[ale] SSH attempts

Dennis Ruzeski denniruz at gmail.com
Mon Sep 19 15:00:24 EDT 2011 

I haven't been reading this thread so forgive me if someone mentioned this,
but I used to use a port knock daemon. It's not bullet proof in and of
itself but I think could be valuable as part of a greater scheme.


--Dennis



On Mon, Sep 19, 2011 at 2:47 PM, David Hillman <hillmands at gmail.com> wrote:

> I agree running SSH on a different port isn't very good security.  Every
> access that comes in from the Internet is done via public key on our
> end.  Passwords aren't even allowed on the LAN.  Then again, if someone
> is on the LAN, security from the Internet is the least of the concerns.
> I think there was someone working on using a machine ID system to
> identify and track machines on the local network that don't belong there.
>
> On 9/12/11 5:40 PM, Bob Toxen wrote:
> > Usually the hackers will try up to 1000 passwords on common accounts.  I
> > know someone who had a root password of "password" and one who had
> > "root1234" (without quotes) on Internet-connected *nix systems.  I got
> > one to change in time; the other got hacked.
> >
> > Unless you monitor for unsuccessful attacks you don't know how hard they
> > are trying and how close they are getting.
> >
> > It's my experience that even many of the best System Administrators do
> > not know what makes a hard-to-break password without education.  I had
> > the pleasure to provide that to ALE last month and it's in the book.
> > Aaron should have that talk's video available some time this month for
> > free viewing by ALE members.
> >
> >
> > I highly recommend PortSentry for locking out port scanners.
> >
> > Moving ssh to a different port will NOT stop a hacker who knows what she
> > is doing.  Allowing log in only via a ssh public key or only from a
> > short list of IPs with a very strong password will stop anyone (unless
> > that private key or allowed IP's system is hacked).
> >
> > Disabling root ssh and requiring one first to ssh in through another
> > account and su'ing or sudo'ing to root is not as effective as the above
> > solutions and may diminish security, in my opinion.
> >
> > Bob Toxen
> > bob at verysecurelinux.com               [Please use for email to me]
> > http://www.verysecurelinux.com        [Network&Linux security
> consulting]
> > http://www.realworldlinuxsecurity.com [My book:"Real World Linux
> Security 2/e"]
> > Quality Linux&  UNIX security and SysAdmin&  software consulting since
> 1990.
> > Quality spam and virus filters.
> >
> > "One disk to rule them all, One disk to find them. One disk to bring
> > them all and in the darkness grind them. In the Land of Redmond where
> > the shadows lie...and the Eye is everwatching"
> > -- The Silicon Valley Tarot Henrique Holschuh with ... Bob
> >
> > On Mon, Sep 12, 2011 at 03:07:26PM -0400, Rich Faulkner wrote:
> >> My experience with these was that attackers were looking for an easy
> >> entry.  I mean EASY.  And some of the companies I was working on were
> >> more than easy prey...and I'm not even sure they're still in business as
> >> I told them over and over again to not follow these practices.  But they
> >> did anyway....and for all I know they're gonners now.
> >> One in particular (a former employer) has never changed their passwords.
> >> None that I am aware of...and that's with the coming and going of many
> >> an employee from engineering.  This includes FTP sites for content, VPNs
> >> and the main database servers.  This not a major issue and a glaring
> >> hole in security?  But then again, I don't work there anymore and will
> >> not attempt to gain access to their systems just to see if they have
> >> changed the passwords.
> >> I DID just buy BOB TOXIN's book and got it in the mail over the weekend.
> >> Yeah, you Bob!  Will be looking for you at an ALE Meeting soon to sign
> >> it for me!  (Also need the CD - BTW...it was a used book and had the
> >> disk missing).  But more to the original point...I would rather HACK MY
> >> OWN NETWORK than hack someone else's and that's exactly what I'm about
> >> to start doing.  Thanks to the inspiration of the last ALE Meeting and
> >> topics like this thread....
> >> Bowing to Linux greatness in my midst....
> >
> >> On Mon, 2011-09-12 at 13:38 -0400, Michael H. Warfield wrote:
> >>> On Mon, 2011-09-12 at 13:19 -0400, Erik Mathis wrote:
> >>>> I have to disagree with you on this, as you are only concerned about
> >>>> ssh. Since the remote box is most likely owned, ssh brute force
> >>>> attacks is likely only going to be the first wave of hate coming from
> >>>> that IP. Its best to me to just take a scorched earth approached in
> >>>> these situations. Every three months or so, you can remove the ACL
> >>>> (how ever you end up blocking) and see if it the hate comes back. Auto
> >>>> add rules should take care of the rest. In other words, its best to be
> >>>> prudent and proactive now, then later when your stuff is hacked and
> >>>> your only left with reactive options.
> >>> Ok...  You guys apparently don't know what Abacus Port Sentry does.
> >>> That's what it does.  If it detects a port scan above a certain
> >>> threshold, it blocks it out.  I knew the author.  I haven't played with
> >>> it in years but it is very effective and is the archetype for some
> >>> similar modern projects.  Unless he's talking about another "Port
> >>> Sentry", he's already doing what he can and denyhost and fail2ban have
> >>> nothing to over over port sentry.
> >>>
> >>> Also, as the runner of a honeynet for well over a decade, I can tell
> you
> >>> this - your argument just does not hold water.  I have never seen a
> >>> follow up attack from correlated IP addresses on other services
> >>> following unsuccessful ssh attempts.  If they can't connect to ssh, I
> >>> never hear from them on anything else.  I have capture data going back
> >>> to 1998 on my darknet.  No correlation.  Even if they connect to one of
> >>> my honeypots (another band of addresses) they still never come back and
> >>> attack on another service.  It's not happening.  It's a nice argument
> >>> but you're just scaring away ghosts in New York City (old OLD joke).
> >>> The ssh scanning that's taking place is a joke.  I seriously thought
> >>> they would have at least TRIED the stupid Debian bad ssh keys and my
> >>> honeypots were set up to deliberately trap and log on that if any ever
> >>> showed up.  Nada!  All I get are stoopid attempts at passwords like:
> >>>
> >>> password
> >>> passwd
> >>> toor
> >>> qwert
> >>> trewq
> >>> poiuy
> >>> yuiop
> >>> 12345
> >>> 09876
> >>>
> >>> Seriously!
> >>>
> >>> And they've never come back a knocking.  Even on very legitimate
> looking
> >>> honeypot systems with open services and everything.
> >>>
> >>>> -Erik-
> >>> Regards,
> >>> Mike
> >>>
> >>>> On Mon, Sep 12, 2011 at 12:36 PM, Michael H. Warfield<
> mhw at wittsend.com>  wrote:
> >>>>> On Mon, 2011-09-12 at 11:59 -0400, Erik Mathis wrote:
> >>>>>> Use denyhosts. Simple and really easy to use.
> >>>>>> On Mon, Sep 12, 2011 at 11:05 AM, David Hillman<hillmands at gmail.com>
>  wrote:
> >>>>>>> According to the PortSentry logs for my server, I have received
> thousands of
> >>>>>>> connection attempts via SSH port 22.  Of course, that is not the
> port the
> >>>>>>> real SSH service is listening on. Logins were also disabled for
> root.
> >>>>>>> What's interesting is the IP addresses all belong to Serverloft
> >>>>>>> (www.serverloft.eu); most attempts came from 188.138.32.16
> >>>>>>> (loft4385.serverloft.eu).  I am guessing someone with a few VPS
> boxes has
> >>>>>>> nothing better to do than use up network bandwidth to terrorize the
> rest of
> >>>>>>> us.  Or, maybe those boxes have been compromised.
> >>>>>>> I have e-mailed the folks over over at Serverloft, but I don't
> expect
> >>>>>>> anything of it.  Is there anything else I can do?
> >>>>> Hold the phone here!
> >>>>>
> >>>>> You guys are trying to over engineer this.  Read what the OP wrote.
> >>>>>
> >>>>> He's got ssh running on a different port already.  fail2ban and
> >>>>> denyhosts will do nothing that port sentry (and I'm assuming that's
> the
> >>>>> old Abacus Port Sentry) and simple firewall rules won't do.  All he's
> >>>>> seeing is connection ATTEMPTS.  There's nothing there to connect to
> so
> >>>>> all he's seeing is Port Sentry logging noise.  You've got it blocked
> >>>>> already and the service isn't running there anyways.  You don't want
> the
> >>>>> noise, stop logging it.  That's all.  You can't stop the attempts.
>  But
> >>>>> the attempts don't result in any connections.  Nothing more to do.
>  Move
> >>>>> on.
> >>>>>
> >>>>> Mike
> >>>>> --
> >>>>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >>>>>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
> >>>>>    NIC whois: MHW9          | An optimist believes we live in the
> best of all
> >>>>>   PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure
> of it!
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20110919/90770695/attachment-0001.html

More information about the Ale mailing list