| View previous topic :: View next topic |
| Author |
Message |
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
 Posted: Tue Feb 14, 2006 4:36 pm Post subject: |
 |
|
| RBH wrote: | I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.
I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?
I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take. |
It depends, my box *IS* the router, therefore having a NetGear router in front of it is mundane and rickety.
Besides, I trust the security of a Gentoo box that I manage 10 fold over a homegrade NetGear router.
Yes, it's added security in the physical sense. But it's one more thing to break, one more thing to manage, and one more thing to go wrong. If your Gentoo box takes care of it, along with the added bonus of being able to log it, why put in a router at all?
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
 |
assaf
Apprentice
Joined: 14 Feb 2005
Posts: 152
Location: http://localhost
|
| Posted: Tue Feb 14, 2006 5:19 pm Post subject: |
|
|
| RBH wrote: | I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.
I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?
I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take. |
If your router does not allow ssh then what's the point? You may as well not run sshd at all, or if you want to access it only from the LAN you could add a simple iptables rule. |
|
| Back to top |
|
|
linuxgeekery
n00b
Joined: 07 Jun 2005
Posts: 27
|
| Posted: Sat Feb 25, 2006 3:53 am Post subject: Script update |
|
|
Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof.
_________________
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination |
|
| Back to top |
|
|
MrUlterior
Guru
Joined: 22 Mar 2005
Posts: 511
Location: Switzerland
|
| Posted: Mon Feb 27, 2006 10:07 am Post subject: Re: Script update |
|
|
| linuxgeekery wrote: | | Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof. |
Which makes the assumption that I can't make sufficient connections to your machine in under a minute to bring it down ... worse still it means I could use YOU to make a DoS attack, all I have to do is poison your ARP cache to make you think that my IP is infact the desired target, and suddenly you're sending the contents of /dev/random to a complete inoccent. The puzzled expression on your face when your ISP annuls your contract & requests your presence in court will be priceless.
Getting the picture? Counter-measures you don't understand are more dangerous to you than the undesirables you're trying to dissuade from bothering you.
_________________
Misanthropy 2.0 - enough hate to go around
|
|
| Back to top |
|
|
MrUlterior
Guru
Joined: 22 Mar 2005
Posts: 511
Location: Switzerland
|
| Posted: Mon Feb 27, 2006 10:11 am Post subject: Re: Script update |
|
|
| linuxgeekery wrote: | | Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof. |
Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research.
_________________
Misanthropy 2.0 - enough hate to go around
|
|
| Back to top |
|
|
erikstotle
n00b
Joined: 07 Mar 2006
Posts: 5
Location: Holland, MI
|
| Posted: Tue Mar 07, 2006 2:28 am Post subject: |
|
|
I have a hardware router and I still get those ssh attacks. They get incessently annoying. I suggesst that you install iptables and then use dynfw (it's not in portage, you can get it from http://www.gentoo.org/doc/en/articles/files/dynfw-1.0.1.tar.bz2). Once you have that installed, you can block ips and limit the number of new connections per minute/hour/day on a port on the fly. For example, since I only use ssh for remote administration, I limit the number of new connections per minute on port 22 to 1. This does get annoying if you login incorrectly because you have to wait a minute before trying again, but it does make the ssh cracking scripts give up quite quickly. And even if it doesn't give up, only about 1/60th of it's login attempts get through.
For further reading go to this rather humerous article:
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Tue Mar 07, 2006 3:29 pm Post subject: |
|
|
~~snip~~
I really like the ipdrop script, I'm going to start a thread in the programming forum to see if I can get it to run a bit better.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
minskpower
Tux's lil' helper
Joined: 16 Jun 2005
Posts: 94
Location: /dev/null
|
| Posted: Tue Mar 14, 2006 2:19 am Post subject: |
|
|
| To everybody complaining about ssh flooding - why don't you change the port to something else, you won't be bothered by those worms, they don't generally scan the upper ports, even if they do I doubt they can recognise it's running ssh (at this time). This solution applies if you are not limited by a third party firewall. |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Tue Mar 14, 2006 4:27 pm Post subject: |
|
|
The IPdrop script stops the attacks in their tracks. I only wish there was a script that ran in the background to detect such attacks and add the IP to the droplist automatically.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
dpetka2001
l33t
Joined: 04 Mar 2005
Posts: 804
|
| Posted: Sat Mar 18, 2006 8:01 pm Post subject: |
|
|
| hello just got back home and observed a strange in my computer...some files and directories were deleted and i found them in the Trash Can...the thing is that they were in different spots in my Desktop and is very unlikely that someone might accedentaly deleted them without having selected all of them on his own...i think i might have been hacked but am not really sure about it...how could i verify if i was hacked or not?? could you please show me the way to do this because i don't really know how to do it?? thanks in advance... |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Sat Mar 18, 2006 9:29 pm Post subject: |
|
|
Heh.... typically when your hacked, they don't move your icons or move stuff to your trash bin.
Try going to a more secure password and locking your bedroom door.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
dpetka2001
l33t
Joined: 04 Mar 2005
Posts: 804
|
| Posted: Sun Mar 19, 2006 12:05 pm Post subject: |
|
|
| well i don't think that anyone from my family would do such a thing...the don't know much of computers...anyway...is there something that i could check in order to find out if there was any attempt?? |
|
| Back to top |
|
|
jamapii
l33t
Joined: 16 Sep 2004
Posts: 637
|
| Posted: Sun Mar 19, 2006 3:26 pm Post subject: |
|
|
Sorry, I was waiting for this to unload my thoughts...
| erikstotle wrote: | | They get incessently annoying. |
Filter them in syslog 
Seriously, I repeat I think this issue is overrated. Trying 1 to 3 possible passwords on 100 accounts is no threat to security unless you have users with passwords such as "12345", "hello" or username_spelled_backwards.
It would be a threat if there was a security hole in ssh. There will be a threat when there is a known security hole in ssh. To reduce the likelihood of a successful attack, I would recommend a nonstandard port, possibly disabling password logins, possibly portknocking. About any ratelimiting solutions with iptables, be careful, you might lock yourself out. The IP droplist might be good, too, for any attack, but also makes a DOS attack possible (with IP spoofing).
And start worrying about real security problems. Especially if you think WEP provides any security (it doesn't). |
|
| Back to top |
|
|
jamapii
l33t
Joined: 16 Sep 2004
Posts: 637
|
| Posted: Sun Mar 19, 2006 3:31 pm Post subject: |
|
|
| dpetka2001 wrote: | | hello just got back home and observed a strange in my computer...some files and directories were deleted and i found them in the Trash Can...the thing is that they were in different spots in my Desktop |
looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock
There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access. |
|
| Back to top |
|
|
linuxgeekery
n00b
Joined: 07 Jun 2005
Posts: 27
|
| Posted: Sun Mar 19, 2006 6:57 pm Post subject: Re: Script update |
|
|
| MrUlterior wrote: | | linuxgeekery wrote: | | Update on that script that I talked about a few pages before. Thanks for people pointing out the flaws. I added to the script a section that runs another script. That script runs a "ps aux" every minute, with some sed and grep action. If there are more than 30 instances of the honeypot, it kills off all of the honeypots using kill -9 and pidof. |
Or if you want to do this properly, see connection tarpitting. This is a method used often in anti-spam, which subtly alters the TCP response to an identified attacker effectively trapping them .. I'll leave you to do your research. |
This proves once again that I am very incompetent with creating honeypots and things of that sort. Thanks for the information. I read up on connection tarpitting. Seems interesting...
_________________
Workstation: Athlon 64 4000+X2 | 160GBx2 HD | 1.5GB RAM
(\ /)
(O.o)
(> <)
This is Bunny. Copy Bunny into your signature to help him on his way to world domination |
|
| Back to top |
|
|
dpetka2001
l33t
Joined: 04 Mar 2005
Posts: 804
|
| Posted: Sun Mar 19, 2006 9:15 pm Post subject: |
|
|
| jamapii wrote: | looks more like some kind of "practical joke", nothing serious, but it might mean that you have a security hole. Maybe a weak password, maybe vnc or X server access to the world, maybe you left the computer for 5 minutes without xlock
There is a feature in Gnome, maybe called desktop sharing or something, which really is vnc access. |
well a friend of mine checked on my system with Nessus and told me that it found only 2 services running...a pop server (freepops) and a web server (amuleweb)...i don't have any services running except from the above mentioned...i don't think i have a weak password as it is 9 characters long including numbers...there's no vnc running...i run KDE and am not aware of any such feature nor do i know if it's activitated by default...how can i activate xlock if there is such thing in KDE?? thanks... |
|
| Back to top |
|
|
mpicklesimer
n00b
Joined: 22 Mar 2006
Posts: 59
Location: Boston, MA
|
| Posted: Wed Mar 22, 2006 5:50 pm Post subject: Stupid question |
|
|
| I have an OpenBSD box running 'pf' for the firewall on my home network. I'm wondering if it would be worth the time to block all traffic coming from those ips? What would you suggest (if different) if I were talking about a business site? Not that much of this matters, cuz I'm using strong keys instead of passwords, but I'm just curious. |
|
| Back to top |
|
|
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196
|
| Posted: Thu Mar 23, 2006 5:50 pm Post subject: |
|
|
I'm putting a honeypot on my server with the username/password test.
It basically logs the date and time the script is executed, then cats /dev/random to them until the bot forces the machine's RAM to spill over to SWAP and eventually DoS. Aside from wasting bandwidth that I have plenty to spare of, it should also help alert the server-admin to trouble.
And to cover my buttocks, there is a message in my sshd.motd that says unauthorized access is prohibited.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim |
|
| Back to top |
|
|
|
Networking & Security
