Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Sun, Dec 22, 2013 at 2:06 AM, Greg Woods wo...@ucar.edu wrote:
> On Sat, 2013-12-21 at 10:22 +, Patrick O'Callaghan wrote:
>> Keepass and friends are worthy alternatives, but AFAIK they aren't usable from phones.
>
> I use Keepassdroid on an Android phone and it works just fine. It's a bit clunkier than on a desktop, but then, isn't everything? I manually download the database from Dropbox (only necessary if anything has changed), then Keepassdroid works just fine. Pasting the password after you've copied it to the clipboard is a long press.

Thanks, I'll check that out. I see there's also Keepass2Android, though it may not be Android 4.4 compatible (yet).

poc

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Sun, Dec 22, 2013 at 2:12 AM, bruce badoug...@gmail.com wrote:
> since this has been hijacked to be a thread regarding passwds.. why don't you relabel the topic...

Maybe, if it goes on much longer. However I would hardly call this hijacking. It has drifted a little from the original topic, but hijacking is generally understood to mean starting an entirely new and unrelated topic within an existing thread.

poc
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, Dec 20, 2013 at 9:34 PM, Rick Stevens ri...@alldigital.com wrote:
> Seconded. I use keepassx as well. My database is on a VFAT partition on a 1G USB Flash drive I carry with me with a second copy on my Droid phone...just in case I need it.

Keepass and friends are worthy alternatives, but AFAIK they aren't usable from phones. I use Lastpass transparently on desktops (Fedora and Mac), tablets (iPad and Android) and my phone (Android). The mobile version costs a whole $12 a year but I decided it made sense for me.

poc
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Sat, 2013-12-21 at 10:22 +, Patrick O'Callaghan wrote:
> Keepass and friends are worthy alternatives, but AFAIK they aren't usable from phones.

I use Keepassdroid on an Android phone and it works just fine. It's a bit clunkier than on a desktop, but then, isn't everything? I manually download the database from Dropbox (only necessary if anything has changed), then Keepassdroid works just fine. Pasting the password after you've copied it to the clipboard is a long press.

--Greg
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
ok guys.. since this has been hijacked to be a thread regarding passwds.. why don't you relabel the topic...

On Sat, Dec 21, 2013 at 9:06 PM, Greg Woods wo...@ucar.edu wrote:
> On Sat, 2013-12-21 at 10:22 +, Patrick O'Callaghan wrote:
>> Keepass and friends are worthy alternatives, but AFAIK they aren't usable from phones.
>
> I use Keepassdroid on an Android phone and it works just fine. It's a bit clunkier than on a desktop, but then, isn't everything? I manually download the database from Dropbox (only necessary if anything has changed), then Keepassdroid works just fine. Pasting the password after you've copied it to the clipboard is a long press.
>
> --Greg
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
Allegedly, on or about 19 December 2013, Greg Woods sent:
> it is very risky to use the same password at multiple locations, even if it is an easy-to-remember but hard-to-guess password.

It definitely is, and I've seen the results, even on the more benign side of things.

e.g. A fool uses some webservice that asks you to log in with your hotmail username and password, so they do, despite the fact that this webservice is not hotmail. It logs into hotmail, pretending to be them, and does things, such as: Spamming every address they find in their account, as if the hacked person was writing them a message. If somewhere along the way, they find the fool has other internet accounts (e.g. yahoo), it'll try logging into them using the same password.

So, the fool with one password, lets someone into all their email accounts, their paypal account, their bank...

I can't remember if it were two or three people I know who've been done like a dinner, that way. If I know a few, there's got to be thousands more.

It's only slightly mitigated by webservices having different password constraints. e.g. As a simplistic example of that, some will stupidly say you can only have a six letter password, others will insist it must be more than eight letters. So a fool can't use the same password for everything, sometimes...

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments.
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
Have you seen this one? Only for RHEL5 so a bit out of date but much of it will still apply.

http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

On Thu, Dec 19, 2013 at 3:05 AM, bruce badoug...@gmail.com wrote:
> Hey guys. - subject says it all!!
>
> For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here.
>
> Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process..
>
> thanks
>
> 'ppreciate it!!
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, Dec 20, 2013 at 8:05 AM, Tim ignored_mail...@yahoo.com.au wrote:
> e.g. A fool uses some webservice that asks you to log in with your hotmail username and password, so they do, despite the fact that this webservice is not hotmail.

Not quite what you're saying but tangentially related: many web sites are confusing to the naive user. They ask you to register using your email address and a password, without making it clear that they don't mean the password for the email account. I'm sure more than a few people have been caught by that. It doesn't mean the website is malicious, but now the attack front on the password has been expanded.

poc
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/20/2013 09:24 PM, Patrick O'Callaghan wrote:
> On Fri, Dec 20, 2013 at 8:05 AM, Tim ignored_mail...@yahoo.com.au wrote:
>> e.g. A fool uses some webservice that asks you to log in with your hotmail username and password, so they do, despite the fact that this webservice is not hotmail.
>
> Not quite what you're saying but tangentially related: many web sites are confusing to the naive user. They ask you to register using your email address and a password, without making it clear that they don't mean the password for the email account. I'm sure more than a few people have been caught by that. It doesn't mean the website is malicious, but now the attack front on the password has been expanded.
>
> poc

I've noticed that they prefer/require email address as user name to reduce the instance of simplistic user names while remaining memorable. There's nothing to stop one using a fictitious email address as a user name provided one remembers it when needed. qwert...@qwe.bv once worked for me along with similarly stupid trials.
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, Dec 20, 2013 at 10:40 AM, Roger are...@bigpond.com wrote:
> On 12/20/2013 09:24 PM, Patrick O'Callaghan wrote:
>> On Fri, Dec 20, 2013 at 8:05 AM, Tim ignored_mail...@yahoo.com.au wrote:
>>> e.g. A fool uses some webservice that asks you to log in with your hotmail username and password, so they do, despite the fact that this webservice is not hotmail.
>>
>> Not quite what you're saying but tangentially related: many web sites are confusing to the naive user. They ask you to register using your email address and a password, without making it clear that they don't mean the password for the email account. I'm sure more than a few people have been caught by that. It doesn't mean the website is malicious, but now the attack front on the password has been expanded.
>>
>> poc
>
> I've noticed that they prefer/require email address as user name to reduce the instance of simplistic user names while remaining memorable. There's nothing to stop one using a fictitious email address as a user name provided one remembers it when needed. qwert...@qwe.bv once worked for me along with similarly stupid trials.

Except when they actually want the real address to confirm the registration, which is quite common. In any case, the point I was making is that the password should be different, something which may not be clear to every user.

poc
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, 2013-12-20 at 18:35 +1030, Tim wrote:
> Allegedly, on or about 19 December 2013, Greg Woods sent:
>> it is very risky to use the same password at multiple locations, even if it is an easy-to-remember but hard-to-guess password.
>
> It definitely is, and I've seen the results, even on the more benign side of things.

The eventual point of this is that there is really no such thing as a hard-to-guess and easy-to-remember password. It's one thing to have a password like purplepolkadotsonmydog, but another to remember whether that password was for Amazon, Newegg, Kaiser, list of 100 other web sites.

I can and do use a very small number of hard-to-guess, easy-to-remember passwords for places where using the password safe is not practical (e.g. the initial login to my personal machines, the password for the safe, the password for Dropbox). But for anyone who does a lot of stuff online, and therefore interacts with a large number of sites that use a password for authentication, you need a password safe.

--Greg
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
Allegedly, on or about 20 December 2013, Greg Woods sent:
> The eventual point of this is that there is really no such thing as a hard-to-guess and easy-to-remember password. It's one thing to have a password like purplepolkadotsonmydog, but another to remember whether that password was for Amazon, Newegg, Kaiser, list of 100 other web sites.
>
> I can and do use a very small number of hard-to-guess, easy-to-remember passwords for places where using the password safe is not practical (e.g. the initial login to my personal machines, the password for the safe, the password for Dropbox). But for anyone who does a lot of stuff online, and therefore interacts with a large number of sites that use a password for authentication, you need a password safe.

It gets worse if you use multiple computers. It's a nightmare trying to do something that's accessible on all, and secure. Whether that be letting applications remember passwords, and I'm severely pissed with browsers that can't remember passwords because some *utterly* *unimportant* site thinks they should block your browser from doing so (though I don't object to a bank site doing that), or having a special password safe application. I can remember but a few passwords off the top of my head.

Smartarse passwords can bite you on the bum. I had to phone up a service and tell them a password for access. Previously, their system had given me a lot of grief, so I had set a password that stated what I thought of them. ;-)
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, Dec 20, 2013 at 5:06 PM, Tim ignored_mail...@yahoo.com.au wrote:
> It gets worse if you use multiple computers. It's a nightmare trying to do something that's accessible on all, and secure. Whether that be letting applications remember passwords, and I'm severely pissed with browsers that can't remember passwords because some *utterly* *unimportant* site thinks they should block your browser from doing so (though I don't object to a bank site doing that), or having a special password safe application. I can remember but a few passwords off the top of my head.

Online password managers such as Lastpass or Dasher are a way round this, and also can generate complex random passwords for you that you don't have to remember. Of course you then have to trust them to work properly, but as their entire business depends on them getting it right and the data they store is encrypted and decrypted locally using a single key known only to you, it seems to be a reasonable compromise. Unfortunately they tend to be closed-source.

poc
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
2013/12/20 Patrick O'Callaghan pocallag...@gmail.com
> On Fri, Dec 20, 2013 at 5:06 PM, Tim ignored_mail...@yahoo.com.au wrote:
>> It gets worse if you use multiple computers. It's a nightmare trying to do something that's accessible on all, and secure. Whether that be letting applications remember passwords, and I'm severely pissed with browsers that can't remember passwords because some *utterly* *unimportant* site thinks they should block your browser from doing so (though I don't object to a bank site doing that), or having a special password safe application. I can remember but a few passwords off the top of my head.
>
> Online password managers such as Lastpass or Dasher are a way round this, and also can generate complex random passwords for you that you don't have to remember. Of course you then have to trust them to work properly, but as their entire business depends on them getting it right and the data they store is encrypted and decrypted locally using a single key known only to you, it seems to be a reasonable compromise. Unfortunately they tend to be closed-source.
>
> poc

I use keepassx. It's a good application for this.
https://admin.fedoraproject.org/pkgdb/acls/name/keepassx
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/20/2013 01:27 PM, Dennis Kaptain issued this missive:
> 2013/12/20 Patrick O'Callaghan pocallag...@gmail.com
>> On Fri, Dec 20, 2013 at 5:06 PM, Tim ignored_mail...@yahoo.com.au wrote:
>>> It gets worse if you use multiple computers. It's a nightmare trying to do something that's accessible on all, and secure. Whether that be letting applications remember passwords, and I'm severely pissed with browsers that can't remember passwords because some *utterly* *unimportant* site thinks they should block your browser from doing so (though I don't object to a bank site doing that), or having a special password safe application. I can remember but a few passwords off the top of my head.
>>
>> Online password managers such as Lastpass or Dasher are a way round this, and also can generate complex random passwords for you that you don't have to remember. Of course you then have to trust them to work properly, but as their entire business depends on them getting it right and the data they store is encrypted and decrypted locally using a single key known only to you, it seems to be a reasonable compromise. Unfortunately they tend to be closed-source.
>>
>> poc
>
> I use keepassx. It's a good application for this.
> https://admin.fedoraproject.org/pkgdb/acls/name/keepassx

Seconded. I use keepassx as well. My database is on a VFAT partition on a 1G USB Flash drive I carry with me with a second copy on my Droid phone...just in case I need it.

--
Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com
AIM/Skype: therps2    ICQ: 22643734    Yahoo: origrps2

grasshopotomus: A creature that can leap to tremendous heights...
...once.
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
Allegedly, on or about 18 December 2013, Rick Stevens sent:
> 3. Make sure you enforce complex passwords and require them to be rotated at least every 90 days.

I take issue with the continually changing passwords idea.

If you get hacked, changing the password after the event is too late. And if they installed a backdoor, changing your password will be completely pointless.

If you haven't been hacked, you're just making life harder for yourself, trying to remember all these passwords. Or making things less secure, because you have to write them down.

A reasonably good password can't be guessed, or likely to be got at by a dictionary attack without attracting attention. i.e. Even if my password was simply just the word, red, how many guesses, out of all the possible words in a dictionary, would it take to guess it? You can't partially crack it, like in the movies where they show that three letters in a password have been correctly guessed, it's complete pass/fail. Trying to find the right password has just got to be detectable.

And the chances of someone guessing that my password might be purplepolkadotsonmydog are next to infinitely impossible. You'd have to guess what words, and in what order.

Of course, completely stupid passwords (password, remember, the username logon repeated as the password) might be guessed in the first few attempts, as the first attack words on the list to try.

You really need something that detects attempts to crack passwords, responds appropriately to thwart the attacks while they happen, and immediately notifies you that an attempt is happening as it happens (e.g. email to a separate system), so you know to check, and the notification isn't stored on somewhere that will be deleted during the attack.
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/19/2013 12:16 PM, Tim wrote:
> You really need something that detects attempts to crack passwords, responds appropriately to thwart the attacks while they happen, and immediately notifies you that an attempt is happening as it happens (e.g. email to a separate system), so you know to check, and the notification isn't stored on somewhere that will be deleted during the attack.

I'm kind of with you on the password rotation part. I do certainly see the need for routinely changing non-local (ie internet) passwords, but I'm not always convinced rotating internal ones make sense in every case.

I personally use fail2ban for any internet facing system that has, for instance, ssh open. It works well and I get notification of password intrusion attempts if the login fails X number of times. Personally, I have mine set to disable login permanently instead of setting a time limit, then I can re-enable when I have time.

As far as SSH goes I also have only one user account that is ssh accessible so I don't need to worry about my kids' accounts, etc.

--
Mark Haney
Network Administrator/IT Support
Practichem
W:919-714-8428
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
If you have not installed it, install denyhosts...it watches for ssh password attacks and locks out hosts automatically. It does limit the number of attempts someone gets before being completely locked out.

On Thu, Dec 19, 2013 at 11:22 AM, Mark Haney mha...@practichem.com wrote:
> On 12/19/2013 12:16 PM, Tim wrote:
>> You really need something that detects attempts to crack passwords, responds appropriately to thwart the attacks while they happen, and immediately notifies you that an attempt is happening as it happens (e.g. email to a separate system), so you know to check, and the notification isn't stored on somewhere that will be deleted during the attack.
>
> I'm kind of with you on the password rotation part. I do certainly see the need for routinely changing non-local (ie internet) passwords, but I'm not always convinced rotating internal ones make sense in every case.
>
> I personally use fail2ban for any internet facing system that has, for instance, ssh open. It works well and I get notification of password intrusion attempts if the login fails X number of times. Personally, I have mine set to disable login permanently instead of setting a time limit, then I can re-enable when I have time.
>
> As far as SSH goes I also have only one user account that is ssh accessible so I don't need to worry about my kids' accounts, etc.
>
> --
> Mark Haney
> Network Administrator/IT Support
> Practichem
> W:919-714-8428
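
What the fail2ban and denyhosts messages above describe comes down to counting failed sshd password logins per source address and acting once a threshold is crossed. The script below is an added example, not code from either tool or from anyone in the thread; the log lines are constructed and the function names are made up for illustration. It reads the address from the fixed tail of each line because the user name in the middle of the line is chosen by the client.

```shell
#!/bin/sh
# Added example: threshold detection of failed SSH password logins.
# sample_log, failed_by_source and offenders are hypothetical names; the log
# lines are constructed (documentation address ranges) in the usual sshd format.

sample_log() {
    cat <<'EOF'
Dec 19 12:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 19 12:00:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Dec 19 12:00:05 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Dec 19 12:00:09 gw sshd[2110]: Failed password for invalid user x from 198.51.100.9 port 1 ssh2 from 203.0.113.7 port 40140 ssh2
Dec 19 12:01:00 gw sshd[2120]: Failed password for alice from 192.0.2.44 port 51515 ssh2
Dec 19 12:01:30 gw sshd[2122]: Accepted password for alice from 192.0.2.44 port 51520 ssh2
EOF
}

# Read auth-log lines on stdin; print "address count" for every source with
# at least $1 failed password attempts.
failed_by_source() {
    awk -v max="$1" '
        # Match on the fixed tail "from ADDR port N ssh2". The user name
        # earlier in the line is client-supplied, so text inside it that
        # looks like a source address (fourth sample line) is ignored.
        / sshd\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            fails[$(NF-3)]++
        }
        END {
            for (addr in fails)
                if (fails[addr] >= max) print addr, fails[addr]
        }
    ' | sort
}

# Addresses only, one per line: the list a ban action or an alert mail
# to a separate machine would be built from.
offenders() {
    failed_by_source "$1" | cut -d' ' -f1
}

# Demonstration on the constructed log with a threshold of three failures.
sample_log | failed_by_source 3
```
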
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/19/2013 12:44 PM, Roger Heflin wrote:
> If you have not installed it, install denyhosts...it watches for ssh password attacks and locks out hosts automatically.

Yes, denyhosts is also a good package and one I've forgotten about. Thanks for the reminder of that one. After 4 years away from IT, I don't always recall things I've used before.

--
Mark Haney
Network Administrator/IT Support
Practichem
W:919-714-8428
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/18/2013 11:05 AM, bruce wrote:
> Hey guys. - subject says it all!!
>
> For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here.
>
> Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process..
>
> thanks
>
> 'ppreciate it!!

Take a look at OSSEC. I have it on all my internet-accessible servers.

--
-- Steve
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Thu, Dec 19, 2013 at 5:16 PM, Tim ignored_mail...@yahoo.com.au wrote:

If you get hacked, changing the password after the event is too late. And if they installed a backdoor, changing your password will be completely pointless. If you haven't been hacked, you're just making life harder for yourself, trying to remember all these passwords. Or making things less secure, because you have to write them down.

Correct. There was a paper published a while back (I wish I could find a reference, but my google-fu is failing me right now) that showed enforcing strong passwords and frequent changes reduced overall security, among other reasons because users tended to write them down rather than remember them.

Also, in this situation, changing passwords at all on the system is madness. The only sane option is a complete reinstall (yes, using different passwords). You don't know what the intruder has left on your system. A fresh OS install and a scan of your data for hidden nastiness is needed.

Tet

-- Java is a DSL for taking large XML files and converting them to stack traces -- Bulat Shakirzyanov
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
guys..

The project that the corrupt system is going to be driving will create a distributed network of systems, where the edge systems, are tied back into the central server(s). Think of the BOINC/SETI project, where you have a bunch of edge systems doing work and communicating back to the master system/process.

The project was looking to use secure SSH in a manner, where there are public/private keys for the master/child servers(services) can communicate with each other over the specified encrypted ports/tunnels.

However, it occurs to me that if one of the master/child servers is hacked, then the person doing the hacking could get into the connected server via the SSH key/process.

Comments/thoughts on options that can be considered viable/secure for the process of remotely accessing machines, that would allow for auto/programmatic connection/xfer of data?

thanks

On Thu, Dec 19, 2013 at 1:04 PM, Steven Stern subscribed-li...@sterndata.com wrote:

On 12/18/2013 11:05 AM, bruce wrote:

Hey guys. - subject says it all!! For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here. Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process.. thanks 'ppreciate it!!

Take a look at OSSEC. I have it on all my internet-accessible servers.

-- Steve
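One way to limit what an automation key can do on the machine that accepts it, as an added example that is not part of the thread: the key is tied to a forced command that permits two fixed operations and refuses everything else. The script path, the `/opt/edge/bin` programs, the two command names, and the address are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command gate for a key that
# exists only for automated child -> master transfers.
#
# Assumed authorized_keys entry on the master, one line, key elided:
#   command="/usr/local/bin/edge-gate",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <child-public-key> child01
#
# With that entry sshd runs this script for every login with the key and
# passes the command the client asked for in SSH_ORIGINAL_COMMAND.

BIN=/opt/edge/bin   # hypothetical directory holding the two permitted programs

# gate REQUEST : print the vetted command line and return 0, or return 1.
gate() {
    req=$1
    set -f            # no globbing while the request is split into words
    set -- $req       # split on blanks only; nothing in $req is evaluated
    set +f
    case ${1:-} in
        fetch-work)                       # takes no arguments
            [ $# -eq 1 ] || return 1
            echo "$BIN/fetch-work" ;;
        submit-result)                    # takes one numeric job id
            [ $# -eq 2 ] || return 1
            case $2 in ''|*[!0-9]*) return 1 ;; esac
            echo "$BIN/submit-result $2" ;;
        *)  return 1 ;;                   # shells, scp, anything else
    esac
}

run_gate() {
    vetted=$(gate "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "edge-gate: request refused" >&2
        return 1
    }
    set -f; set -- $vetted; set +f
    exec "$@"
}

# Only act when sshd started this script for a connection.
if [ -n "${SSH_CONNECTION:-}" ]; then run_gate; fi
```

A stolen child key can still call the two permitted programs, so those programs have to validate their own input as well.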
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Friday 20 of December 2013 03:46:13 Tim wrote:

Allegedly, on or about 18 December 2013, Rick Stevens sent:

3. Make sure you enforce complex passwords and require them to be rotated at least every 90 days.

I take issue with the continually changing passwords idea.

using rotated passwords for ssh login is painful for human brain :) disabling passwd-auth and using ssh-key protected with single strong password is better for brain and security.

for reducing services load and flood in /var/log/secure i suggest cut-off ipset rules based on ipdeny/dot/com and sshbl/org.

BR, Paweł.

-- gpg key fingerprint = 60B4 9886 AD53 EB3E 88BB 1EB5 C52E D01B 683B 9411
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On Fri, 2013-12-20 at 03:46 +1030, Tim wrote:

Allegedly, on or about 18 December 2013, Rick Stevens sent:

3. Make sure you enforce complex passwords and require them to be rotated at least every 90 days.

I take issue with the continually changing passwords idea.

I agree with you on this one. There was a white paper I read (wish I still had the link to it) where they demonstrated that some security measures are actually more expensive than dealing with a break-in. The basic theory was a small-to-medium cost, when incurred by thousands of users, is higher than the high cost of dealing with the average compromise. I think changing passwords is up there on that list. It's a huge hassle (we're required to do this at work), and several thousand users have to go through it every six months. I don't think that is a good use of security resources.

But the security people will argue that bad guys can get a hold of a password and not use it for months, which increases their odds of evading detection. Or they get encrypted passwords and decrypt them offline, using computing resources they've stolen from others (PC's in botnets, etc.). So it may take a long time to guess your 15-character password this way, but they've got forever if you never change your password. So it's hard to come up with numbers to back up my belief.

That said, I also think it is very risky to use the same password at multiple locations, even if it is an easy-to-remember but hard-to-guess password. The reason is that if any one of those locations is compromised, the bad guys now have access to your accounts at all these other places that have *not* been hacked. It is very important to use different passwords at every place you do business. Yes, that means you have to write them down, so you write them down in a secure way, by using a password safe (I like Keepassx on Linux, it's packaged in Fedora, and there are versions of Keepass for Windows, MacOS, Android and iOS as well). The safe is strongly encrypted, so you can store it on insecure but easy-to-access locations like Dropbox (even so, I do not keep my banking password in Keepass/Dropbox, that is one of the very few that is stored nowhere but in my head). This allows me to use a password like K8_jBh6ewq,5 (no, silly people, that is NOT any of my actual passwords :-)

Then there is one critical password that you have to memorize, which is the one to open the Keepass safe. My wife and I store our Keepass passwords in each other's safe, to guard against somehow forgetting it. That password is never used except on our own personal machines (I would argue that if someone has compromised your personal machine, the game is already over; there are many ways they can use that to get access to your accounts).

You really need something that detects attempt to crack passwords

Very few passwords are actually cracked by brute force on your machine. They are almost always obtained by compromising a server where (hopefully encrypted) passwords are stored, and then brute force cracking them offline, where you could not detect the attempt. Or just use the access to the server to capture the passwords used on that server (also undetectable by the end user). Another common attack lately is to use stolen certs to run a man-in-the-middle against https sessions (the security of many of the certificate authorities is atrocious, there have been many well-publicized compromises). So if you're like me and access hundreds of password-protected web sites, you want to use a different password for every one of them.

--Greg
hacked - looking for doc/suggestions on hardening/securing systems from the start
Hey guys. - subject says it all!! For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here. Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process.. thanks 'ppreciate it!!
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
As it is not common to be hacked on linux, and linux is really strong after install, perhaps you could specify a little under what conditions you were hacked. Was a physical intrusion? communicational? software? a web page? an open service or port? an injection? stolen passwd?

Normally, hacking a linux box is the result of an inconscious administrator, sorry. If the information you have is sensitive, -has some cost- you need to invest proportionally to it on security -hardening software, hardware, physical access.. etc.- Most persons on this list know enough to protect information to a certain level, but if you want to protect very expensive information, you should invest -as I said, proportionally- on a specialist. If not, google is enough. Hope you find the solution...

R

bruce badoug...@gmail.com wrote:

Hey guys. - subject says it all!! For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here. Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process.. thanks 'ppreciate it!!

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
On 12/18/2013 09:05 AM, bruce issued this missive:

Hey guys. - subject says it all!! For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here. Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process..

Depends on how hardened you want the machines. There are a raft of options, some of the more simple:

1. Use a VPN to get at the machines from the outside world.
1a. As part of 1. above, set up the firewalls (both external and iptables) to not allow ANY externally initiated connections except for those from the VPN--and even then restrict those as much as possible (e.g. only allow ssh access).
2. Disable any service you do not need.
3. Make sure you enforce complex passwords and require them to be rotated at least every 90 days.
4. Disable ssh root logins and enforce sudo options.
5. Use something like tripwire on a freshly installed machine to watch for non-standard software being installed.
6. Use tools like rkhunter and clamscan to look for virii.
7. Enable and use SELinux and its tools or use a hardened kernel such as grsec.

There are tons more of those sorts of things. A good set of guidelines are the PCI compliance standards. Those are the standards a company must meet (and must be audited annually by an external agency) to be permitted to process credit card transactions online.

One of our subsidiaries is fully PCI-compliant as they do process credit card data. The rest of the company is PCI-compliant as far as network access and system updating is concerned. Our main business precludes being fully compliant but we implement as many of those standards as we can.

As the old saying goes: I may be paranoid, but that doesn't mean they AREN'T out to get me!

-- Rick Stevens, Systems Engineer, AllDigital ri...@alldigital.com
AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2
Never try to outstubborn a cat.
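A check for two sshd settings recommended in this thread (item 4 above, no ssh root logins, and Paweł's advice to disable password authentication), as an added example that is not part of any message. The sample configuration is constructed and the function names are assumptions; the check treats a keyword that is not set explicitly as a finding.

```shell
#!/bin/sh
# Added example (not from the thread): report the value sshd takes from the
# global section of an sshd_config for two keywords.

# Constructed sample. The admin appended "PermitRootLogin no" at the bottom,
# but sshd uses the first value it reads for a keyword.
sample_config() {
cat <<'EOF'
Port 22
permitrootlogin yes
#PasswordAuthentication no
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF
}

# effective KEYWORD < sshd_config : prints the global value or "unset".
effective() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            key = tolower(substr(line, 1, RLENGTH)) # keywords ignore case
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)        # blanks and/or one "="
            if (key == "match") exit                # conditional blocks follow
            if (key == want) {                      # first occurrence wins
                split(rest, f, /[ \t]+/); gsub(/"/, "", f[1])
                val = tolower(f[1]); exit
            }
        }
        END { print val }
    '
}

# audit < sshd_config : one line per finding, returns 1 if there are any.
audit() {
    cfg=$(cat); rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(printf '%s\n' "$cfg" | effective "$kw")
        [ "$v" = no ] || { echo "$kw is '$v', want 'no'"; rc=1; }
    done
    return $rc
}

sample_config | audit || true
```

On a running host, `sshd -T` prints the configuration the daemon actually uses, which also covers compiled-in defaults that a file check cannot see.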
Re: hacked - looking for doc/suggestions on hardening/securing systems from the start
Common rootkits that exploit weaknesses of old systems. I'd say it's enough to keep updated systems. If you want some more hardening, close opened ports, use a firewall or iptables, create a DMZ, use strong passwords, disable unneeded services.

Re-included the list. There are people who read the threads. Sorry for the top-posting, I started :(

Merry Christmas.

On Wed, 2013-12-18 at 12:50 -0500, bruce wrote:

Hey Rodolfo. That's just it, I have no idea how it was hacked.. it might have been a security hole in the older FC I was using... the rootkits are cb Rootkit, SHV4 Rootkit, SHV5 Rootkit, Lite5-r Rootkit

On Wed, Dec 18, 2013 at 12:45 PM, Rodolfo Alcazar Portillo nosp...@gmail.com wrote:

As it is not common to be hacked on linux, and linux is really strong after install, perhaps you could specify a little under what conditions you were hacked. Was a physical intrusion? communicational? software? a web page? an open service or port? an injection? stolen passwd?

Normally, hacking a linux box is the result of an inconscious administrator, sorry. If the information you have is sensitive, -has some cost- you need to invest proportionally to it on security -hardening software, hardware, physical access.. etc.- Most persons on this list know enough to protect information to a certain level, but if you want to protect very expensive information, you should invest -as I said, proportionally- on a specialist. If not, google is enough. Hope you find the solution...

R

bruce badoug...@gmail.com wrote:

Hey guys. - subject says it all!! For a basic centos/fedora install. Need to have pointers/docs/suggestions/solid steps to actually harden/secure a system. I've looked at a bunch of different articles/sites, so I'm also turning here. Also, are there any good (i know) security lists/resources (people) I could talk to about remotely hiring for this process.. thanks 'ppreciate it!!

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- Rodolfo Alcazar Portillo - rodolf...@gmail.com otbits.blogspot.com / counter.li.org: #367962