<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry about that.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You don’t have to wait for your network/architecture team though. Even if it is open via your network firewall device(s) you can still control it via iptables
at host level and only open the ports in each specific host’s iptables that you expect to be used on that host. That is having external access to all ports on all hosts is a bad thing but you can mitigate it by insuring at least that your hosts are only
allowing the traffic you want.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Ideally any device exposed to INBOUND traffic from the internet should be DMZed so that there is a firewall device between it and the internet and another firewall
device between it and your internal network. Most servers only need OUTBOUND traffic to the internet. In the internal firewall device most of the traffic should be one way – from your internal servers to the DMZ host and not vice-versa though for a few
things you might actually need SOME inbound flow it is should be for very specific things and would be a lot less than you’d allow out to the DMZ host. The great thing about iptables is you can get even more granular at host level about what you allow into
it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>Edward Holcroft<br>
<b>Sent:</b> Tuesday, February 18, 2014 9:14 AM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] ssh brute-force<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Shit Jeff, you have just pointed out a design flaw in our entire AWS setup that I was unaware of! We use a single security policy for all our servers, and every time we need another port open, it gets added to the global policy. We should
be creating a policy for each individual server. After you comment, I went in there and took a look and yes, we have sql ports rdp ports ssh ports ftp ports http/s ports .... everything in the single policy. At this rate eventually everything will be world
open on all servers!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks for asking the question. I'm going to get our architecture guys on this right away.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">cheers<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">ed<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Feb 18, 2014 at 8:48 AM, Lightner, Jeff <<a href="mailto:JLightner@water.com" target="_blank">JLightner@water.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Given that 443 is the standard https port I’d think you’d still have an issue with lots of hits on
this port although they’ll be trying to break the wrong thing by default. Also since both ssh and https are based on ssl it is just possible someone smart enough to actually smart enough to hack one would be smart enough to hack the other. 443 is below
1000 so is in the space commonly reserved for root level processes. As a final note if you ever did put up a secure web service on this machine the port would conflict (unless you chose a different one for your web service).</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The question is why do you have 443 or other ports “open to the world” if they’re not actually in
use on the host? Much better to turn off 443 and turn on something random above 1000.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>]
<b>On Behalf Of </b>Edward Holcroft<br>
<b>Sent:</b> Tuesday, February 18, 2014 8:35 AM</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] ssh brute-force<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks everyone for the useful links and comments. I decided to go with port 443 since that was already open to the world, meaning I did not need to open an additional port.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I was happy to note that enabling password logins did not stop my ssl-based logins from working on the same server. I was worried it might be an either/or scenario. Unfortunately,
for the service I'm setting up I had to provide a password-based login. I set up a restricted user for this purpose.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Will monitor things and see what kind of hits I get on that server. Hopefully the problem goes away or is significantly reduced by this. If I still see lots of hits then I guess
I'll just have to go back to denyhosts which seems to do a great job of nailing things down. Of course, I'd rather not have the hits at all.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">cheers<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">ed<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Mon, Feb 17, 2014 at 9:37 AM, JD <<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Securing ssh:<br>
<a href="http://blog.jdpfu.com/2011/08/23/securing-ssh-connections-and-blocking-failures" target="_blank">http://blog.jdpfu.com/2011/08/23/securing-ssh-connections-and-blocking-failures</a><br>
<br>
The short version is:<br>
* only allow key-based logins, never passwords<br>
* use denyhosts or fail2ban<br>
* change to a non-default port (any will do) - use port translation at the<br>
router to make life easier, NOT on the server itself.<br>
* do not allow direct root logins over ssh, even on the LAN.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
On 02/17/2014 08:51 AM, Lightner, Jeff wrote:<br>
> The reason why changing the port drops hits to near zero even if someone is doing a port scan is that the port scan doesn't tell them the port is ssh - just that it is open. Of course doing a telnet to an open port might reveal that..<br>
><br>
> The fail2ban idea is a good one. So is using the high number but you CAN do nmap for high numbers - most people just don't. Security is all about hardening so the bad guys move on to easier targets. Nothing is really going to stop the determined folks
specifically targeting you but it will keep out most of the hit and run types and script kiddies.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>
11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>
O <a href="tel:%28770%29%20446-9606" target="_blank">(770) 446-9606</a> | M <a href="tel:%28770%29%20630-0949" target="_blank">
(770) 630-0949</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc. WARNING/CONFIDENTIALITY NOTICE: This message may be confidential and/or privileged. If you are not the intended recipient,
please notify the sender immediately then delete it - you should not copy or use it for any purpose or disclose its content to any other person. Internet communications are not secure. You should scan this message and any attachments for viruses. Any unauthorized
use or interception of this e-mail is illegal.</span><o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:fuchsia">Athena</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:fuchsia">®</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:fuchsia">,
Created for the Cause</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:fuchsia">™
</span><o:p></o:p></p>
<div>
<p><span style="font-family:"Arial","sans-serif"">Making a Difference in the Fight Against Breast Cancer</span><o:p></o:p></p>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
</div>
<p><strong><span style="font-family:"Arial","sans-serif"">How and Why I Should Support Bottled Water!</span></strong><b><span style="font-family:"Arial","sans-serif""><br>
</span></b><span style="font-family:"Arial","sans-serif"">Do not relinquish your right to choose bottled water as a healthy alternative to beverages that contain sugar, calories, etc. Your support of bottled water will make a difference! Your signatures count!
Go to <a href="http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters" target="_blank">
http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters</a> and sign a petition to support your right to always choose bottled water. Help fight federal and state issues, such as bottle deposits (or taxes) and organizations that want to ban the
sale of bottled water. Support community curbside recycling programs. Support bottled water as a healthy way to maintain proper hydration. Our goal is 50,000 signatures. Share this petition with your friends and family today!</span><o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">---------------------------------<br>
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information
is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.<br>
----------------------------------</span><o:p></o:p></p>
<p> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">Edward Holcroft | Madsen Kneppers & Associates Inc.<br>
11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097<br>
O (770) 446-9606 | M (770) 630-0949<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<span style="font-size:10.0pt;font-family:"Arial","sans-serif"">MADSEN, KNEPPERS & ASSOCIATES USA, MKA Canada Inc. WARNING/CONFIDENTIALITY NOTICE: This message may be confidential and/or privileged. If you are not the intended recipient, please notify the sender
immediately then delete it - you should not copy or use it for any purpose or disclose its content to any other person. Internet communications are not secure. You should scan this message and any attachments for viruses. Any unauthorized use or interception
of this e-mail is illegal.</span><o:p></o:p></p>
</div>
</body>
</html>