| View previous topic :: View next topic |
| Author |
Message |
bakaohki
Tux's lil' helper
Joined: 14 Jul 2005
Posts: 129
Location: Hungary
|
 Posted: Sat Sep 10, 2005 8:58 pm Post subject: |
 |
|
I shouldn't even bother to post, because what I'm saying is so trivial: USE A DEDICATED FIREWALL  . Everyone out there. You can use Gentoo, Debian, whatever; I prefer FloppyFW with a fanless dumb P1 75mhz (put together from used garbage). And of course use strong passwords and iptables firewalls for the internal machines. Duh. Surfing on the net without a firewall is like walking around in the city without clothes; if you have weak passwords and opened ssh ports, then it means you're a hot babe without clothes in the worst area of the city at midnight waving a sign "kidnap me"... |
|
| Back to top |
|
 |
audiodef
Watchman
Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere
|
| Posted: Tue Sep 13, 2005 12:27 pm Post subject: Mystery logout |
|
|
| I think someone may have been trying to use my Gentoo box at my office, after hours. I had it up and running one day, screen locked, and logged out the next day. At best, someone hit the computer's reset button, but where would I look to find out exactly what happened? I know it's probably not a power failure because 1. another computer was still on the way I left it and 2. I don't think computer is not set up to reboot after a power failure. |
|
| Back to top |
|
|
jamapii
l33t
Joined: 16 Sep 2004
Posts: 637
|
| Posted: Sat Sep 17, 2005 6:58 pm Post subject: |
|
|
There is /var/log/syslog
If it was xlock, maybe it crashed.
Maybe someone switched it off for some reason, then changed their mind and switched it on again.
... |
|
| Back to top |
|
|
trip
n00b
Joined: 10 May 2005
Posts: 6
Location: nineth plane of hell
|
| Posted: Mon Sep 26, 2005 7:19 am Post subject: |
|
|
how do you turn of passwd-less logins? and is making a passwd-less acount as easy as not typing any when creating the acount? sorry for the noobs questions but i want to know exactly what to do in the litle time i have. 
tnx in advance
_________________
using linux since may 2005
using gentoo since sept. 2005
Testing and
Research
In
Progress |
|
| Back to top |
|
|
quantus
n00b
Joined: 30 Jul 2002
Posts: 60
|
| Posted: Mon Sep 26, 2005 10:43 pm Post subject: PAM... |
|
|
| trip wrote: | how do you turn of passwd-less logins? and is making a passwd-less acount as easy as not typing any when creating the acount? sorry for the noobs questions but i want to know exactly what to do in the litle time i have. :D
tnx in advance |
I'm a littly fuzzy on your question... see if these this helps you out: Hardening PAM |
|
| Back to top |
|
|
nhaggin
n00b
Joined: 15 Jun 2002
Posts: 74
Location: Illinois, USA
|
| Posted: Wed Oct 05, 2005 3:40 pm Post subject: |
|
|
Reply a little late to this, but I didn't see it until now....
| segedunum wrote: | | Quote: | | The simple fact is that running any service whatsoever, on any port, is a security hazard. The only truly secure network is the one you don't build, and the only truly secure computer is in a concrete bunker, under armed guard, with console access only, etc. Even then, there are various points of attack one could use to gain access, if one really wanted to. |
That's the usual cop-out rubbish I'm afraid. |
It might interest you to know that I'm not running a public SSH server, and that I do use OpenVPN to remotely administer my machine.
As to the rest of your reply: I was not attempting to ridicule your advice, nor was I making several of the assumptions you suggested I was; if my choice of language implied that, I apologize. I meant to indicate that, if one hardens one's SSH setup, one can expose it to the Internet, even on port 22, without immediate and grave danger, although there is still some danger present. IOW, it's not completely insane to have publicly-available SSH, although, as you have indicated, certain other systems are more secure.
_________________
Nick
A.M.D.G. |
|
| Back to top |
|
|
robinmdh
n00b
Joined: 01 Oct 2005
Posts: 6
|
| Posted: Wed Oct 05, 2005 7:14 pm Post subject: |
|
|
| Code: | Oct 2 10:52:23 [sshd] Invalid user anna from 210.6.64.3
Oct 2 10:52:31 [sshd] Invalid user arthur from 210.6.64.3
Oct 2 10:52:38 [sshd] Invalid user aron from 210.6.64.3
Oct 2 10:52:42 [sshd] Invalid user austin from 210.6.64.3
Oct 2 10:52:46 [sshd] Invalid user barbara from 210.6.64.3
Oct 2 10:52:50 [sshd] Invalid user bart from 210.6.64.3
Oct 2 10:52:53 [sshd] Invalid user ben from 210.6.64.3
Oct 2 10:52:57 [sshd] Invalid user beny from 210.6.64.3
Oct 2 10:53:02 [sshd] Invalid user bert from 210.6.64.3
Oct 2 10:53:05 [sshd] Invalid user bill from 210.6.64.3
Oct 2 10:53:13 [sshd] Invalid user bind from 210.6.64.3
Oct 2 10:53:17 [sshd] Invalid user bob from 210.6.64.3
Oct 2 10:53:20 [sshd] Invalid user bobby from 210.6.64.3
Oct 2 10:53:24 [sshd] Invalid user bret from 210.6.64.3
Oct 2 10:53:27 [sshd] Invalid user brian from 210.6.64.3
Oct 2 10:53:31 [sshd] Invalid user bruce from 210.6.64.3
Oct 2 10:53:36 [sshd] Invalid user carl from 210.6.64.3
Oct 2 10:53:39 [sshd] Invalid user carol from 210.6.64.3
Oct 2 10:53:45 [sshd] Invalid user cesar from 210.6.64.3
Oct 2 10:53:48 [sshd] Invalid user clark from 210.6.64.3
Oct 2 10:53:51 [sshd] Invalid user clinton from 210.6.64.3
Oct 2 10:53:55 [sshd] Invalid user corinna from 210.6.64.3
Oct 2 10:53:59 [sshd] Invalid user craig from 210.6.64.3
Oct 2 10:54:02 [sshd] Invalid user daniel from 210.6.64.3
Oct 2 10:54:06 [sshd] Invalid user danny from 210.6.64.3
Oct 2 10:54:11 [sshd] Invalid user dave from 210.6.64.3
Oct 2 10:54:14 [sshd] Invalid user dexter from 210.6.64.3
Oct 2 10:54:18 [sshd] Invalid user dick from 210.6.64.3
Oct 2 10:54:21 [sshd] Invalid user earl from 210.6.64.3
Oct 2 10:54:26 [sshd] Invalid user ed from 210.6.64.3
Oct 2 10:54:30 [sshd] Invalid user eddie from 210.6.64.3
Oct 2 10:54:33 [sshd] Invalid user edgar from 210.6.64.3
Oct 2 10:54:37 [sshd] Invalid user ellen from 210.6.64.3
Oct 2 10:54:40 [sshd] Invalid user emil from 210.6.64.3
Oct 2 10:54:45 [sshd] Invalid user enzo from 210.6.64.3
Oct 2 10:54:48 [sshd] Invalid user felix from 210.6.64.3
Oct 2 10:54:52 [sshd] Invalid user fred from 210.6.64.3
Oct 2 10:54:57 [sshd] Invalid user francis from 210.6.64.3
Oct 2 10:55:02 [sshd] Invalid user harry from 210.6.64.3
Oct 2 10:55:06 [sshd] Invalid user ian from 210.6.64.3
Oct 2 10:55:10 [sshd] Invalid user ismail from 210.6.64.3
Oct 2 10:55:20 [sshd] Invalid user james from 210.6.64.3
Oct 2 10:55:24 [sshd] Invalid user jesse from 210.6.64.3
|
lol
don't think i've been hacked but will step up on security! |
|
| Back to top |
|
|
pengatom
n00b
Joined: 04 Oct 2004
Posts: 14
Location: Norway
|
| Posted: Fri Oct 07, 2005 9:08 pm Post subject: |
|
|
I've got 23 000 "Failed password" logins the laste 3 months... Changed the ssh port, hopfully it gets better 
In my iptables I've written:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
would the "ssh" port number change to whatever I set i sshd_conf, or does "ssh" mean port 22?
btw, if I try to set a "easy" password on a user, gentoo tells me this, anyone know what this definition on a "BAD password" is? |
|
| Back to top |
|
|
Malcolm
n00b
Joined: 11 Jul 2002
Posts: 59
Location: Ontario, Canada
|
| Posted: Wed Oct 12, 2005 6:25 pm Post subject: |
|
|
I've gotten alot of these break-in attempts aswell, both through SSH and FTP. My suggestion is to setup an auto blacklisting script like ssh black.
I've had this setup on my system for 3 days now and the blacklist always has 5-10 IPs, rotating of course |
|
| Back to top |
|
|
Errtu
Apprentice
Joined: 12 Nov 2002
Posts: 155
Location: Brazil
|
| Posted: Thu Oct 13, 2005 10:06 am Post subject: |
|
|
| I got tired of maintaining blacklists, scripts and other stuff to keep 'm out, so i just configured sshd to listen on a higher IP. Since i've done that i get no more of these attempts. And my logfile stays a bit cleaner too |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Thu Oct 13, 2005 1:51 pm Post subject: |
|
|
I just grepped over my log and have about 2,000+ pages of attempts ranging back from August of this year.
All of them lame dictionary attempts. Does reporting these IP's to their respective ISP's help anything?
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
christsong84
Veteran
Joined: 06 Apr 2003
Posts: 1003
Location: GMT-8 (Spokane)
|
| Posted: Thu Oct 13, 2005 7:10 pm Post subject: |
|
|
| bigun89 wrote: | I just grepped over my log and have about 2,000+ pages of attempts ranging back from August of this year.
All of them lame dictionary attempts. Does reporting these IP's to their respective ISP's help anything? |
sometimes but not often. I generally report those IP's to them anyways...might as well, it can't hurt anything. I've gotten three ISP's who've actually done something and asked me to let them know if things happen again.
_________________
while(true) {self.input(sugar);}  |
|
| Back to top |
|
|
oracleofmist
Apprentice
Joined: 19 Jun 2004
Posts: 235
|
| Posted: Sat Oct 15, 2005 12:13 am Post subject: |
|
|
on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols i've also take the libery of changing my ftp, ssh services to high port numbers. good practice?
_________________
Segmentation Fault |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Sat Oct 15, 2005 2:55 pm Post subject: |
|
|
| oracleofmist wrote: | | on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols i've also take the libery of changing my ftp, ssh services to high port numbers. good practice? |
Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
chrispolderman
n00b
Joined: 12 Oct 2005
Posts: 14
|
| Posted: Mon Oct 24, 2005 5:52 am Post subject: |
|
|
Is there a solid way to traceback the ip number in question and obtaining the abuse email address for the corresponding ISP or am I just speaking nonsense here?
Would be a nice script: more than 20 password tries logged and a process would automatically file a complaint to the corresponding ISP...
Is this possible (apart from spoofed IP's ofcourse)..?
Chris |
|
| Back to top |
|
|
dsb
n00b
Joined: 09 Sep 2004
Posts: 30
Location: MO
|
| Posted: Tue Oct 25, 2005 7:33 am Post subject: |
|
|
| My traceroute shows they are coming from China |
|
| Back to top |
|
|
shiggity s
n00b
Joined: 26 Oct 2005
Posts: 11
|
| Posted: Wed Oct 26, 2005 7:03 am Post subject: |
|
|
| Those crazy Chinese hackers |
|
| Back to top |
|
|
Cinder6
l33t
Joined: 05 Aug 2004
Posts: 767
Location: California
|
| Posted: Thu Oct 27, 2005 10:58 pm Post subject: |
|
|
I've been getting some from South Korea, and a couple that IP locators can't find 
_________________
Knowledge is power.
Power corrupts.
Study hard.
Be evil.
Ugly Overload |
|
| Back to top |
|
|
Monkeh
Veteran
Joined: 06 Aug 2005
Posts: 1656
Location: England
|
| Posted: Fri Oct 28, 2005 12:37 am Post subject: |
|
|
| bigun89 wrote: | | oracleofmist wrote: | | on top of being behind a router firewall that drops all incoming connections except to specified ports w/ specified protocols i've also take the libery of changing my ftp, ssh services to high port numbers. good practice? |
Ehh... that's more of security by obscurity... but at the very least will keep bot attempts out. |
There's nothing wrong with security by obscurity, in fact it's a good practice. Just don't rely on it. |
|
| Back to top |
|
|
heartburn
n00b
Joined: 18 Oct 2002
Posts: 40
|
| Posted: Thu Nov 03, 2005 11:17 pm Post subject: |
|
|
I'm not sure if it's been mentioned yet on this thread (it's a very long thread). But you can configure sshd to use DSA authentication instead of PasswordAuthentication. Then, a cracker would need an existing user's private key to use ssh.
You can find the instructions here:
http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable
Also, logwatch makes a nice daily report of login attempts:
| Code: | --------------------- SSHD Begin ------------------------
Didn't receive an ident from these IPs:
xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
xxx.xxx.com (xxx.xxx.xxx.xxx): 1 Time(s)
Failed logins from these:
invalid user admin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
invalid user administrator (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
invalid user carol (password) from ::ffff:xxx.xxx.xxx.xxx: 2 Time(s)
invalid user jack (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
invalid user marvin (password) from ::ffff:xxx.xxx.xxx.xxx: 1 Time(s)
root/password from ::ffff:xxx.xxx.xxx.xxx: 31 Time(s)
Users logging in through sshd:
jblow:
xxx.xxx.net (xxx.xxx.xxx.xxx): 4 times
---------------------- SSHD End ------------------------- |
I also have a script to page me when someone succefully logs on through ssh. That's not too practical if you have lots of users. But it's good if you aren't expecting any logins. I think I stole this script from somewhere else in this forum (my apologies to its author).
| Code: |
# Send a brief alert with connection details
#
when=`/usr/bin/date`
where=`echo $SSH_CONNECTION|cut -f1 -d' '|cut -f4 -d:`
if [ -z "$SSH_TTY" ] ; then
what="Connect by $USER"
else
what="Login by $USER on $SSH_TTY"
fi
mailto=""
cc_to=""
bcc_to=""
while read address mode
do
if [ -z "$address" -o "${address:0:1}" = "#" ] ; then continue; fi
if [ "x$mode" = "xcc" -o "x$mode" = "xCC" ] ; then
cc_to=${cc_to:+${cc_to},}$address
elif [ "x$mode" = "xbcc" -o "x$mode" = "xBCC" ] ; then
bcc_to=${bcc_to:+${bcc_to},}$address
else
mailto=${mailto:+${mailto},}$address
fi
done </etc/ssh/notify
mailto=${mailto:-operator}
cc_to=${cc_to:+"-c $cc_to"}
bcc_to=${bcc_to:+"-b $bcc_to"}
mail ${cc_to} ${bcc_to} -s "SSH Alert" ${mailto} >&2 <<-EOM
${what} from ${where} at ${when}
EOM
|
~~~~~EDIT~~~~~
I just did a search and it seems that I stole the script from timeBandit. He has written an excellent HOW-TO about it here:
https://forums.gentoo.org/viewtopic-t-393795-highlight-send+brief+alert+connection+details.html
Last edited by heartburn on Thu Nov 03, 2005 11:28 pm; edited 1 time in total |
|
| Back to top |
|
|
abaelinor
n00b
Joined: 27 Aug 2005
Posts: 51
|
| Posted: Tue Nov 08, 2005 4:58 am Post subject: |
|
|
aa
Last edited by abaelinor on Tue Oct 21, 2008 4:28 am; edited 1 time in total |
|
| Back to top |
|
|
heartburn
n00b
Joined: 18 Oct 2002
Posts: 40
|
| Posted: Tue Nov 08, 2005 5:39 am Post subject: |
|
|
| like I said, I stole it from timeBandit. He deserves the credit. But I've been using it for about two weeks and it works great. I love hearing my phone make a satisfying chirp every time I log on. And I like hearing nothing when I'm not logging on even better |
|
| Back to top |
|
|
d11wtq
Apprentice
Joined: 14 Jul 2005
Posts: 192
Location: Manchester, UK
|
| Posted: Fri Nov 11, 2005 10:38 am Post subject: |
|
|
Hopefully I've not missed something... I just read 16 pages of thread very quickly. What a great thread!
I run a web server. I'm not being paranoid but this has made me think a lot about security considerations. One thing that worries me is that I have set up user accounts for friends & family on my server (shell accounts/ftp/virtualhost apache accounts) so they can host websites too.
Everyone seems to only be mentioning SSH attacks... all of my users (most know virtually nothing about *nix) have shell access by SSH. The worrying thing is that I'm relying upon them to use secure passwords too now. How can I force increased password security? I want them all to login and do a passwd, then I want passwd to make sure their passwords:
a) Contain at least 8 characters
b) Contain at least 2 numbers
c) Contain a mixture of uppercase and lowercase letters
passwd already forces at least *6* chars but the rest is perfectly allowed
I'm amazed we're only discussing SSH. Is FTP any security risk? It uses the same passwords as the shell access and all users are chrooted to their home directory. Hell... I've even been told you can compromise a box by telnetting to port 80 (HTTP) and doing some magic 
I've already installed and changed a few configs during the course of this thread... I may as well do this extra thing with the passwords too. I'll run a "last" command every so often so that users who aren't using SSH have their access removed temporarily too. They'd just get a message upon successful login which says that they need to contact me to have their access re-enabled and then it disconnects again.
Password criteria help anyone? |
|
| Back to top |
|
|
Errtu
Apprentice
Joined: 12 Nov 2002
Posts: 155
Location: Brazil
|
| Posted: Fri Nov 11, 2005 1:19 pm Post subject: |
|
|
d11wtq:
Justdoing some searching on freshmeat gives these projects:
http://freshmeat.net/projects/pam_pwcheck/
- The pam_pwcheck is a PAM module for password strength checking
http://freshmeat.net/projects/pam_passwdqc/
- pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1).
Maybe one of these could be of help?
Leon |
|
| Back to top |
|
|
d11wtq
Apprentice
Joined: 14 Jul 2005
Posts: 192
Location: Manchester, UK
|
| Posted: Fri Nov 11, 2005 10:21 pm Post subject: |
|
|
| Thanks. I've emerged pam_passwdqc so that should help. I haven't set it up yet but it looks simple enough |
|
| Back to top |
|
|
|
Networking & Security
