I haven't been reading this thread so forgive me if someone mentioned this, but I used to use a port knock daemon. It's not bullet proof in and of itself but I think could be valuable as part of a greater scheme.<br>
<br><br>--Dennis<br><br><br><br><div class="gmail_quote">On Mon, Sep 19, 2011 at 2:47 PM, David Hillman <span dir="ltr"><<a href="mailto:hillmands@gmail.com">hillmands@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I agree running SSH on a different port isn't very good security. Every<br>
access that comes in from the Internet is done via public key on our<br>
end. Passwords aren't even allowed on the LAN. Then again, if someone<br>
is on the LAN, security from the Internet is the least of the concerns.<br>
I think there was someone working on using a machine ID system to<br>
identify and track machines on the local network that don't belong there.<br>
<br>
On 9/12/11 5:40 PM, Bob Toxen wrote:<br>
> Usually the hackers will try up to 1000 passwords on common accounts. I<br>
> know someone who had a root password of "password" and one who had<br>
> "root1234" (without quotes) on Internet-connected *nix systems. I got<br>
> one to change in time; the other got hacked.<br>
><br>
> Unless you monitor for unsuccessful attacks you don't know how hard they<br>
> are trying and how close they are getting.<br>
><br>
> It's my experience that even many of the best System Administrators do<br>
> not know what makes a hard-to-break password without education. I had<br>
> the pleasure to provide that to ALE last month and it's in the book.<br>
> Aaron should have that talk's video available some time this month for<br>
> free viewing by ALE members.<br>
><br>
><br>
> I highly recommend PortSentry for locking out port scanners.<br>
><br>
> Moving ssh to a different port will NOT stop a hacker who knows what she<br>
> is doing. Allowing log in only via a ssh public key or only from a<br>
> short list of IPs with a very strong password will stop anyone (unless<br>
> that private key or allowed IP's system is hacked).<br>
><br>
> Disabling root ssh and requiring one first to ssh in through another<br>
> account and su'ing or sudo'ing to root is not as effective as the above<br>
> solutions and may diminish security, in my opinion.<br>
><br>
> Bob Toxen<br>
> <a href="mailto:bob@verysecurelinux.com">bob@verysecurelinux.com</a> [Please use for email to me]<br>
> <a href="http://www.verysecurelinux.com" target="_blank">http://www.verysecurelinux.com</a> [Network & Linux security consulting]<br>
> <a href="http://www.realworldlinuxsecurity.com" target="_blank">http://www.realworldlinuxsecurity.com</a> [My book:"Real World Linux Security 2/e"]<br>
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.<br>
> Quality spam and virus filters.<br>
><br>
> "One disk to rule them all, One disk to find them. One disk to bring<br>
> them all and in the darkness grind them. In the Land of Redmond where<br>
> the shadows lie...and the Eye is everwatching"<br>
> -- The Silicon Valley Tarot Henrique Holschuh with ... Bob<br>
><br>
> On Mon, Sep 12, 2011 at 03:07:26PM -0400, Rich Faulkner wrote:<br>
>> My experience with these was that attackers were looking for an easy<br>
>> entry. I mean EASY. And some of the companies I was working on were<br>
>> more than easy prey...and I'm not even sure they're still in business as<br>
>> I told them over and over again to not follow these practices. But they<br>
>> did anyway....and for all I know they're goners now.<br>
>> One in particular (a former employer) has never changed their passwords.<br>
>> None that I am aware of...and that's with the coming and going of many<br>
>> an employee from engineering. This includes FTP sites for content, VPNs<br>
>> and the main database servers. This is not a major issue and a glaring<br>
>> hole in security? But then again, I don't work there anymore and will<br>
>> not attempt to gain access to their systems just to see if they have<br>
>> changed the passwords.<br>
>> I DID just buy BOB TOXIN's book and got it in the mail over the weekend.<br>
>> Yeah, you Bob! Will be looking for you at an ALE Meeting soon to sign<br>
>> it for me! (Also need the CD - BTW...it was a used book and had the<br>
>> disk missing). But more to the original point...I would rather HACK MY<br>
>> OWN NETWORK than hack someone else's and that's exactly what I'm about<br>
>> to start doing. Thanks to the inspiration of the last ALE Meeting and<br>
>> topics like this thread....<br>
>> Bowing to Linux greatness in my midst....<br>
><br>
>> On Mon, 2011-09-12 at 13:38 -0400, Michael H. Warfield wrote:<br>
>>> On Mon, 2011-09-12 at 13:19 -0400, Erik Mathis wrote:<br>
>>>> I have to disagree with you on this, as you are only concerned about<br>
>>>> ssh. Since the remote box is most likely owned, ssh brute force<br>
>>>> attacks are likely only going to be the first wave of hate coming from<br>
>>>> that IP. It's best to me to just take a scorched earth approach in<br>
>>>> these situations. Every three months or so, you can remove the ACL<br>
>>>> (however you end up blocking) and see if the hate comes back. Auto<br>
>>>> add rules should take care of the rest. In other words, it's best to be<br>
>>>> prudent and proactive now, than later when your stuff is hacked and<br>
>>>> you're only left with reactive options.<br>
>>> Ok... You guys apparently don't know what Abacus Port Sentry does.<br>
>>> That's what it does. If it detects a port scan above a certain<br>
>>> threshold, it blocks it out. I knew the author. I haven't played with<br>
>>> it in years but it is very effective and is the archetype for some<br>
>>> similar modern projects. Unless he's talking about another "Port<br>
>>> Sentry", he's already doing what he can and denyhost and fail2ban have<br>
>>> nothing to offer over port sentry.<br>
>>><br>
>>> Also, as the runner of a honeynet for well over a decade, I can tell you<br>
>>> this - your argument just does not hold water. I have never seen a<br>
>>> follow up attack from correlated IP addresses on other services<br>
>>> following unsuccessful ssh attempts. If they can't connect to ssh, I<br>
>>> never hear from them on anything else. I have capture data going back<br>
>>> to 1998 on my darknet. No correlation. Even if they connect to one of<br>
>>> my honeypots (another band of addresses) they still never come back and<br>
>>> attack on another service. It's not happening. It's a nice argument<br>
>>> but you're just scaring away ghosts in New York City (old OLD joke).<br>
>>> The ssh scanning that's taking place is a joke. I seriously thought<br>
>>> they would have at least TRIED the stupid Debian bad ssh keys and my<br>
>>> honeypots were set up to deliberately trap and log on that if any ever<br>
>>> showed up. Nada! All I get are stoopid attempts at passwords like:<br>
>>><br>
>>> password<br>
>>> passwd<br>
>>> toor<br>
>>> qwert<br>
>>> trewq<br>
>>> poiuy<br>
>>> yuiop<br>
>>> 12345<br>
>>> 09876<br>
>>><br>
>>> Seriously!<br>
>>><br>
>>> And they've never come back a knocking. Even on very legitimate looking<br>
>>> honeypot systems with open services and everything.<br>
>>><br>
>>>> -Erik-<br>
>>> Regards,<br>
>>> Mike<br>
>>><br>
>>>> On Mon, Sep 12, 2011 at 12:36 PM, Michael H. Warfield<<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>
>>>>> On Mon, 2011-09-12 at 11:59 -0400, Erik Mathis wrote:<br>
>>>>>> Use denyhosts. Simple and really easy to use.<br>
>>>>>> On Mon, Sep 12, 2011 at 11:05 AM, David Hillman<<a href="mailto:hillmands@gmail.com">hillmands@gmail.com</a>> wrote:<br>
>>>>>>> According to the PortSentry logs for my server, I have received thousands of<br>
>>>>>>> connection attempts via SSH port 22. Of course, that is not the port the<br>
>>>>>>> real SSH service is listening on. Logins were also disabled for root.<br>
>>>>>>> What's interesting is the IP addresses all belong to Serverloft<br>
>>>>>>> (<a href="http://www.serverloft.eu" target="_blank">www.serverloft.eu</a>); most attempts came from 188.138.32.16<br>
>>>>>>> (<a href="http://loft4385.serverloft.eu" target="_blank">loft4385.serverloft.eu</a>). I am guessing someone with a few VPS boxes has<br>
>>>>>>> nothing better to do than use up network bandwidth to terrorize the rest of<br>
>>>>>>> us. Or, maybe those boxes have been compromised.<br>
>>>>>>> I have e-mailed the folks over at Serverloft, but I don't expect<br>
>>>>>>> anything of it. Is there anything else I can do?<br>
>>>>> Hold the phone here!<br>
>>>>><br>
>>>>> You guys are trying to over engineer this. Read what the OP wrote.<br>
>>>>><br>
>>>>> He's got ssh running on a different port already. fail2ban and<br>
>>>>> denyhosts will do nothing that port sentry (and I'm assuming that's the<br>
>>>>> old Abacus Port Sentry) and simple firewall rules won't do. All he's<br>
>>>>> seeing is connection ATTEMPTS. There's nothing there to connect to so<br>
>>>>> all he's seeing is Port Sentry logging noise. You've got it blocked<br>
>>>>> already and the service isn't running there anyways. You don't want the<br>
>>>>> noise, stop logging it. That's all. You can't stop the attempts. But<br>
>>>>> the attempts don't result in any connections. Nothing more to do. Move<br>
>>>>> on.<br>
>>>>><br>
>>>>> Mike<br>
>>>>> --<br>
>>>>> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com<br>
>>>>> /\/\|=mhw=|\/\/ | (678) 463-0932 | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
>>>>> NIC whois: MHW9 | An optimist believes we live in the best of all<br>
>>>>> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<div><div></div><div class="h5">> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</div></div></blockquote></div><br>
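Bob's point that you only know how hard they are trying if you monitor unsuccessful attempts, and the threshold-based blocking that PortSentry, denyhosts and fail2ban do, come down to one piece of logic: count failures per source address inside a time window and flag the address once it crosses a threshold. The script below is an added example written for this page, not code from any participant in the thread or from those projects. It parses sshd syslog lines (the sample log, the addresses in it, the log year and the threshold and window values are all constructed assumptions) and reports which sources crossed the threshold and when. Successful logins, including public-key ones, are never counted, and a slow scanner that spreads failures out beyond the window is deliberately not flagged, which is the trade-off you tune with the window size.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd/syslog sample for this example (not a capture from anyone
# in the thread); the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 12 10:00:01 host sshd[2011]: Failed password for root from 198.51.100.5 port 51234 ssh2
Sep 12 10:00:03 host sshd[2012]: Failed password for invalid user admin from 198.51.100.5 port 51235 ssh2
Sep 12 10:00:05 host sshd[2013]: Failed password for root from 198.51.100.5 port 51236 ssh2
Sep 12 10:00:07 host sshd[2014]: Failed password for root from 198.51.100.5 port 51237 ssh2
Sep 12 10:00:09 host sshd[2015]: Failed password for invalid user test from 198.51.100.5 port 51238 ssh2
Sep 12 10:05:00 host sshd[2016]: Accepted publickey for dave from 192.0.2.10 port 40001 ssh2
Sep 12 10:06:00 host sshd[2017]: Failed password for dave from 192.0.2.10 port 40002 ssh2
Sep 12 10:06:30 host sshd[2018]: Accepted password for dave from 192.0.2.10 port 40003 ssh2
Sep 12 11:00:00 host sshd[2019]: Failed password for root from 203.0.113.7 port 33000 ssh2
Sep 12 11:30:00 host sshd[2020]: Failed password for root from 203.0.113.7 port 33001 ssh2
Sep 12 12:00:00 host sshd[2021]: Failed password for root from 203.0.113.7 port 33002 ssh2
Sep 12 12:30:00 host sshd[2022]: Failed password for root from 203.0.113.7 port 33003 ssh2
Sep 12 13:00:00 host sshd[2023]: Failed password for root from 203.0.113.7 port 33004 ssh2
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip> port <n>"
# and "Accepted <method> for <user> from <ip> port <n>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2011  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return a dict for an sshd auth-result line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def parse_auth_log(text):
    """Parse every recognised auth-result line, in file order."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_offenders(text, threshold=5, window_seconds=600):
    """Map each source IP that reached `threshold` failed logins within any
    `window_seconds`-long window to the timestamp at which it did so.

    Only "Failed" lines count; successful password or public-key logins
    never contribute. Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    offenders = {}
    for ev in parse_auth_log(text):
        if ev["result"] != "Failed" or ev["ip"] in offenders:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        # Drop failures older than the window before judging this one.
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenders[ev["ip"]] = ev["time"].strftime("%Y-%m-%d %H:%M:%S")
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

Run against the sample, the burst from 198.51.100.5 is flagged at its fifth failure; the legitimate user with one typo followed by a successful login is not; and 203.0.113.7, which spaces five failures thirty minutes apart, is only flagged if the window is widened to a few hours. Feeding it `/var/log/auth.log` (or `journalctl -u sshd` output in the same format) instead of the constructed sample is the only change needed to use it for monitoring; what to do with the flagged addresses (a firewall rule, or simply a report) is left out on purpose.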