase security ?
>
> 99% of the time, I'm the sole user accessing via ssh, occasionally, I
> temporarily allow someone else.
> 80% of the time, I ssh from a fixed IP, rest of the time, I ssh from
> several Aussie ISP dialups/adsl
>
> is it worthwhile to scan logs and block these ips temporarily ?
>
> is it easy to add such IPs to my ipchains ?
>
> --
> Voytek

--
Brett Fenton
NetRegistry Pty Ltd
http://www.netregistry.com.au/
Tel: +61 2 96996099 | Fax: +61 2 96996088
PO Box 270 Broadway | NSW 2007, Australia
Your Total Internet Business Services Provider
Trusted by 10,000s of Oz Businesses Since 1997
[SLUG] sshd config: tighten access ?
I just looked through some logs, and, see a lot of attempted access like:

# grep "illegal user" secure
Dec 29 10:10:11 koala sshd[20080]: input_userauth_request: illegal user jane
Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.42.32.89 port 56720 ssh2
Dec 29 10:10:15 koala sshd[20083]: input_userauth_request: illegal user jane
Dec 29 10:10:16 koala sshd[20085]: input_userauth_request: illegal user pamela
Dec 29 10:10:18 koala sshd[20083]: Failed password for illegal user jane from 203.42.32.89 port 56825 ssh2
Dec 29 10:10:18 koala sshd[20085]: Failed password for illegal user pamela from 203.42.32.89 port 56842 ssh2
Dec 29 10:10:20 koala sshd[20088]: input_userauth_request: illegal user pamela
Dec 29 10:10:22 koala sshd[20088]: Failed password for illegal user pamela from 203.42.32.89 port 56898 ssh2
Dec 29 22:52:18 koala sshd[944]: input_userauth_request: illegal user test
Dec 29 22:52:21 koala sshd[944]: Failed password for illegal user test from 213.149.114.51 port 59211 ssh2
Dec 30 10:48:10 koala sshd[30110]: input_userauth_request: illegal user test
Dec 30 10:48:10 koala sshd[30109]: input_userauth_request: illegal user test
Dec 30 10:48:14 koala sshd[30109]: Failed password for illegal user test from 64.174.136.250 port 2399 ssh2
Dec 30 10:48:14 koala sshd[30110]: Failed password for illegal user test from 64.174.136.250 port 2401 ssh2
Dec 30 10:48:22 koala sshd[30111]: input_userauth_request: illegal user guest
Dec 30 10:48:24 koala sshd[30111]: Failed password for illegal user guest from 64.174.136.250 port 2433 ssh2

what should I do to increase security ?

99% of the time, I'm the sole user accessing via ssh, occasionally, I
temporarily allow someone else.
80% of the time, I ssh from a fixed IP, rest of the time, I ssh from
several Aussie ISP dialups/adsl

is it worthwhile to scan logs and block these ips temporarily ?

is it easy to add such IPs to my ipchains ?

--
Voytek
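Voytek asks whether it is worth scanning the log and blocking these addresses temporarily. The following is an added example, not something from the thread, of the scanning half of that: it reads `Failed password` lines from /var/log/secure, tallies attempts and the usernames tried per source address, and turns the addresses over a threshold into hosts.deny lines of the kind used later in the thread. The sample input is the set of lines Voytek posted plus two constructed lines for a legitimate user mistyping a password once from a fixed address (203.0.113.7 is a documentation range); the allowlist parameter exists so that the address you always log in from can never end up on the block list.

```python
"""Tally failed sshd password attempts per source address from an auth log."""
import ipaddress
import re
from collections import defaultdict

# OpenSSH of 2004 logged 'illegal user'; newer versions say 'invalid user'.
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<illegal>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Yield (ip, user, is_illegal) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("illegal") is not None


def summarise(log_text):
    """Return {ip: {"attempts": n, "illegal": n, "users": set}}."""
    stats = defaultdict(lambda: {"attempts": 0, "illegal": 0, "users": set()})
    for ip, user, illegal in parse_failures(log_text):
        s = stats[ip]
        s["attempts"] += 1
        s["illegal"] += int(illegal)  # attempts against accounts that do not exist
        s["users"].add(user)
    return dict(stats)


def block_candidates(log_text, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, minus the allowlist,
    sorted numerically."""
    safe = {ipaddress.ip_address(a) for a in allowlist}
    picked = [ip for ip, s in summarise(log_text).items()
              if s["attempts"] >= threshold and ipaddress.ip_address(ip) not in safe]
    return sorted(picked, key=ipaddress.ip_address)


def hosts_deny_lines(ips):
    """Render a block list in the hosts.deny syntax used in the thread."""
    return [f"sshd: {ip}" for ip in ips]


# Voytek's lines, plus two constructed ones (the last two) for a real user.
SAMPLE_LOG = """\
Dec 29 10:10:11 koala sshd[20080]: input_userauth_request: illegal user jane
Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.42.32.89 port 56720 ssh2
Dec 29 10:10:18 koala sshd[20083]: Failed password for illegal user jane from 203.42.32.89 port 56825 ssh2
Dec 29 10:10:18 koala sshd[20085]: Failed password for illegal user pamela from 203.42.32.89 port 56842 ssh2
Dec 29 10:10:22 koala sshd[20088]: Failed password for illegal user pamela from 203.42.32.89 port 56898 ssh2
Dec 29 22:52:21 koala sshd[944]: Failed password for illegal user test from 213.149.114.51 port 59211 ssh2
Dec 30 10:48:14 koala sshd[30109]: Failed password for illegal user test from 64.174.136.250 port 2399 ssh2
Dec 30 10:48:14 koala sshd[30110]: Failed password for illegal user test from 64.174.136.250 port 2401 ssh2
Dec 30 10:48:24 koala sshd[30111]: Failed password for illegal user guest from 64.174.136.250 port 2433 ssh2
Dec 30 11:05:09 koala sshd[30210]: Failed password for voytek from 203.0.113.7 port 40010 ssh2
Dec 30 11:05:15 koala sshd[30210]: Accepted password for voytek from 203.0.113.7 port 40010 ssh2
"""

if __name__ == "__main__":
    for ip, s in sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} attempts={s['attempts']:3} illegal={s['illegal']:3} users={sorted(s['users'])}")
    print("\n".join(hosts_deny_lines(block_candidates(SAMPLE_LOG, allowlist=["203.0.113.7"]))))
```

Two caveats a practitioner would add before wiring this into cron: a block list generated from logs must expire (the thread says "temporarily" for a reason, since dialup and ADSL addresses get reassigned), and the threshold only makes sense once the setting in step 4 of the earlier post is in place; with password authentication off, these attempts fail before any password is checked and the list becomes a curiosity rather than a control.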