[clug] mc-root anyone?

Nathan Rickerby rickerby at gmail.com
Thu Jun 18 14:04:27 GMT 2009


On Thu, Jun 18, 2009 at 10:39:35PM +1000, Michael Cohen wrote:
> As a matter of habit I always set up port knocking on internet facing
> SSH servers. It's a good way of protecting your servers against future
> vulnerabilities and also keeping your logs clean.
> 
> apt-get install knockd

I disable password auth, allow skey and pubkey auth only, limit the
public key to being used from the internal network only, and set a
maximum connection rate from the Internet to 1 every 10 seconds.

> Now does anyone know a way to automate the knocking from within
> ~/.ssh/config ? I typically have to write a 2 line shell script
> wrapper for each host which seems a bit hackish.

Perhaps something like this at the top of your ~/.ssh/config:

  ProxyCommand knock.sh %h %p

and knock.sh:

  #!/bin/bash
  # knock.sh: run by ssh as "ProxyCommand knock.sh %h %p", so stdout is the
  # ssh stream; everything except the final nc must stay off stdout
  host=$1
  port=$2
  ping -c 1 "$host" >/dev/null 2>&1
  # knock knock: the knock ports are not listening, so give each attempt a
  # 1s timeout and keep it away from ssh's stdin/stdout
  nc -w 1 "$host" 12359 </dev/null >/dev/null 2>&1
  nc -w 1 "$host" 45335 </dev/null >/dev/null 2>&1
  # and connect: relay ssh's stdin/stdout to the real sshd port
  exec nc "$host" "$port"

Nathan

> On Thu, Jun 18, 2009 at 10:33 PM, Kim Holburn<kim at holburn.net> wrote:
> >
> > On 2009/Jun/18, at 2:10 PM, Paul Wayper wrote:
> >
> >> On 18/06/09 14:53, Daniel Pittman wrote:
> >>>
> >>> Michael Still<mikal at stillhq.com>  writes:
> >>>>
> >>>> Two questions:
> >>>> - is there anything else I should do to this machine?
> >>>
> >>> That depends how much paranoia you have.  My general experience, these
> >>> days, is that many attackers are quite happy to automatically compromise
> >>> a system and run a robot; they don't bother to go beyond that point.
> >>
> >> My observation is that attacks on Linux systems want to run more SSH
> >> vulnerability checks, and infrequently a HTTP server they can put scam web
> >> pages on.  I haven't heard any evidence of full-blown zombie controllers
> >> under Linux.  (In other words, they may exist, but F-Secure and the
> >> wider Linux community haven't seen them as a common occurrence.)
> >>
> >> Windows machines get zombie controllers slapped on them because they are
> >> easy to take over, they form the vast majority of the machines on the
> >> internet, and their administrators are frequently clueless.  For that reason
> >> they get the most attention from malware writers.
> >>
> >> I would recommend never allowing SSH on port 22 on anything that handles a
> >> connection from the internet.  I have a port remapping NAT rule on my
> >> firewall to remap from a high port to SSH on my internal server; other
> >> people just change the 'Port' number in /etc/ssh/sshd_config to a highish
> >> number (2222 is easy to remember).
> >
> > Security by obscurity is OK but it doesn't give you that much.  A good scan
> > can tell you what's on an open port.
> >
> >> If you're paranoid, you also run fail2ban or some similar daemon that
> >> checks for too many password failures and bans that IP address automatically
> >> for a time.
> >
> > Yes, fail2ban. But first if you're going to allow external ssh in (depending
> > on your version of sshd) put this in sshd_config:
> >
> > sshd_config:
> >
> > PermitRootLogin no
> > PasswordAuthentication no
> > RSAAuthentication yes
> > PubkeyAuthentication yes
> > AllowUsers fred barney
> >
> >
> > You might consider a separate sshd and config for internet and internal
> > networks.  It's a pity you can't apply different sshd_config rules to
> > different interfaces.
> >
> > Most of the successful attacks I've seen have been on old machines or badly
> > configured machines, especially accounts with bad passwords, and have been
> > through ssh or apache.
> >
> >> These people are scanning for connections on port 22.  We haven't (yet)
> >> seen people trying to actually scan the ports on a remote machine looking
> >> for an SSH server.
> >
> > I used to see slow scans, below the radar of most automated response
> > systems.
> >
> >> When we do, believe me, you will not be able to move on the internet
> >> without hitting three or four sysadmins reconfiguring their external-facing
> >> SSH servers.
> >
> > --
> > Kim Holburn
> > IT Network & Security Consultant
> > Ph: +39 06 855 4294  M: +39 3494957443
> > mailto:kim at holburn.net  aim://kimholburn
> > skype://kholburn - PGP Public Key on request
> >
> > --
> > linux mailing list
> > linux at lists.samba.org
> > https://lists.samba.org/mailman/listinfo/linux
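The server side of the port knocking discussed above, as an added example that is not knockd's code nor anything from the thread: a small knockd-style sequence matcher replayed over constructed firewall log lines. It reports which source addresses hit the knock ports in order and within a window, which is the condition under which a knocking daemon would open the SSH port. The knock ports are the two from knock.sh; the 10-second window, the log-line format, and the rule that any stray packet resets the sequence are assumptions of this example.

```python
"""Server-side view of port knocking: a small knockd-style sequence matcher.

Added example (not knockd's code). Replays constructed firewall log lines and
reports which source addresses completed the knock sequence in order and within
the window, which is when a knocking daemon would open the SSH port for them.
"""
import re

# The two knock ports from knock.sh; the window length is an assumption.
KNOCK_SEQUENCE = (12359, 45335)
WINDOW_SECONDS = 10

# Constructed log excerpt in an assumed "<epoch> SRC=<ip> DPT=<port>" format.
LOG_EXCERPT = """\
1245333600 SRC=203.0.113.10 DPT=12359
1245333602 SRC=203.0.113.10 DPT=45335
1245333603 SRC=203.0.113.10 DPT=22
1245333610 SRC=198.51.100.7 DPT=45335
1245333611 SRC=198.51.100.7 DPT=12359
1245333650 SRC=192.0.2.5 DPT=12359
1245333670 SRC=192.0.2.5 DPT=45335
1245333700 SRC=192.0.2.9 DPT=12359
1245333701 SRC=192.0.2.9 DPT=80
1245333702 SRC=192.0.2.9 DPT=45335
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DPT=(?P<port>\d+)$")


def parse_log(text):
    """Turn log lines into (timestamp, source_ip, dest_port) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"], int(m["port"])))
    return events


def find_completed_knocks(events, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return {source_ip: completion_timestamp} for every completed sequence.

    Per source we keep (next_index, first_knock_ts). In this model a packet to
    any port other than the one expected next resets the sequence, and a
    sequence that takes longer than the window is discarded.
    """
    state = {}
    opened = {}
    for ts, src, port in events:
        idx, start = state.get(src, (0, ts))
        if idx > 0 and ts - start > window:
            idx = 0                      # too slow: forget the partial sequence
        if port != sequence[idx]:
            idx = 0                      # out of order: reset
            if port != sequence[0]:      # ...and this packet is not a fresh start
                state.pop(src, None)
                continue
        if idx == 0:
            start = ts                   # first correct knock starts the clock
        idx += 1
        if idx == len(sequence):
            opened[src] = ts             # full sequence seen: SSH would open now
            state.pop(src, None)
        else:
            state[src] = (idx, start)
    return opened


def main():
    for src, ts in sorted(find_completed_knocks(parse_log(LOG_EXCERPT)).items()):
        print(f"{src}: sequence completed at {ts}")


if __name__ == "__main__":
    main()
```

Of the four sources in the constructed log only 203.0.113.10 completes the sequence: 198.51.100.7 knocks in the wrong order, 192.0.2.5 takes 20 seconds between knocks, and 192.0.2.9 has a stray packet to port 80 in the middle. This is also why the knock.sh timeouts matter: a knock that hangs on a dropped port can push the second knock outside the daemon's window.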
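A check for the sshd_config directives Kim lists above, as an added example that is not OpenSSH's own tooling. It mimics two things sshd actually does when reading its config (keywords are case-insensitive, and the first occurrence of a directive wins, so a later duplicate cannot fix an earlier weak value) and reports any deviation from the recommended values. RSAAuthentication is left out because it only ever applied to SSH protocol 1. The sample config is constructed.

```python
"""Audit an sshd_config for the directives recommended in the thread.

Added example, not OpenSSH's own tooling. Keywords are matched
case-insensitively and the first occurrence of a directive wins, as in sshd.
The sample config below is constructed.
"""
import re

# Values the thread recommends. RSAAuthentication is left out: it only ever
# applied to SSH protocol 1.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
MUST_BE_SET = ("allowusers",)

SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 2222
PermitRootLogin without-password
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no    # ignored by sshd: the first value above wins
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                         # conditional blocks start here;
            break                                  # they are out of scope for this check
        settings.setdefault(key, value)            # first occurrence wins, as in sshd
    return settings


def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, the build's default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, thread recommends {want!r}")
    for key in MUST_BE_SET:
        if key not in settings:
            findings.append(f"{key}: not set, so no account allow-list is applied")
    return findings


def main():
    findings = audit(parse_sshd_config(SAMPLE_CONFIG))
    print("\n".join(findings) if findings else "all checks passed")


if __name__ == "__main__":
    main()
```

Run against the constructed sample it reports three findings: root login is not fully disabled, password authentication is still on (the second PasswordAuthentication line never takes effect), and there is no AllowUsers list.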
