Gentoo Forums
Networking & Security
i got hacked. what were they up to?
bcore (n00b) | Joined: 09 Apr 2003 | Posts: 59 | Location: Toronto
Posted: Mon Aug 16, 2004 9:42 pm

tomchuk wrote:
I know, it was a joke, notice the 'Razz' and 'Smile' smileys.


Argh, sorry, stressful day. :)
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

Captain_Loser (Tux's lil' helper) | Joined: 19 Mar 2003 | Posts: 106
Posted: Mon Aug 16, 2004 11:38 pm

bcore wrote:
I'm certainly willing to tar up the directory for anyone who is curious. I have no way of hosting it though...


I don't mind hosting. However, I will remove something required for the program to operate, just so that I won't be hosting something evil. PM or e-mail me if you're interested.
_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!

evoweiss (Veteran) | Joined: 07 Sep 2003 | Posts: 1668 | Location: Edinburgh, UK
Posted: Tue Aug 17, 2004 3:29 am

Hi All,

This is definitely becoming an interesting thread and I've got a bit more to contribute after an interesting email today.

I received an email that was purportedly from zywall and asked me to fill out a 'customer survey'. It smelled like BS to me, and using the wonderful pine email client, I quickly saw that it was.

I would have been redirected to some website that, undoubtedly, would have fscked around with some aspect of my set-up.

Unfortunately, I managed to accidentally delete the email. Did anybody else receive something similar, and how did they know I use a zywall router/firewall (lucky guess?).

Also, I noticed a post that mentioned port knocking. I've heard of this before, but am not sure what it is nor how to set it up. Care to explain it to me and point me to any useful how-tos in the event that I'm interested?

If I receive another email like it (and I probably will), I'll be sure to save it this time and even do a wget on the url I'm directed to, post the html code, etc.

Best,

Alex

bcore (n00b) | Joined: 09 Apr 2003 | Posts: 59 | Location: Toronto
Posted: Tue Aug 17, 2004 5:36 am

Captain_Loser wrote:
I don't mind hosting.


How could I turn that down. We have very similar signatures. :) I'll email it to you tomorrow..
_________________
MR DOWNY: BISCUIT BRAAAAAAAAAAA
YUO: LOL!!!!!

Paulten (Apprentice) | Joined: 28 Mar 2003 | Posts: 257 | Location: Sykkylven, Norway
Posted: Tue Aug 17, 2004 10:03 am

So you got a test user without a password, right? Does ssh permit users with empty passwords? It should not; I have
PermitEmptyPasswords no in my sshd_config, I don't know if I put it there myself or if this is default behavior.

Did you have username: test and passwd: test maybe ? :p

Later
_________________
Homepage : http://paul.kde.no Jabber ID : tenfjord@jabber.org
"Dei levde som dyr. Dei verken røykte eller drakk" -Ukjent

JudgeNik (Tux's lil' helper) | Joined: 02 Mar 2004 | Posts: 86 | Location: Bolzano, Italy
Posted: Tue Aug 17, 2004 10:25 am

As he previously stated in the first post:
Quote:
...I made an account with the username AND password of "test"...

_________________
See the famous Niko Roberts at http://www.nikoroberts.com

Paulten (Apprentice) | Joined: 28 Mar 2003 | Posts: 257 | Location: Sykkylven, Norway
Posted: Tue Aug 17, 2004 10:38 am

JudgeNik wrote:
As he previously stated in the first post:
Quote:
...I made an account with the username AND password of "test"...


soorrry :P
_________________
Homepage : http://paul.kde.no Jabber ID : tenfjord@jabber.org
"Dei levde som dyr. Dei verken røykte eller drakk" -Ukjent

devon (l33t) | Joined: 23 Jun 2003 | Posts: 943
Posted: Tue Aug 17, 2004 3:42 pm

evoweiss wrote:
Also, I noticed a post that mentioned port knocking. I've heard of this before, but am not sure what it is nor how to set it up. Care to explain it to me and point me to any useful how-tos in the event that I'm interested?

Google for port knocking. :)

Captain_Loser (Tux's lil' helper) | Joined: 19 Mar 2003 | Posts: 106
Posted: Tue Aug 17, 2004 6:46 pm

I noticed that I was getting about 5 of these crack attempts a day, so I set up a simple firewall to see if I could try to keep some of this stuff away. I made a script that uses iptables with anti-portscan and anti-OS-fingerprinting stuff in it. I know that it is impossible to stop all port scans and all OS fingerprinting attempts, but I can try. Now that I run this firewall I haven't gotten any of these crack attempts against my machine. The attempts on my machine had been going on for about a month, and now they have stopped. I am putting this script on other Linux boxes that are getting hit to see if this stops the attempts on them as well.
_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!

silentbob (Apprentice) | Joined: 09 Nov 2003 | Posts: 159 | Location: UK
Posted: Tue Aug 17, 2004 7:15 pm

Captain_Loser wrote:
... I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it.

Care to share with us, or is it (a) already available or (b) security risk?

OdinsDream (Veteran) | Joined: 01 Jun 2002 | Posts: 1057
Posted: Tue Aug 17, 2004 7:36 pm

Could someone help me figure out where my /var/log/sshd information is?

I have other entries in /var/log/, but I have no ssh-related files or directories. ps shows:

/usr/sbin/syslogd -m 0

...running. Do I need to specifically enable sshd logging somewhere? Many thanks, great thread!
_________________
s/(?<!gnu\/)linux(?! kernel)/GNU\/Linux/gi

Don't blame me. I didn't vote for him.

http://john.simplykiwi.com

Captain_Loser (Tux's lil' helper) | Joined: 19 Mar 2003 | Posts: 106
Posted: Tue Aug 17, 2004 7:42 pm

silentbob wrote:
Captain_Loser wrote:
... I made a script that uses iptables with anti portscan and anti os-fingerprinting stuff in it.

Care to share with us, or is it (a) already available or (b) security risk?

Don't mind sharing it. It's not as secure as it could be, though. I am putting this firewall on several machines that have different access needs, so instead of blocking everything and opening up the necessary ports, I just blocked certain types of traffic. I also didn't add logging support, but logging isn't too difficult to add. The bad flags section and the OS fingerprinting section are what seem to have done the trick. Here it is.

Code:
#!/bin/bash

#Define the location of the IPTABLES executable
IPTABLES=/sbin/iptables

#Interfaces
#These are only needed for Forwarding
EXTIF=eth0 #External Interface
INTIF=eth1 #Internal Interface

#Lets be friendly
echo "Loading Firewall Ruleset"

###########################################################################
#INSMOD section, only uncomment if you get errors
# or know that you don't have the following modules
# built into the kernel
###########################################################################
#echo "Loading Modules"
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack


##########################################################################
#Clear out all current chains and restore defaults
##########################################################################
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
#Set Defaults to ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT


############################################################################
#Define User Chains
#There should be no need to edit this section
#Make all changes after this section
############################################################################

#SYN flood protection
$IPTABLES -N SYN-FLOOD
$IPTABLES -A SYN-FLOOD -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
$IPTABLES -A SYN-FLOOD -p tcp --syn -j DROP
$IPTABLES -A SYN-FLOOD -p tcp ! --syn -j ACCEPT

#Ping of Death Protection
$IPTABLES -N POD
$IPTABLES -A POD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A POD -p icmp --icmp-type echo-request -j DROP #Drop echo-requests over the limit; INPUT policy is ACCEPT, so without this line the chain blocks nothing

#Bad Flags section
$IPTABLES -N BF
$IPTABLES -A BF -p tcp --tcp-flags ALL NONE -j DROP #NULL scan
$IPTABLES -A BF -p tcp --tcp-flags ALL ALL -j DROP #XMAS scan
$IPTABLES -A BF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #NMAP
$IPTABLES -A BF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #NMAP
$IPTABLES -A BF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #SYN-RST scan
$IPTABLES -A BF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #SYN-FIN scan

#OS Fingerprinting
$IPTABLES -N OSF
$IPTABLES -A OSF -p tcp --dport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p udp --dport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p tcp --sport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p udp --sport 0 -j DROP #Block port 0
$IPTABLES -A OSF -p icmp --icmp-type address-mask-request -j DROP #Block ICMP-Address-Mask
$IPTABLES -A OSF -p icmp --icmp-type address-mask-reply -j DROP #Block ICMP-Address-Mask

#Various Virii and Backdoors
$IPTABLES -N BD
$IPTABLES -A BD -p tcp --dport 6670 -j DROP #Deepthroat
$IPTABLES -A BD -p tcp --dport 1243 -j DROP #Subseven
$IPTABLES -A BD -p udp --dport 1243 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 27374 -j DROP #Subseven
$IPTABLES -A BD -p udp --dport 27374 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 6711:6713 -j DROP #Subseven
$IPTABLES -A BD -p tcp --dport 12345:12346 -j DROP #Netbus
$IPTABLES -A BD -p tcp --dport 20034 -j DROP #Netbus
$IPTABLES -A BD -p udp --dport 31337:31338 -j DROP #Back Orifice
$IPTABLES -A BD -p udp --dport 28431 -j DROP #Hack-a-Tack-2000

#SMB Traffic (wind0ws file sharing)
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Forwarding support
$IPTABLES -N PASS
$IPTABLES -A PASS -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PASS -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A PASS -j LOG

############################################################################
#Add user chains to system chains
#This section should be edited to your needs.
#Comment or uncomment sections as needed
############################################################################

#Enable NAT Forwarding between EXTIF and INTIF
#Make sure to enable forwarding in the sysctl section below
#$IPTABLES -A FORWARD -j PASS
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#Drop invalid Packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

#SYN Flood Protection
$IPTABLES -A INPUT -j SYN-FLOOD
$IPTABLES -A FORWARD -j SYN-FLOOD

#Block Ping of Death
$IPTABLES -A INPUT -j POD
$IPTABLES -A FORWARD -j POD

#Drop Bad Flags (port scans)
$IPTABLES -A INPUT -j BF
$IPTABLES -A FORWARD -j BF

#Block OS Fingerprinting (Doesn't always work)
$IPTABLES -A INPUT -j OSF
$IPTABLES -A FORWARD -j OSF

#Block Virii and Backdoors
$IPTABLES -A INPUT -j BD
$IPTABLES -A FORWARD -j BD

#Block SMB Traffic (wind0ws file sharing)
#Only blocks the traffic from getting in/out of the LAN
$IPTABLES -A INPUT -j SMB
$IPTABLES -A FORWARD -j SMB

#sys-ctl variables, edit to your needs

#Enable IP Forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward

#Dynamic Addressing (useful for forwarding)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Disable IP Spoofing
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to Pings
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Don't respond to ICMP Broadcast (smurf attacks)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Bad ICMP message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Disable source routed packets. (Keeps people from looking in through the NAT)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#Disable Redirects (Redirects can be used to mess up routing tables, aka spyware)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable log_martians (logs bad traffic)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Enable SYN-Cookies (not necessary in some kernels)
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Continue being friendly
echo "Done"

_________________
KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN!!!!!!!
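The script above drops scans silently and, as its author says, has no logging. As an added example (not Captain_Loser's script and not from this thread), the fragment below emits iptables-restore rules that log each bad-flag scan with a rate limit before dropping it, and accept new SSH connections only from an allow list of source addresses, the lockdown several posters in this thread recommend. SSH_ALLOWED and LOG_RATE are assumed placeholder values (documentation address ranges), to be replaced with your own hosts.

```shell
#!/bin/sh
# Added example (not Captain_Loser's script): emits iptables-restore(8) rules
# that log bad-flag scans (rate-limited, so a scan cannot flood syslog) before
# dropping them, and that only accept NEW SSH connections from an allow list.
# SSH_ALLOWED and LOG_RATE are assumed values; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, replace them with your own hosts.

SSH_ALLOWED="${SSH_ALLOWED:-192.0.2.10 198.51.100.0/24}"
LOG_RATE="${LOG_RATE:-3/minute}"

# scan_rules: the thread's BF chain, with a rate-limited LOG before each DROP
scan_rules() {
    # mask  flags-that-must-be-set  label-for-the-log-prefix
    printf '%s\n' \
        'ALL NONE NULL' \
        'ALL ALL XMAS' \
        'ALL FIN,URG,PSH NMAP-XMAS' \
        'ALL SYN,RST,ACK,FIN,URG NMAP-ALL' \
        'SYN,RST SYN,RST SYN-RST' \
        'SYN,FIN SYN,FIN SYN-FIN' |
    while read -r mask flags label; do
        echo "-A BF -p tcp --tcp-flags $mask $flags -m limit --limit $LOG_RATE -j LOG --log-prefix \"scan $label: \""
        echo "-A BF -p tcp --tcp-flags $mask $flags -j DROP"
    done
}

# ssh_rules: stateful SSH allow list; any other attempt on port 22 is logged and dropped
ssh_rules() {
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in $SSH_ALLOWED; do
        echo "-A INPUT -p tcp -s $src --dport 22 -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport 22 -m limit --limit $LOG_RATE -j LOG --log-prefix \"ssh denied: \""
    echo '-A INPUT -p tcp --dport 22 -j DROP'
}

# ruleset: a complete filter-table fragment for iptables-restore --noflush
ruleset() {
    echo '*filter'
    echo ':BF - [0:0]'
    scan_rules
    echo '-A INPUT -j BF'
    ssh_rules
    echo 'COMMIT'
}

# Print the rules by default; only touch the live firewall with "apply".
if [ "${1:-}" = apply ]; then
    ruleset | iptables-restore --noflush
else
    ruleset
fi
```

Review the printed rules first, then run it as root with the argument apply; the LOG lines land in the kernel log with the "scan ..." and "ssh denied:" prefixes, so a grep for those prefixes shows what was dropped.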

Yoda_Oz (Tux's lil' helper) | Joined: 20 Jul 2004 | Posts: 143 | Location: Southampton, UK
Posted: Tue Aug 17, 2004 8:45 pm

You dudes are really smart. How did you get to know all that stuff? I would not have the first idea of anything you are talking about!
I'm in total awe!
_________________
DELL INSPIRON 5150 (2004)
Intel P4 HT 3.06
512Mb
nVidia GeForce FX Go5200 64Mb
Actiontec 802CAT1 Wireless PCMCIA
Linux Kernel vmlinuz-2.6.10-2-386

Mben (Guru) | Joined: 29 Mar 2004 | Posts: 465 | Location: New York, USA
Posted: Tue Aug 17, 2004 9:21 pm

After reading this thread I took a look at my logs and found that I too had been probed. Is there any way to report this? That part of my log is below:
Code:
Aug  2 18:46:57 localhost sshd[5288]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46390 ssh2
Aug  2 18:46:57 localhost sshd[5290]: User guest not allowed because shell /dev/null is not executable
Aug  2 18:46:58 localhost sshd[5290]: error: Could not get shadow information for NOUSER
Aug  2 18:46:58 localhost sshd[5290]: Failed password for illegal user guest from ::ffff:64.246.32.92 port 46484 ssh2
Aug  2 18:46:58 localhost sshd[5293]: Illegal user admin from ::ffff:64.246.32.92
Aug  2 18:46:59 localhost sshd[5293]: error: Could not get shadow information for NOUSER
Aug  2 18:46:59 localhost sshd[5293]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46553 ssh2
Aug  2 18:46:59 localhost sshd[5295]: Illegal user admin from ::ffff:64.246.32.92
Aug  2 18:47:00 localhost sshd[5295]: error: Could not get shadow information for NOUSER
Aug  2 18:47:00 localhost sshd[5295]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46612 ssh2
Aug  2 18:47:01 localhost sshd[5297]: Illegal user user from ::ffff:64.246.32.92
Aug  2 18:47:01 localhost sshd[5297]: error: Could not get shadow information for NOUSER
Aug  2 18:47:01 localhost sshd[5297]: Failed password for illegal user user from ::ffff:64.246.32.92 port 46692 ssh2
Aug  2 18:47:03 localhost sshd[5299]: Failed password for root from ::ffff:64.246.32.92 port 46769 ssh2
Aug  2 18:47:04 localhost sshd[5301]: Failed password for root from ::ffff:64.246.32.92 port 46842 ssh2
Aug  2 18:47:05 localhost sshd[5303]: Failed password for root from ::ffff:64.246.32.92 port 46929 ssh2
Aug  2 18:47:05 localhost sshd[5305]: Illegal user test from ::ffff:64.246.32.92
Aug  2 18:47:05 localhost sshd[5305]: error: Could not get shadow information for NOUSER
Aug  2 18:47:05 localhost sshd[5305]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46992 ssh2

silentbob (Apprentice) | Joined: 09 Nov 2003 | Posts: 159 | Location: UK
Posted: Tue Aug 17, 2004 9:54 pm

Code:
$ grep -i "failed password" /var/log/messages
Aug  2 23:29:23 <myhost> sshd[2236]: Failed password for illegal user test from 220.69.12.96 port 57967 ssh2
Aug  2 23:29:26 <myhost> sshd[2238]: Failed password for illegal user guest from 220.69.12.96 port 58007 ssh2

Code:
$ grep -i "user guest" /var/log/messages
Aug  2 23:29:26 <myhost> sshd[2238]: User guest not allowed because shell /dev/null is not executable

Me too, until I locked down my iptables config. Now I have restricted the SSH port (22) to only the 2 IP addresses that I will connect from.
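Mben's log and the grep above show the same brute-force pattern: one source address walking through test, guest, admin, user and root. As an added example (not code from Mben, silentbob or anyone else in this thread), the POSIX shell/awk script below does that grep's job automatically, aggregating sshd "Failed password" lines per source address and listing the user names tried. The embedded log lines are constructed to mirror the ones posted above; both the "illegal user NAME" and the plain "for root" forms are handled, and the ::ffff: prefix that IPv4-mapped sockets add is stripped.

```shell
#!/bin/sh
# Added example, not code from Mben or silentbob: aggregate sshd "Failed
# password" lines per source address, as the grep above does by hand.
# Handles both "Failed password for illegal user NAME from IP" and
# "Failed password for NAME from IP", and strips the ::ffff: prefix that
# IPv4-mapped IPv6 sockets put in front of the address in Mben's log.

# Constructed sample lines, modelled on the ones posted in this thread.
SAMPLE_LOG='Aug  2 18:46:57 localhost sshd[5288]: Failed password for illegal user test from ::ffff:64.246.32.92 port 46390 ssh2
Aug  2 18:46:58 localhost sshd[5290]: Failed password for illegal user guest from ::ffff:64.246.32.92 port 46484 ssh2
Aug  2 18:46:59 localhost sshd[5293]: Failed password for illegal user admin from ::ffff:64.246.32.92 port 46553 ssh2
Aug  2 18:47:03 localhost sshd[5299]: Failed password for root from ::ffff:64.246.32.92 port 46769 ssh2
Aug  2 18:47:04 localhost sshd[5301]: Failed password for root from ::ffff:64.246.32.92 port 46842 ssh2
Aug  2 23:29:23 myhost sshd[2236]: Failed password for illegal user test from 220.69.12.96 port 57967 ssh2
Aug  2 23:29:26 myhost sshd[2238]: Failed password for illegal user guest from 220.69.12.96 port 58007 ssh2
Aug  3 09:12:41 myhost sshd[2300]: Accepted publickey for paul from 192.0.2.10 port 50022 ssh2
Aug  3 09:15:02 myhost sshd[2311]: Failed password for paul from 192.0.2.10 port 50031 ssh2'

# ssh_failures: read syslog lines on stdin, print one line per source
# address: "IP attempts users-tried", busiest address first.
ssh_failures() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        # the user name is the token before "from", the address the one after
        for (i = 1; i <= NF; i++) if ($i == "from") break
        if (i >= NF) next
        user = $(i - 1); ip = $(i + 1)
        sub(/^::ffff:/, "", ip)      # IPv4-mapped IPv6 -> plain IPv4
        count[ip]++
        if (!seen[ip, user]++) {
            if (ip in users) users[ip] = users[ip] "," user
            else users[ip] = user
        }
    }
    END { for (ip in count) printf "%s %d %s\n", ip, count[ip], users[ip] }
    ' | sort -k2,2nr -k1,1
}

# flag_bruteforce N: only the addresses with at least N failed passwords
flag_bruteforce() {
    ssh_failures | awk -v n="$1" '$2 >= n { print $1 }'
}

# On a live box: flag_bruteforce 5 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | ssh_failures
```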

revertex (l33t) | Joined: 23 Apr 2003 | Posts: 806
Posted: Tue Aug 17, 2004 10:02 pm

Hi guys!
This thread is really interesting for opening my eyes about security.
Looking in these forums you can find nice tips on how to make your boxes a little safer.

-port knocking hides your ports from regular port scanners, only revealing them when a special port sequence is sent.

-keychain, you need to bring your key with you, not so handy, do not use on untrusted machines. (look at the IBM developerWorks drobbins article)

-skey, the one-way password, just works one time, perfect for logging in from untrusted machines.

-edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.

-if you ssh from work/school that doesn't have a static IP, create a dynamic DNS account (no-ip, dyndns) for your office box and only allow logins from that address, like "myoffice.homeip.net", "me_at_school.homeip.net"

-use a nice root tail to watch what's happening closely

-install something like chkrootkit, integrit, snort, configure once and run forever, no excuses.

silentbob (Apprentice) | Joined: 09 Nov 2003 | Posts: 159 | Location: UK
Posted: Tue Aug 17, 2004 10:54 pm

revertex wrote:
-edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.

Just to clarify for anyone else who reads the filename too quickly, you need to edit the /etc/ssh/sshd_config file as stated (and not /etc/ssh/ssh_config like I have just spent the past few minutes playing with, getting strange ssh client errors!)

[edit: /etc/ssh/sshd_config - d'oh]


Last edited by silentbob on Wed Aug 18, 2004 7:08 am; edited 1 time in total

zerojay (Veteran) | Joined: 09 Aug 2003 | Posts: 1033
Posted: Wed Aug 18, 2004 12:33 am

silentbob wrote:
revertex wrote:
-edit your sshd_config, disallow passwordless logins, root logins, and if possible allow login only for one user or group.

Just to clarify for anyone else who reads the filename too quickly, you need to edit the /etc/sshd_config file as stated (and not /etc/ssh_config like I have just spent the past few minutes playing with, and getting strange ssh, client, errors!)


/etc/ssh/sshd_config

Goodle (n00b) | Joined: 11 Jan 2004 | Posts: 20
Posted: Wed Aug 18, 2004 5:02 am

I think it would be interesting to set up a honeypot for this lame attack. It looks like the people that are trying this have no idea what they are doing... It would be fun to screw around with them. Of course this would take time to set up a honeypot... SELinux Joy!

skyfolly (Apprentice) | Joined: 16 Jul 2003 | Posts: 245 | Location: Dongguan & Hong Kong, PRC
Posted: Wed Aug 18, 2004 5:53 am

would it be more secure without SSH installed?

Damn it, I have to install iptables and chkrootkit tonight right away.
_________________
Gone forever.

Goodle (n00b) | Joined: 11 Jan 2004 | Posts: 20
Posted: Wed Aug 18, 2004 6:14 am

Quote:
would it be more secure without SSH installed?

Damn it, I have to install iptables and chrootkit tonight right away.


There is no security vulnerability here... Only if you are retarded and have a user named test with the password test. Don't go through the trouble, unless...

Jeremy_Z (l33t) | Joined: 05 Apr 2004 | Posts: 671 | Location: Shanghai
Posted: Wed Aug 18, 2004 7:45 am

I may be going to write a port knocking client / server in Perl; if some are interested I will post it.

My main concern is to secure my parents' gentoo routing box. Currently it has all ports stealthed (except some p2p ports) and I want to write something to knock the ssh port from my home.
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals

skyfolly (Apprentice) | Joined: 16 Jul 2003 | Posts: 245 | Location: Dongguan & Hong Kong, PRC
Posted: Wed Aug 18, 2004 7:58 am

shorewall looks good enough for me, quite nice documentation too. I am reading it.
_________________
Gone forever.

Paulten (Apprentice) | Joined: 28 Mar 2003 | Posts: 257 | Location: Sykkylven, Norway
Posted: Wed Aug 18, 2004 8:03 am

I have a small iptables script which I think works very well.

And another sshd_config tip is to "PermitRootLogin no".

And while we are on the subject I recommend using ssh pubkeys.
I use ssh-keygen to generate a key and upload it to the server as I described in this article http://paul.kde.no/modules/articles/article.php?id=5
and btw I got a tip that I should use DSA instead of RSA as I wrote in that article; I'll change it when I get some spare time.
Alternatively, net-misc/keychain is worth looking into.

I also use /etc/hosts.allow to permit ssh access only to the IPs listed.
Create the file /etc/hosts.allow and add :
sshd : localhost : allow
sshd : someip : allow
sshd : workip : allow
sshd : ALL : deny

From debian's hosts.allow :
Code:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.



My iptables script :
Code:

#eth0=lokal
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -N FILTER
/sbin/iptables -N LOKAL
/sbin/iptables -P INPUT DROP
#/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 -j QUEUE
/sbin/iptables -A INPUT -i eth1 -j FILTER
/sbin/iptables -A INPUT ! -i eth1 -j LOKAL
/sbin/iptables -A FILTER -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FILTER -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 25 -j ACCEPT
#/sbin/iptables -A FORWARD -p udp -i eth0 -s 192.168.0.0/24 -j QUEUE
#/sbin/iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 -j QUEUE
#/sbin/iptables -A FORWARD -p tcp -i eth0 -s 192.168.0.0/24 -m string --string X-Kazaa -j QUEUE
/sbin/iptables -A FILTER -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A FILTER -p tcp --dport 113 -j REJECT
#/sbin/iptables -A FILTER -o eth0 -j ACCEPT   # -o cannot be used in a chain reached from INPUT (iptables rejects the rule); disabled
/sbin/iptables -A LOKAL -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to myinetIP
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 21 -j DNAT --to-destination 192.168.0.21
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3306 -j DNAT --to-destination 192.168.0.23

/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP


Paul..
_________________
Homepage : http://paul.kde.no Jabber ID : tenfjord@jabber.org
"Dei levde som dyr. Dei verken røykte eller drakk" -Ukjent

TheUlk (Tux's lil' helper) | Joined: 01 Mar 2004 | Posts: 97
Posted: Wed Aug 18, 2004 10:39 am | Post subject: Deny users, groups and ip's

Hi all,

I've seen a lot of those breakin-attempts but I don't care that much about it.

I allow just one user to ssh from one certain ip.

I hope this is enough to protect my computer from ssh-breakins.

cu tu

Suggestions welcome!
Page 2 of 18