
Protect SSH
Someone may have my root password from a keylogger, so even after
changing the password from another place I would like to make my ssh
connection REALLY secure. I already thought about changing the port from
22 to something like 8080, but I would like to do something like a
"trigger" so that if I connect to some port then sshd is started... any
ideas???

--
Luis Diaz - Obsessive about projects! :oP
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thu, 31 Mar 2005, Luis Diaz wrote:

> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

Port knocking.

http://www.portknocking.org/


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
The concept of watching a port or ports for connections or combination
of connections has been implemented in Port Knocking. You can read all
about it here:
http://www.portknocking.org

Brian

On Thu, 2005-03-31 at 11:42, dan wrote:

> You could write a script to listen for mail messages so that
> start@example.com will start up the sshd and stop@example.com will
> stop the sshd. Or even something along the lines of ssh@example.com
> "Subject start" and ... you get the idea.
>
> later,
> dan
>
>
>
> On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> > Some one may have my root password using a keylogger, so even after
> > change the password from other place i would like to make REALLY
> > secure my ssh connection, i already thinked on changing the port from
> > 22 to something like 8080, but i would like to do something like a
> > "trigger" so if a connect to some port then sshd is started...any
> > ideas???
> >
> > --
> > Luis Diaz - Obsessive about projects! :oP
> > --
> > gentoo-security@gentoo.org mailing list
> >
> >
> --
> gentoo-security@gentoo.org mailing list
>
>
Re: Protect SSH [ In reply to ]
You could write a script to listen for mail messages so that
start@example.com will start up the sshd and stop@example.com will
stop the sshd. Or even something along the lines of ssh@example.com
"Subject start" and ... you get the idea.

later,
dan



On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
> --
> Luis Diaz - Obsessive about projects! :oP
> --
> gentoo-security@gentoo.org mailing list
>
>
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Luis Diaz wrote:

>Some one may have my root password using a keylogger, so even after
>change the password from other place i would like to make REALLY
>secure my ssh connection, i already thinked on changing the port from
>22 to something like 8080, but i would like to do something like a
>"trigger" so if a connect to some port then sshd is started...any
>ideas???
>
>
>
See http://www.portknocking.org
That is exactly what you are looking for.
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Try something like port knocking. Do a google search on the term and you
will find several articles.

On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Check out port knocking, for that extra layer :-)
http://gentoo-wiki.com/HOWTO_Port_Knocking


Luis Diaz wrote:

>Some one may have my root password using a keylogger, so even after
>change the password from other place i would like to make REALLY
>secure my ssh connection, i already thinked on changing the port from
>22 to something like 8080, but i would like to do something like a
>"trigger" so if a connect to some port then sshd is started...any
>ideas???
>
>
>

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

Google for "port knocking"...it basically allows you to specify a set
sequence of ports that you need to hit in a certain order before ssh
will accept connections.
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

www.portknocking.org

HTH

--
trepo

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thursday 31 March 2005 11:32 am, Luis Diaz wrote:
> i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

`emerge knock`
-mike
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thursday, 31 March 2005 18:32, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

Some time ago I had a .procmailrc and some scripts running to trigger specific
actions on receipt of a mail with a distinct subject line. The actions were
encoded inside the mail in a sort of modified shell script.

In the end I used the mechanism a few times, mostly to be glad at having such an
"intelligent" moloch, and then left it in the dark of some hard disk ;-)

Kind regards - Eckard

--
gentoo-security@gentoo.org mailing list
Re: SPAM:: Protect SSH [ In reply to ]
Sounds like you want to implement "Port Knocking"...
http://www.portknocking.org/
http://www.linuxjournal.com/article/6811

Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
--
gentoo-security@gentoo.org mailing list
RE: Protect SSH [ In reply to ]
Moving sshd to another port is helpful but I would also disable
interactive login (passwd) and rely on certificates secured with
passphrases. As far as port knocking, this is relatively well
documented with numerous solutions. Hell someone's even created a site
dedicated to it. http://www.portknocking.org/

http://cryptknock.sourceforge.net/

-jeff

-----Original Message-----
From: Luis Diaz [mailto:diazluis@gmail.com]
Sent: Thursday, March 31, 2005 11:32 AM
To: gentoo-security@robin.gentoo.org
Subject: [gentoo-security] Protect SSH

Someone may have my root password from a keylogger, so even after
changing the password from another place I would like to make my ssh
connection REALLY secure. I already thought about changing the port from
22 to something like 8080, but I would like to do something like a
"trigger" so that if I connect to some port then sshd is started... any
ideas???

--
Luis Diaz - Obsessive about projects! :oP
--
gentoo-security@gentoo.org mailing list


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thursday 31 March 2005 18:32, Luis Diaz wrote:

> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

This technique is called "port knocking" (dynamic opening of filtered ports
based on tcp port-knocking-sequences)

Just have a look at http://portknocking.org/view/implementations
Maybe this is what you're looking for...

cu,
Helmut

--
Helmut Wuensch, Dompfaffstr. 140, 91056 Erlangen
PGP/GPG public key available at http://www.helmut-wuensch.de
fingerprint: 20B7 519F 8912 4606 F516 FF2D 417E EF82 5C9E 235A
Re: Protect SSH [ In reply to ]
On 31.03.2005, at 18:32, Luis Diaz wrote:
> Some one may have my root password using a keylogger,
I'm not familiar with those things. But if someone is able to install a
keylogger on your machine, he may have installed rootkits too.

> i already thinked on changing the port from 22 to something like 8080
imho, that's "security through obscurity" and a waste of time.

Disabling password and root logins and therefore using public-key
authentication should be one of the easiest ideas.
--
Daniel Martin

--
gentoo-security@gentoo.org mailing list
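As an added example (not code from the thread, and not OpenSSH's own), the advice in this reply and in Jeff's and Uwe's replies turned into a small check that can be run against an sshd_config: it parses the file with sshd's first-value-wins rule and reports password authentication, root login, or public-key authentication left in a state that would let a keylogged root password be used. The two config texts are constructed samples; the directive names are real sshd_config keywords, while the set of values accepted for PermitRootLogin is my choice.

```python
"""Audit an sshd_config for the hardening recommended in the thread:
no password authentication, no root logins, public keys only.
Added example, not code from the thread; both config texts are constructed.

sshd_config syntax: one 'Keyword value' (or 'Keyword=value') per line,
'#' lines are comments, keywords are case-insensitive, and sshd uses the
FIRST value it sees for a keyword, so a later duplicate cannot re-enable
passwords. Directives after a 'Match' line apply only to matching
connections, so they are not judged here.
"""
import re

# Keyword (lower-cased) -> values accepted as hardened.
# 'without-password' / 'prohibit-password' keep key-based root logins only.
WANTED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}

# 'Keyword value' or 'Keyword=value'
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} honouring sshd's first-value-wins rule."""
    settings = {}
    in_match_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match_block = True   # everything below belongs to the Match block
            continue
        if not in_match_block:
            settings.setdefault(key, value)   # keep the first value only
    return settings


def audit(text):
    """Return a sorted list of findings; an empty list means hardened."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok_values in WANTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif value.lower() not in ok_values:
            findings.append(f"{key}: '{value}' is weak (want one of {sorted(ok_values)})")
    return sorted(findings)


# Constructed: a stock-looking config on which a keylogged root password
# still works.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed: the same host after the thread's advice. The trailing
# duplicate shows the first-value rule: it does not re-enable passwords.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

The check reports a missing directive rather than assuming a default, because the defaults have changed between OpenSSH releases; a hardened file states each of the three explicitly.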
Re: Protect SSH [ In reply to ]
On Thursday 31 March 2005 18:32 CET Luis Diaz wrote:
> [...] i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???

http://www.portknocking.org/

Cheers,
Malte
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
"Port knocking" is bad, very, very bad (as long as it's implemented on the
same box that's running sshd, that is). There is no extra layer. "Port
knocking" at first looks like an additional layer of protection before
one gets to SSH, but that's only when everything works right. When
things go wrong, i.e. if the (root)exploit is in the "port knocking"
daemon itself, well then ... game over, owned. The bad guys are in - on
just one layer; an entryway into your system that didn't even exist
previously. (Note that the "port knocking" usually adjusts filter rules,
that's typically a root level task.)

I'd think about bastion hosts and tcpwrapping ... my 2 cents.

--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
Re: Protect SSH [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Martin wrote:

>
> Disabling password and root-logins and therefor using a public-key
> authentication should be one of the easiest ideas.

In most cases this is probably true. But what if you use OTP to login
to your server from a non-trustable box? Will you then use sudo and
have all your efforts gone in case of a keylogger on the potentially
affected machine? So I prefer disabling passwords and using skey, leaving
root login enabled. I have hundreds of ssh attempts per day and, just
in case my paranoia is not satisfied enough, a trigger in the database
logs (PostgreSQL) would send me an SMS if someone succeeded from an
unauthorized IP.

My 0.2 ¤

- --
Christophe Garault
Take your marks:
Gen too three: Emerge!


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCTDolJ5Nh3YMYAQsRAuMpAJwLu49zzQKUcmYwXi1NYiJvvWbYdwCfWneZ
pPLXF/i7vmCzEjbY6DvZnS4=
=EeTy
-----END PGP SIGNATURE-----


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On 2005-03-31 (Thursday) at 13.32, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>

Use a smartcard / USB token. If it is in your pocket, nobody can use your
account. You can get one for about 30 euros.

--
Regards:
Jo-Hans

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Why are you not using key pairs and disallowing root access to ssh?

/Uwe

Luis Diaz wrote:

>Some one may have my root password using a keylogger, so even after
>change the password from other place i would like to make REALLY
>secure my ssh connection, i already thinked on changing the port from
>22 to something like 8080, but i would like to do something like a
>"trigger" so if a connect to some port then sshd is started...any
>ideas???
>
>
>
Re: Protect SSH [ In reply to ]
On Thursday 31 March 2005 19:49, Andreas Waschbuesch wrote:

> one gets to SSH, but that's only when everything works right. When
> things go wrong, i.e. if the (root)exploit is in the "port knocking"
> daemon itself, well then ... game over, owned.

True, but why do we have to use a port-knock daemon with root privileges?

One could just set up a firewall (iptables, for example) with some LOG-target
rules, and a non-root Perl script parses these log entries.
If there is a specific signature in the log file, the script could start an
ssh service on a high port, so there would not be much need for
root privileges....

btw, never tested it. Only a kind of thought experiment :)

> I'd think about bastion hosts and tcpwrapping ... my 2 cents.

Very recommended, of course!


cu,
Helmut

--
Helmut Wuensch, Dompfaffstr. 140, 91056 Erlangen
PGP/GPG public key available at http://www.helmut-wuensch.de
fingerprint: 20B7 519F 8912 4606 F516 FF2D 417E EF82 5C9E 235A
Re: Protect SSH [ In reply to ]
On Thu, 2005-03-31 at 20:35 +0200, Helmut Wuensch wrote:
> One could just setup a (for example iptables-) firewall with some LOG-targets
> rules, and a non-root perl-skript parses this logentries.
> If there is a specific signature in the logfile, the script could start a
> ssh-service on a high-port, so there will be no much need of
> root-privileges....

In that scheme, you have to be root to start sshd. Somewhere you will
have to gain privileges. Even if you can get around that, it still
smacks of security through obscurity.

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Another question under same topic.

Is it possible to automatically add hosts that try to login as root to
hosts.deny? If so, how? And also, how would I get that to happen for
everyone who fails to login after a certain number of tries?

Thanks.


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
I got rootkited in the last few days, and had the same problem.
I don't see any ebuild for that.
Maybe someone knows a place where I can find that?

Beber

Brian Micek wrote:
> The concept of watching a port or ports for connections or combination
> of connections has been implemented in Port Knocking. You can read all
> about it here:
> http://www.portknocking.org
>
> Brian
>
> On Thu, 2005-03-31 at 11:42, dan wrote:
>
>>You could write a script to listen for mail messages so that
>>start@example.com will start up the sshd and stop@example.com will
>>stop the sshd. Or even something along the lines of ssh@example.com
>>"Subject start" and ... you get the idea.
>>
>>later,
>>dan
>>
>>
>>
>>On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
>>> Some one may have my root password using a keylogger, so even after
>>> change the password from other place i would like to make REALLY
>>> secure my ssh connection, i already thinked on changing the port from
>>> 22 to something like 8080, but i would like to do something like a
>>> "trigger" so if a connect to some port then sshd is started...any
>>> ideas???
>>>
>>> --
>>> Luis Diaz - Obsessive about projects! :oP
>>> --
>>> gentoo-security@gentoo.org mailing list
>>>
>>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
I take it it's a remote attack? If you must leave ssh open, use some
iptables rules to restrict the address space to only those machines that
need to access the port. If you have some inkling of where they might
be coming from, blackhole all in/out traffic to that address/range of
addresses.

BillK


On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
--
William Kenworthy <billk@iinet.net.au>
Home!

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
One word: knockd

"knockd is a port-knock server. It listens to all traffic on an
ethernet (or PPP) interface, looking for special "knock" sequences of
port-hits. A client makes these port-hits by sending a TCP (or UDP)
packet to a port on the server. This port need not be open -- since
knockd listens at the link-layer level, it sees all traffic even if
it's destined for a closed port. When the server detects a specific
sequence of port-hits, it runs a command defined in its configuration
file. This can be used to open up holes in a firewall for quick
access. "

It's awesome.


On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Some one may have my root password using a keylogger, so even after
> change the password from other place i would like to make REALLY
> secure my ssh connection, i already thinked on changing the port from
> 22 to something like 8080, but i would like to do something like a
> "trigger" so if a connect to some port then sshd is started...any
> ideas???
>
> --
> Luis Diaz - Obsessive about projects! :oP
> --
> gentoo-security@gentoo.org mailing list
>
>
--
gentoo-security@gentoo.org mailing list
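Added example, not part of the thread and not knockd's code: the sequence-of-port-hits detection the knockd description above names, done the way Helmut suggested earlier in the thread (an unprivileged script reading iptables LOG lines) rather than at the link layer. The knock sequence, the time window, the log prefix and the sample log lines are my assumptions; the SRC=/PROTO=/DPT= fields are what the iptables LOG target actually writes. It deliberately stops at "detected" and neither opens a port nor starts sshd, since, as the reply to Helmut points out, that step still needs root.

```python
"""Unprivileged port-knock detection from iptables LOG lines.
Added example, not code from the thread or from knockd.

Assumed setup: a firewall rule such as
    iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "
(the real LOG target; the prefix string is my choice) writes one line per
inbound SYN to the kernel log. The sample lines below are constructed in
that format with some fields trimmed. The detector only reads the log;
the privileged follow-up (opening the port or starting sshd) is left out.
"""
import re
from datetime import datetime

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed knock sequence
KNOCK_WINDOW = 10.0                   # seconds allowed for the whole sequence

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?KNOCK: "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line):
    """Return (seconds, src, dport) for a TCP KNOCK line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only differences matter here, so a
    # fixed epoch is fine (a year roll-over would reset the window once).
    dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    seconds = (dt - datetime(1900, 1, 1)).total_seconds()
    return seconds, m.group("src"), int(m.group("dpt"))


class KnockDetector:
    """Per-source state machine: index of the next expected port and the
    time of the first hit of the current attempt."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (next_index, start_time)

    def feed(self, ts, src, dport):
        """Record one hit; return True when src has just completed the sequence."""
        idx, start = self.progress.get(src, (0, ts))
        if idx > 0 and ts - start > self.window:
            idx = 0                        # too slow: the attempt expires
        if dport == self.sequence[idx]:
            if idx == 0:
                start = ts                 # a new attempt starts now
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, start)
        else:
            # Wrong port or wrong order: drop the attempt. A hit on the first
            # port of the sequence starts a fresh attempt right away.
            self.progress[src] = (1, ts) if dport == self.sequence[0] else (0, ts)
        return False


def knocks_completed(log_lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return the sources that completed the sequence, in order of completion."""
    detector = KnockDetector(sequence, window)
    completed = []
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if detector.feed(ts, src, dport):
            completed.append(src)
    return completed


# Constructed sample: 192.0.2.10 knocks correctly; 203.0.113.7 knocks out
# of order, then too slowly; the UDP line is ignored.
SAMPLE_LOG = """\
Mar 31 18:32:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=7000 SYN
Mar 31 18:32:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=8000 SYN
Mar 31 18:32:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=47 PROTO=TCP SPT=5555 DPT=7000 SYN
Mar 31 18:32:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=9000 SYN
Mar 31 18:32:05 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=47 PROTO=TCP SPT=5556 DPT=9000 SYN
Mar 31 18:32:06 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=47 PROTO=TCP SPT=5557 DPT=7000 SYN
Mar 31 18:32:30 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=47 PROTO=TCP SPT=5558 DPT=8000 SYN
Mar 31 18:32:31 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=47 PROTO=TCP SPT=5559 DPT=9000 SYN
Mar 31 18:32:40 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 TTL=60 PROTO=UDP SPT=6000 DPT=7000 LEN=28
"""

if __name__ == "__main__":
    print(knocks_completed(SAMPLE_LOG.splitlines()))   # ['192.0.2.10']
```

Fed from `tail -F` on the kernel log by an unprivileged user, the detector itself needs no privileges; the action it triggers is the part to keep minimal and separate, which is the point Andreas raised about the daemon's attack surface. The sequence stays secret only as long as nobody can observe the path, so this is a hurdle in front of sshd, not an authentication step.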
Re: Protect SSH [ In reply to ]
I found a script online that I hacked to loop through my /var/log/auth.log and
add entries that try to login to invalid users to hosts.deny. It works very
well but it's pretty inefficient.

It's pasted at the bottom of this email.

This is my hosts.deny file after one month:

ALL:218.232.120.92,62.193.232.172,63.246.154.78,211.157.108.19,
211.158.7.250,218.78.213.182,218.38.53.30,140.112.110.146,
218.188.2.175,210.127.244.207,218.75.119.120,165.194.84.133,
211.142.64.2,219.238.239.10,202.172.59.84,202.155.199.18,
218.104.128.213,220.95.232.60,62.193.226.4,61.129.33.252,
61.95.128.104,218.188.22.146,218.107.159.131,200.99.34.46,
219.150.171.48,203.122.231.16,221.143.48.240,61.79.228.100,
211.46.216.61,218.232.187.58,210.87.136.171,61.66.208.117,
210.114.175.122,62.193.235.47,61.31.49.130,203.232.151.249,
212.43.199.56,211.58.254.24,218.108.29.74,70.60.92.80,
67.103.15.70,203.63.40.254,221.186.133.106,210.179.155.18,
81.19.77.138,210.99.250.238,209.73.240.230,200.21.18.197,
220.95.215.148,211.115.112.90,220.130.105.9,209.25.160.46,
193.43.234.5,202.181.172.83,211.236.178.95,62.193.236.45,
206.225.82.8,221.239.127.151,218.145.226.85,210.103.67.65,
218.1.127.170,211.176.33.46,210.0.141.89,218.188.9.202,
200.225.159.88,203.236.241.148


#!/usr/bin/php
<?php
// Set up file names
$blacklist_file = '/etc/blacklist';
$secure_file = '/var/log/syslog';   // where sshd logs on this box (auth.log elsewhere)
$hosts_deny = '/etc/hosts.deny';

// Get files into arrays
$blacklist = read_into_array($blacklist_file);
$secure = read_into_array($secure_file);

// Find 'invalid user' lines and parse the IP out of them
foreach ($secure as $line) {
    // strpos() returns 0 for a match at the start of the line, so test
    // against false rather than relying on truthiness
    if (strpos($line, 'invalid user') !== false) {
        $array = explode(' from ', $line);
        if (count($array) < 2) {
            continue; // no "from <ip>" part on this line
        }
        $rest = trim($array[1]);                     // "1.2.3.4 port 1234 ssh2"
        $space = strpos($rest, ' ');
        $ip = ($space === false) ? $rest : substr($rest, 0, $space);
        if (!in_array($ip, $blacklist)) {
            $blacklist[] = $ip;
        }
    }
}

// When the blacklist file is read we get a couple of empty array elements;
// we remove them here
$final_blacklist = array();
foreach ($blacklist as $arg) {
    $arg = trim($arg);
    if (strlen($arg) >= 7) { // 7 is the minimum IP string length (1.1.1.1)
        $final_blacklist[] = $arg;
    }
}

// Rewrite the blacklist file
$black = fopen($blacklist_file, 'w');
fwrite($black, implode("\n", $final_blacklist) . "\n");
fclose($black);

// Rewrite the hosts.deny file
$deny = fopen($hosts_deny, 'w');
fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
fclose($deny);

// Reads a file into an array, one element per line
// Had problems with file()
function read_into_array($file) {
    $size = @filesize($file);
    if ($size === false || $size === 0) {
        return array(); // missing or empty file; fread() with length 0 fails
    }
    $resource = fopen($file, 'r');
    $return = explode("\n", fread($resource, $size));
    fclose($resource);
    return $return;
}

?>




On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
> Another question under same topic.
>
> Is it possible to automatically add hosts that try to login as root to
> hosts.deny? If so, how? And also how would I get that to happen on
> everyone who fail to login after certain number of tries?
>
> Thanks.
>
>
> --
> gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list
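Added example, not Phillip's script: a Python variant that answers both halves of Ilari's question, denying a source on its first root attempt and any other source after a configurable number of failures, and that merges the result into an existing hosts.deny instead of overwriting it. The sshd log lines and the hosts.deny text are constructed samples; the allow-list parameter is my addition so that a mistyped password from your own address cannot lock you out.

```python
"""Threshold-based hosts.deny updater for sshd failures.
Added example, not the script from the thread. The sample log lines are
constructed in the format OpenSSH's sshd writes to the auth log; the
hosts.deny text is constructed too. Running this for real means root (to
write /etc/hosts.deny) and an allow-list for your own addresses.
"""
import re
from collections import Counter

# One failed authentication. The user is 'invalid user X' when X does not
# exist. The separate "Invalid user X from IP" line sshd logs just before
# this one is deliberately not counted, or each attempt would count twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def offenders(log_lines, max_failures=5, allow=()):
    """Return the sorted list of IPs to deny.

    Any IP that attempted a root login is denied on its first failure;
    every other IP is denied once it reaches max_failures failures.
    Addresses in `allow` are never denied."""
    failures = Counter()
    root_attempts = set()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        failures[ip] += 1
        if m.group("user") == "root" and not m.group("invalid"):
            root_attempts.add(ip)
    deny = set(root_attempts)
    deny.update(ip for ip, n in failures.items() if n >= max_failures)
    return sorted(deny - set(allow))


def parse_hosts_deny(text, daemon="ALL"):
    """IPs already listed for `daemon` in an existing hosts.deny.
    Accepts both 'ALL: a, b' and the 'ALL:a,b' form the script above writes."""
    listed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if daemons.strip().upper() == daemon.upper():
            listed.update(c for c in re.split(r"[\s,]+", clients) if c)
    return listed


def merge_hosts_deny(existing_text, new_ips, daemon="ALL"):
    """Return the new hosts.deny text: existing lines kept verbatim, one
    '<daemon>: <ip>' rule appended per IP not already present. hosts_access(5)
    evaluates rules line by line, so one rule per address is valid."""
    already = parse_hosts_deny(existing_text, daemon)
    lines = existing_text.rstrip("\n").splitlines()
    for ip in new_ips:
        if ip not in already:
            lines.append(f"{daemon}: {ip}")
            already.add(ip)
    return "\n".join(lines) + "\n"


# Constructed sshd log excerpt: one root attempt, five failures from one
# scanner, one typo from a legitimate user, then a successful key login.
SAMPLE_AUTH_LOG = """\
Mar 31 13:40:01 srv sshd[1201]: Failed password for root from 192.0.2.50 port 4321 ssh2
Mar 31 13:40:05 srv sshd[1202]: Invalid user admin from 203.0.113.9
Mar 31 13:40:05 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 4322 ssh2
Mar 31 13:40:07 srv sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 4323 ssh2
Mar 31 13:40:09 srv sshd[1204]: Failed password for invalid user guest from 203.0.113.9 port 4324 ssh2
Mar 31 13:40:11 srv sshd[1205]: Failed password for invalid user oracle from 203.0.113.9 port 4325 ssh2
Mar 31 13:40:13 srv sshd[1206]: Failed password for invalid user www from 203.0.113.9 port 4326 ssh2
Mar 31 13:41:00 srv sshd[1210]: Failed password for luis from 198.51.100.9 port 5000 ssh2
Mar 31 13:41:20 srv sshd[1211]: Accepted publickey for luis from 198.51.100.9 port 5001 ssh2
"""

# Constructed: what is already in /etc/hosts.deny (the first IP repeats
# one of the offenders, to show the merge does not duplicate it).
EXISTING_HOSTS_DENY = "ALL:192.0.2.50,203.0.113.200\n"

if __name__ == "__main__":
    bad = offenders(SAMPLE_AUTH_LOG.splitlines(), max_failures=5)
    print(merge_hosts_deny(EXISTING_HOSTS_DENY, bad), end="")
```

Using `daemon="sshd"` instead of `ALL` limits the block to sshd, which is usually what is wanted; and because hosts.deny is consulted on every connection, the file should be rewritten atomically (write to a temporary file, then rename) rather than truncated in place as the PHP script does.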
RE: Protect SSH [ In reply to ]
Why not do what we do with our servers?

If you are logging into your server from a fixed IP, then just only allow
access to port 22 from that IP address.
Else, if you have a dynamic IP address, then only allow access from your network
range, for example: 165.165.40.0/24

Or create a "login server". For example, we have 6 internet servers, but
they only allow access to port 22 from the IP address of the login server.
This forces people to first go through the login server, then have to login
to your server.


I find doing this, we never seem to have problems with login attempts from
strange ip addresses.

-Dave-
--------------------------------------------------------------------------
-----Original Message-----
From: Phillip Berry [mailto:phillipberry@blisswebhosting.com]
Sent: 01 April 2005 04:12 AM
To: gentoo-security@robin.gentoo.org
Subject: Re: [gentoo-security] Protect SSH

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On Thu, Mar 31, 2005 at 08:14:47PM +0200, Milus János wrote:
> On 2005-03-31 (Thursday) at 13.32, Luis Diaz wrote:
> > Some one may have my root password using a keylogger, so even after
> > change the password from other place i would like to make REALLY
> > secure my ssh connection, i already thinked on changing the port from
> > 22 to something like 8080, but i would like to do something like a
> > "trigger" so if a connect to some port then sshd is started...any
> > ideas???
> >
>
> Use smartcard / USB token. If it is in your pocket, nobody can use your
> account. You can get one about 30 euros.

How does this work? If it's a smartcard, you need all machines you'll
log in from to have smartcard readers. USB obviates this, for sure, but
I'm curious how secure those devices are.

To securely integrate them with SSH, one would want to allow only public
key auth and store the secret key on the token, which would itself hash
the nonce and handle the authentication in-hardware without ever
exposing the key to the client computer. I'm skeptical that the
off-the-shelf hardware available on the cheap does this. Does it?

Speaking from curiosity and ignorance here.

--
Dan Margolis
Gentoo Security/Audit
Re: Protect SSH [ In reply to ]
On 2005-04-01 (Friday) at 00.12, Dan Margolis wrote:
> >
> > Use smartcard / USB token. If it is in your pocket, nobody can use your
> > account. You can get one about 30 euros.
>
> How does this work? If it's a smartcard, you need all machines you'll
> log in from to have smartcard readers. USB obviates this, for sure, but
> I'm curious how secure those devices are.
>
> To securely integrate them with SSH, one would want to allow only public
> key auth and store the secret key on the token, which would itself hash
> the nonce and handle the authentication in-hardware without ever
> exposing the key to the client computer. I'm skeptical that the
> off-the-shelf hardware available on the cheap does this. Does it?
>
> Speaking from curiosity and ignorance here.

I have experience with the Axalto Cryptoflex 32k e-gate product
( http://www.axalto.com/infosec/egate.asp ) but I think it works the
same way with every openct / opensc supported card. As you can see in
Axalto's on-line store, 5 pieces of this card with the token
connectors cost USD $110 + shipping. (The cards are sold in packs of
5.)

- This is a real smartcard. When you personalise it the card generates
the RSA key-pair, and the secret key never leaves the card.

- On the server side you need to compile openssh with x509 and ldap
support. You can put your users' public keys in an ldap directory
(openldap works well), and ssh can authenticate with it.

- On the client side you need to compile ssh with smartcard support, and
need a running openct as well. You start an ssh connection like this:
ssh -I 0 x.x.x.x (-I 0 means use the first smartcard). Of course openct
asks for your PIN code before connecting. During the authentication the
secret key doesn't leave the card. (Anyway, there are no known methods
to read the secret key itself.)

- If you enable agent forwarding, you can go through multiple ssh "hops"
with the smartcard in your desktop computer, so you don't need to add
any user to your authorized_keys. This is useful, when you don't trust
some of the middle hops' administrators. Of course, this is not a
smartcard feature but an ssh feature, and you can use this with the good
old public key authentication as well.

>
--
Regards:
Jo-Hans

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
On 1 Apr 2005, at 08:44, Milus János wrote:
> - If you enable agent forwarding, you can go through multiple ssh
> "hops"
> with the smartcard in your desktop computer, so you don't need to add
> any user to your authorized_keys. This is useful, when you don't trust
> some of the middle hops' administrators. Of course, this is not a
> smartcard feature but an ssh feature, and you can use this with the
> good
> old public key authentication as well.

One question to agent forwarding: Could any of those harmful system
administrators abuse the agent pipe SSH opens on the machines I am
logged in when agent forwarding is enabled? Could the attacker gain any
access to other systems using my public key during the time I am logged
in?

Regards,
Philipp Kern
Re: Protect SSH [ In reply to ]
One more quick question.

How easy is it for someone to break in using ssh?

I, too, am getting bombarded daily by ssh break-in attempts.

I have a very strong passphrase. No one seems to have been able to get
into my system. In fact, the attempts seem rather naive.

I have to log in from publicly available machines, i.e., classroom
machines or internet cafes, so setting up something to use
certificates seems out of the question.

Aside from someone gaining access through stealing my passphrase, are
there ways of exploiting ssh?

Bill Roberts
Re: Protect SSH [ In reply to ]
On Fri, 1 Apr 2005 08:57:03 -0500
Bill Roberts <billbalt@eyeofthequark.com> bubbled:

> One more quick question.
>
> How easy is it for someone to break in using ssh?
>
> I, too, am getting bombarded daily by ssh break-in attempts.
>
> I have a very strong passphrase. No one seems to have been able to get
> into my system. In fact, the attempts seem rather naive.
>
> I have to log in from publicly available machines, i.e., classroom
> machines or internet cafes, so setting up something to use
> certificates seems out of the question.

Why don't you switch to a non default SSH port?

Regards,
Martin

--
MyExcuse:
User was distributing pornography on server; system seized by FBI.

Martin Zwickel <martin.zwickel@technotrend.de>
Research & Development

TechnoTrend AG <http://www.technotrend.de>
Re: Protect SSH [ In reply to ]
Martin Zwickel wrote:
> Why don't you switch to a non default SSH port?

That is, again, "security through obscurity" as some like to call it.
But indeed for me it worked; no access attempts on my router (with
dynamic IPs), as I use a port that most likely won't even be scanned on
a normal portscan.

Greetings,
David
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Bill Roberts wrote:
> One more quick question.
>
> How easy is it for someone to break in using ssh?
>
> I, too, am getting bombarded daily by ssh break-in attempts.
>
> I have a very strong passphrase. No one seems to have been able to get
> into my system. In fact, the attempts seem rather naive.
>
> I have to log in from publicly available machines, i.e., classroom
> machines or internet cafes, so setting up something to use
> certificates seems out of the question.
>
> Aside from someone gaining access through stealing my passphrase, are
> there ways of exploiting ssh?
>
> Bill Roberts

Use a strong passphrase of known good entropy, like using the
http://diceware.com/ technique. A 10-word diceware passphrase used only
from secure computers without keyloggers/trojans (to ensure that, just
boot a Knoppix CD, for example) is just as secure as anything; besides,
no one can steal a key file and then get access... (not that key files
don't have their good uses). Since a remote attack on the root password
would involve too much time, even a 5-word diceware passphrase would be
sound enough.

The suggestion to use only a gateway machine is a good one, and the
suggestion to restrict the range of IP addresses allowed to connect is
another. If you want to do both, you can use a known squid proxy as your
"gateway" together with ProxyTunnel (emerge proxytunnel or
proxytunnel.sf.net) and allow connects only from the proxy host.

Best regards,

---Venkat.

--
http://www.rayservers.com/
Computers. Installed Secure. OpenPGP. AES Encrypted HD. Colocation.
Tel:+1-607-546-7300 Fax:+1-607-546-7387 Skype: rayservers
PGP/GPG Key: https://www.rayservers.com/keys/0x12430522.asc
4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
Your Privacy and Security are our Business [TM]

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
I assume you realise this leaves you open to problems if someone manages to
spoof your dns or localhost? I used to get portsentry to do similar things
and decided against it after a useful ip address was spoofed.

----- Original Message -----
From: "Phillip Berry" <phillipberry@blisswebhosting.com>
To: <gentoo-security@robin.gentoo.org>
Sent: Friday, April 01, 2005 3:12 AM
Subject: Re: [gentoo-security] Protect SSH


> I found a script online that I hacked to loop through my /var/log/auth.log
> and add entries that try to log in to invalid users to hosts.deny. It works
> very well but it's pretty inefficient.
>
> It's pasted to the bottom of this email.
>
> This is my hosts.deny file after one month
>
>
>
> #!/usr/bin/php
> <?php
> // Setup file names
> $blacklist_file = '/etc/blacklist';
> $secure_file = '/var/log/syslog';
> $hosts_deny = '/etc/hosts.deny';
>
> // Get files into an array
> $blacklist = read_into_array($blacklist_file);
> $secure = read_into_array($secure_file);
>
> // Find 'invalid user' (older sshd logs 'Illegal user') and parse the IP.
> // stripos() is case-insensitive, and it can return 0 for a match at the
> // start of the string, so the result is compared against false.
> foreach($secure as $line){
> if(stripos($line,'invalid user') !== false || stripos($line,'illegal user') !== false){
> // sshd appends the real peer address last, so take the text after the
> // last ' from ' rather than the first: a username containing 'from'
> // must not be able to choose which address gets blocked.
> $array = explode(' from ',$line);
> $rest = trim(end($array));
> $space = strpos($rest," ");
> $ip = ($space === false) ? $rest : substr($rest,0,$space);
> // Only accept something shaped like an IPv4 address
> if(preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $ip) && !in_array($ip, $blacklist)){
> $blacklist[] = $ip;
> }
> }
> }
>
> // When the blacklist file is read, we get a couple empty array elements
> // We remove them here
> $final_blacklist = array();
> foreach($blacklist as $arg){
> $arg = trim($arg);
> if(strlen($arg) >= 7){ // 7 is minimum IP string length
> $final_blacklist[] = $arg;
> }
> }
>
> // Rewrite the blacklist file
> $black = fopen($blacklist_file, 'w');
> fwrite($black, implode("\n", $final_blacklist));
> fclose($black);
>
> // Rewrite the hosts.deny file
> $deny = fopen($hosts_deny, 'w');
> fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
> fclose($deny);
>
> // Reads a file into an array
> // Had problems with file()
> function read_into_array($file){
> if(!file_exists($file) || filesize($file) == 0){
> return array(); // fread() with length 0 would fail on an empty file
> }
> $resource = fopen($file, 'r');
> $return = explode("\n",fread($resource,filesize($file)));
> fclose($resource);
> return $return;
> }
>
> ?>
>
>
>
>
> On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
>> Another question under the same topic.
>>
>> Is it possible to automatically add hosts that try to log in as root to
>> hosts.deny? If so, how? And also how would I get that to happen for
>> everyone who fails to log in after a certain number of tries?
>>
>> Thanks.
>>
>>
>> --
>> gentoo-security@gentoo.org mailing list
>
> --
> gentoo-security@gentoo.org mailing list
>

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
Why don't you use keys with a passphrase instead of password
authentication... just a suggestion


Cheers

Christian

Toby Fisher wrote:

> I assume you realise this leaves you open to problems if someone
> manages to spoof your dns or localhost? I used to get portsentry to
> do similar things and decided against it after a useful ip address was
> spoofed.
>
> ----- Original Message ----- From: "Phillip Berry"
> <phillipberry@blisswebhosting.com>
> To: <gentoo-security@robin.gentoo.org>
> Sent: Friday, April 01, 2005 3:12 AM
> Subject: Re: [gentoo-security] Protect SSH
>
>
>> I found a script online that I hacked to loop through my
>> /var/log/auth.log and add entries that try to log in to invalid users to
>> hosts.deny. It works very well but it's pretty inefficient.
>>
>> It's pasted to the bottom of this email.
>>
>> This is my hosts.deny file after one month
>>
>>
>>
>> #!/usr/bin/php
>> <?php
>> // Setup File names
>> $blacklist_file = '/etc/blacklist';
>> $secure_file = '/var/log/syslog';
>> $hosts_deny = '/etc/hosts.deny';
>>
>> // Get files into an array
>> $blacklist = read_into_array($blacklist_file);
>> $secure = read_into_array($secure_file);
>>
>> // Find 'Illegal' and parse IP from string
>> foreach($secure as $line){
>> if(strpos($line,'invalid user') !== false){ // strpos() can return 0
>> $array = explode('from',$line);
>> $ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
>> if(!in_array($ip, $blacklist)){
>> $blacklist[] = $ip;
>> }
>> }
>> }
>>
>> // When the blacklist file is read, we get a couple empty array elements
>> // We remove them here
>> foreach($blacklist as $arg){
>> if(strlen($arg) >= 7){ // 7 is minimum IP string length
>> $final_blacklist[] = $arg;
>> }
>> }
>>
>> // Rewrite the blacklist file
>> $black = fopen($blacklist_file, 'w');
>> fwrite($black, implode("\n", $final_blacklist));
>> fclose($black);
>>
>> //Rewrite the hosts.deny file
>> $deny = fopen($hosts_deny, 'w');
>> fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
>> fclose($deny);
>>
>> // Reads a file into an array
>> // Had problems with file()
>> function read_into_array($file){
>> $resource = fopen($file, 'r');
>> $return = explode("\n",fread($resource,filesize($file)));
>> fclose($resource);
>> return $return;
>> }
>>
>> ?>
>>
>>
>>
>>
>> On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
>>
>>> Another question under the same topic.
>>>
>>> Is it possible to automatically add hosts that try to log in as root to
>>> hosts.deny? If so, how? And also how would I get that to happen for
>>> everyone who fails to log in after a certain number of tries?
>>>
>>> Thanks.
>>>
>>>
>>> --
>>> gentoo-security@gentoo.org mailing list
>>
>>
>> --
>> gentoo-security@gentoo.org mailing list
>>
>
> --
> gentoo-security@gentoo.org mailing list
>
>



--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
All such dynamic techniques are vulnerable to DoS. However, being smart
about what you do minimises the chance of this happening and it is a
very useful technique.

In more general terms (not ssh specific), before you actually kill
traffic, test it against a set of criteria including IPs you do not
want dropped for any reason. Also hosts.deny is not the best place for
this (if someone attacks your ssh port, I would think they would also
look at a number of other ports which may be vulnerable via
misconfiguration, bug or the accidental running of an application): I
suspect not all applications respect hosts.deny; better to use a proper
iptables script and sit the dynamic stuff on top.

BillK


On Fri, 2005-04-01 at 20:31 +0100, Toby Fisher wrote:
> I assume you realise this leaves you open to problems if someone manages to
> spoof your dns or localhost? I used to get portsentry to do similar things
> and decided against it after a useful ip address was spoofed.
>
> ----- Original Message -----
> From: "Phillip Berry" <phillipberry@blisswebhosting.com>
> To: <gentoo-security@robin.gentoo.org>
> Sent: Friday, April 01, 2005 3:12 AM
> Subject: Re: [gentoo-security] Protect SSH

--
William Kenworthy <billk@iinet.net.au>
Home!

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH [ In reply to ]
I added important IP addresses and netblocks to hosts.allow, which is checked
first.

I realise that it's not the best solution (the script itself is nasty and
needs to be re-written), but it's reasonable for the moment. It has stopped
script kiddies brute forcing ssh for 30 minutes at a time like they were before
it was implemented.

Phil

On Saturday 02 April 2005 05:31, Toby Fisher wrote:
> I assume you realise this leaves you open to problems if someone manages to
> spoof your dns or localhost? I used to get portsentry to do similar things
> and decided against it after a useful ip address was spoofed.
>
> ----- Original Message -----
> From: "Phillip Berry" <phillipberry@blisswebhosting.com>
> To: <gentoo-security@robin.gentoo.org>
> Sent: Friday, April 01, 2005 3:12 AM
> Subject: Re: [gentoo-security] Protect SSH
>
> > I found a script online that I hacked to loop through my /var/log/auth.log
> > and add entries that try to log in to invalid users to hosts.deny. It works
> > very well but it's pretty inefficient.
> >
> > It's pasted to the bottom of this email.
> >
> > This is my hosts.deny file after one month
> >
> >
> >
> > #!/usr/bin/php
> > <?php
> > // Setup File names
> > $blacklist_file = '/etc/blacklist';
> > $secure_file = '/var/log/syslog';
> > $hosts_deny = '/etc/hosts.deny';
> >
> > // Get files into an array
> > $blacklist = read_into_array($blacklist_file);
> > $secure = read_into_array($secure_file);
> >
> > // Find 'Illegal' and parse IP from string
> > foreach($secure as $line){
> > if(strpos($line,'invalid user') !== false){ // strpos() can return 0
> > $array = explode('from',$line);
> > $ip = substr(trim($array[1]),0,strpos(trim($array[1])," "));
> > if(!in_array($ip, $blacklist)){
> > $blacklist[] = $ip;
> > }
> > }
> > }
> >
> > // When the blacklist file is read, we get a couple empty array elements
> > // We remove them here
> > foreach($blacklist as $arg){
> > if(strlen($arg) >= 7){ // 7 is minimum IP string length
> > $final_blacklist[] = $arg;
> > }
> > }
> >
> > // Rewrite the blacklist file
> > $black = fopen($blacklist_file, 'w');
> > fwrite($black, implode("\n", $final_blacklist));
> > fclose($black);
> >
> > //Rewrite the hosts.deny file
> > $deny = fopen($hosts_deny, 'w');
> > fwrite($deny, 'ALL:' . implode(',', $final_blacklist) . "\n\n");
> > fclose($deny);
> >
> > // Reads a file into an array
> > // Had problems with file()
> > function read_into_array($file){
> > $resource = fopen($file, 'r');
> > $return = explode("\n",fread($resource,filesize($file)));
> > fclose($resource);
> > return $return;
> > }
> >
> > ?>
> >
> > On Friday 01 April 2005 05:07, Ilari Mäkimattila wrote:
> >> Another question under the same topic.
> >>
> >> Is it possible to automatically add hosts that try to log in as root to
> >> hosts.deny? If so, how? And also how would I get that to happen for
> >> everyone who fails to log in after a certain number of tries?
> >>
> >> Thanks.
> >>
> >>
> >> --
> >> gentoo-security@gentoo.org mailing list
> >
> > --
> > gentoo-security@gentoo.org mailing list
>
> --
> gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list
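The blocker Ilari asked for, with the two safeguards BillK and Phil describe (an allow list of addresses that must never be dropped, and a failure threshold before anything is denied), as an added example written for this thread rather than code from any of the posters. It is Python rather than Phillip's PHP; the log lines, addresses and allow list are constructed samples, and the IP validation plus end-of-line anchoring are there for the spoofed-entry problem Toby raises.

```python
"""Threshold-based blocker for sshd brute-force attempts (added example).

Parses sshd log lines, counts failed and invalid-user logins per source
address, skips anything on an allow list (the hosts.allow idea), blocks
only above a failure threshold (or on the first root attempt), and
renders the hosts.deny line.  Everything below is constructed sample
data, not real traffic.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log in OpenSSH's format.  Older sshd versions wrote
# "Illegal user" instead of "Invalid user"; the 203.0.113.99 line shows a
# username that itself contains " from <address>".
SAMPLE_AUTH_LOG = """\
Apr  1 03:12:01 host sshd[1234]: Invalid user admin from 203.0.113.7
Apr  1 03:12:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Apr  1 03:12:05 host sshd[1240]: Failed password for root from 203.0.113.7 port 40130 ssh2
Apr  1 03:12:09 host sshd[1241]: Failed password for root from 203.0.113.7 port 40131 ssh2
Apr  1 03:13:00 host sshd[1250]: Failed password for root from 198.51.100.9 port 50000 ssh2
Apr  1 03:14:00 host sshd[1260]: Illegal user fromage from 192.0.2.44
Apr  1 03:15:00 host sshd[1270]: Invalid user test from 203.0.113.99 from 10.0.0.5
Apr  1 03:16:00 host sshd[1280]: Accepted publickey for phil from 192.0.2.10 port 52000 ssh2
Apr  1 03:17:00 host sshd[1290]: Failed password for root from 192.0.2.10 port 52001 ssh2
Apr  1 03:17:01 host sshd[1291]: Failed password for root from 192.0.2.10 port 52002 ssh2
Apr  1 03:17:02 host sshd[1292]: Failed password for root from 192.0.2.10 port 52003 ssh2
"""

# Netblocks that must never be denied (constructed; put your own here).
DEFAULT_ALLOW = ["127.0.0.0/8", "192.0.2.0/24"]

# Both patterns are anchored at the end of the line, so the address that
# sshd appended is the one we take, whatever the username contained.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+?) "
    r"from (?P<ip>\S+) port \d+ ssh2$")
INVALID_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>.+) from (?P<ip>\S+)$")


def parse_failures(log_text):
    """Yield (ip, user) for every failed or invalid-user login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def valid_ipv4(text):
    """True only for a syntactically valid IPv4 address."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def in_allow_list(ip, allow_list):
    """True if ip falls inside any netblock of allow_list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allow_list)


def select_offenders(log_text, allow_list=DEFAULT_ALLOW, max_failures=3,
                     block_root_on_first=True):
    """Return the sorted list of addresses that should be denied."""
    failures = Counter()
    root_attempts = Counter()
    for ip, user in parse_failures(log_text):
        # Validate before trusting: a log line is attacker-influenced text.
        if not valid_ipv4(ip) or in_allow_list(ip, allow_list):
            continue
        failures[ip] += 1
        if user == "root":
            root_attempts[ip] += 1
    offenders = [ip for ip, n in failures.items()
                 if n >= max_failures
                 or (block_root_on_first and root_attempts[ip] > 0)]
    return sorted(offenders, key=ipaddress.ip_address)


def hosts_deny_line(offenders, daemon="sshd"):
    """Render a hosts.deny entry; the same list could feed iptables instead."""
    if not offenders:
        return ""
    return "%s: %s\n" % (daemon, ", ".join(offenders))


if __name__ == "__main__":
    denied = select_offenders(SAMPLE_AUTH_LOG)
    print(hosts_deny_line(denied), end="")
```

With the sample data the 203.0.113.99 address never appears in the output, because the real peer address is the last one on that line; the three root failures from 192.0.2.10 are ignored only because that netblock is on the allow list.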