[clug] unsubscribe

Nithya Babu nithyababu at isofttech.com
Tue Jul 26 03:56:28 GMT 2005



-----Original Message-----
From: linux-bounces+nithyababu=isofttech.com at lists.samba.org
[mailto:linux-bounces+nithyababu=isofttech.com at lists.samba.org] On Behalf Of
linux-request at lists.samba.org
Sent: Tuesday, July 26, 2005 5:43 AM
To: linux at lists.samba.org
Subject: linux Digest, Vol 31, Issue 34

Send linux mailing list submissions to
	linux at lists.samba.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.samba.org/mailman/listinfo/linux
or, via email, send a message with subject or body 'help' to
	linux-request at lists.samba.org

You can reach the person managing the list at
	linux-owner at lists.samba.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of linux digest..."


Today's Topics:

   1. Re: Hoary old chestnut: Use of 'dump' (Martin Pool)
   2. SSH attack (Steve Jenkin)
   3. Re: Hoary old chestnut: Use of 'dump' (Stephen Rothwell)
   4. Re: Hoary old chestnut: Use of 'dump' (Martin Pool)
   5. Re: SSH attack (Steven Farlie)
   6. July Canberra Linux Users Group meeting (Andrew Pollock)
   7. Re: SSH attack (Michael Cohen)
   8. Re: SSH attack (Alex Satrapa)
   9. Re: Hoary old chestnut: Use of 'dump' (Stephen Granger)
  10. Re: SSH attack (Andrew Pollock)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Jul 2005 09:37:05 -0300
From: Martin Pool <mbp at sourcefrog.net>
Subject: Re: [clug] Hoary old chestnut: Use of 'dump'
To: Canberra Linux User Group <linux at lists.samba.org>
Message-ID: <1122295026.9693.2.camel at hope>
Content-Type: text/plain

On Mon, 2005-07-25 at 16:43 +1000, Alex Satrapa wrote:
> On 25 Jul 2005, at 15:19, Stephen Jenkin wrote:
> 
> > I was talking to a mate about backups & when he said he used 'dump', I
> > trotted out the "it's got a design flaw" line.
> 
> One could argue that rsync has a design flaw, since (as mentioned in  
> the article about dump) it will set the atime of each file that is  
> opened for reading. 

Not necessarily.  With a sufficiently recent rsync and kernel it can
preserve the atime on files you own (or all files, if root).

-- 
Martin




------------------------------

Message: 2
Date: Mon, 25 Jul 2005 23:51:22 +1000
From: Steve Jenkin <sjenkin at canb.auug.org.au>
Subject: [clug] SSH attack
To: CLUG List <linux at lists.samba.org>
Message-ID: <1122299483.5025.27.camel at p4>
Content-Type: text/plain

Tonight I noticed lots of inbound network activity to an unused host: I
mapped SSH through the firewall to it.

First event in log:
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
from 66.235.160.30 port 60518 ssh2

Could this explain the compromise someone on the list saw recently?

I've created two lists from the attempts I've seen in /var/log/secure,
URLs below.  Hope this is helpful to some of you out there.  The first
number in the file is the count.
http://tip.net.au/~sjenkin/hack-ipnr.txt
http://tip.net.au/~sjenkin/hack-logins.txt

BTW: I've read the man page for 'sshd_config', and it seems pretty
sketchy to me on how to limit connections to sshd.  All I found was:
=> AllowUsers USER at HOST 

Doesn't seem to understand limiting to subnets or denying from address
ranges, say like Apache...  Did I get this right?

cheers
steve

-- 
Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin
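As an added example (not from Steve's post), the two tallies he describes can be produced straight from the sshd log lines. The sample log below is constructed in the wording quoted above; the threshold in noisy_sources is an assumption, not something the post specifies.

```python
"""Count failed sshd logins per source address and per username,
mirroring the two count-prefixed lists built from /var/log/secure."""
import re
from collections import Counter

# Matches the "Failed password" line shape quoted in the thread (OpenSSH 3.x
# wording, "illegal user"; newer releases say "invalid user").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines):
    """Yield (user, ip) for each failed-password line; ignore everything else."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def _by_count(counter):
    """Turn a Counter into a list of (count, name), highest count first."""
    return sorted(((n, k) for k, n in counter.items()), reverse=True)


def count_attempts(lines):
    """Return (ip_counts, login_counts): the hack-ipnr and hack-logins lists."""
    ips, users = Counter(), Counter()
    for user, ip in parse_failures(lines):
        ips[ip] += 1
        users[user] += 1
    return _by_count(ips), _by_count(users)


def noisy_sources(lines, threshold=3):
    """Addresses with at least `threshold` failures: candidates for a firewall block."""
    ip_counts, _ = count_attempts(lines)
    return [ip for n, ip in ip_counts if n >= threshold]


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Failed password for illegal user guest from 66.235.160.30 port 60530 ssh2
Jun 30 22:58:53 cdr sshd[3540]: Failed password for illegal user admin from 66.235.160.30 port 60541 ssh2
Jun 30 23:02:10 cdr sshd[3551]: Failed password for root from 10.0.0.5 port 41000 ssh2
Jun 30 23:05:00 cdr sshd[3560]: Accepted publickey for steve from 10.0.0.9 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for n, ip in count_attempts(SAMPLE_LOG)[0]:
        print(n, ip)
```

Only "Failed password" lines are counted, so the paired "Illegal user" line does not double-count an attempt.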




------------------------------

Message: 3
Date: Tue, 26 Jul 2005 01:04:50 +1000
From: Stephen Rothwell <sfr at canb.auug.org.au>
Subject: Re: [clug] Hoary old chestnut: Use of 'dump'
To: linux at lists.samba.org
Message-ID: <20050726010450.07993cf5.sfr at canb.auug.org.au>
Content-Type: text/plain; charset="us-ascii"

On Mon, 25 Jul 2005 09:37:05 -0300 Martin Pool <mbp at sourcefrog.net> wrote:
>
> Not necessarily.  With a sufficiently recent rsync and kernel it can
> preserve the atime on files you own (or all files, if root).

How recent?  This is something I have wanted for years.  The current CVS
version doesn't have anything obvious ...

-- 
Cheers,
Stephen Rothwell                    sfr at canb.auug.org.au
http://www.canb.auug.org.au/~sfr/

------------------------------

Message: 4
Date: Mon, 25 Jul 2005 12:19:45 -0300
From: Martin Pool <mbp at sourcefrog.net>
Subject: Re: [clug] Hoary old chestnut: Use of 'dump'
To: linux at lists.samba.org
Message-ID: <1122304785.9693.36.camel at hope>
Content-Type: text/plain

On Tue, 2005-07-26 at 01:04 +1000, Stephen Rothwell wrote:
> On Mon, 25 Jul 2005 09:37:05 -0300 Martin Pool <mbp at sourcefrog.net> wrote:
> >
> > Not necessarily.  With a sufficiently recent rsync and kernel it can
> > preserve the atime on files you own (or all files, if root).
> 
> How recent?  This is something I have wanted for years.  The current CVS
> version doesn't have anything obvious ...

Oh, apparently this is in the kernel but not merged into rsync yet.  I
think there's a patch somewhere.

-- 
Martin




------------------------------

Message: 5
Date: Tue, 26 Jul 2005 02:26:35 +1000
From: Steven Farlie <steven.farlie at gmail.com>
Subject: Re: [clug] SSH attack
Cc: CLUG List <linux at lists.samba.org>
Message-ID: <42E512BB.7090503 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
> 
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from 66.235.160.30 port 60518 ssh2
> 
> Could this explain the compromise someone on the list saw recently?
> 
> I've created two lists from the attempts I've seen in /var/log/secure,
> URLs below.  Hope this is helpful to some of you out there.  The first
> number in the file is the count.
> http://tip.net.au/~sjenkin/hack-ipnr.txt
> http://tip.net.au/~sjenkin/hack-logins.txt

Someone's been doing plain old dictionary attacks on ssh for a while now. 
It seems to be reasonably effective. Even if it takes a bit longer than 
a regular attack, you might just end up owning a unix box on a big fat pipe.

http://it.slashdot.org/article.pl?sid=05/07/16/1615233

> BTW: I've read the man page for 'sshd_config', and it seems pretty
> sketchy to me on how to limit connections to sshd.  All I found was:
> => AllowUsers USER at HOST 
> 
> Doesn't seem to understand limiting to subnets or denying from address
> ranges, say like Apache...  Did I get this right?

Yep, that's about it. Most people should just set AllowUsers and enforce 
strong passwords on those. Subnet and address range blocking is usually 
best handled by firewalls.
-- 
Steven Farlie


------------------------------

Message: 6
Date: Tue, 26 Jul 2005 08:00:02 +1000
From: Andrew Pollock <andrew-clug at andrew.net.au>
Subject: [clug] July Canberra Linux Users Group meeting
To: linux at lists.samba.org
Message-ID: <200507252200.j6PM02A6020089 at caesar.andrew.net.au>

	Canberra Linux Users Group Meeting - 28th July 2005
	===================================================

Date:		28th July 2005 (Fourth Thursday of the month)

Time:		19:00 - 21:00 (or when it finishes)

Speaker:	Bob Edwards

Abstract:	Bob's going to give a short talk about his new Philips
		SLA5500 Wireless Music Receiver, and how to make it work
		with Linux. 
		
		He's also going to demonstrate his new iRobot Roomba
		Discovery vacuuming robot. 

Venue:		Room N101
		Computer Science and Information Technology Building
		North Road
		The Australian National University

		See http://clug.org.au/ for more directions and a map

Food/drink:	Pizza and soft drink/juice. Come hungry, and bring 
		about $6 to cover the cost of your share if you 
		want some.

If you would like to give a talk at a future meeting, please email me.



------------------------------

Message: 7
Date: Tue, 26 Jul 2005 08:43:18 +1000
From: Michael Cohen <michael.cohen at netspeed.com.au>
Subject: Re: [clug] SSH attack
To: linux at lists.samba.org
Message-ID: <20050725224318.GC6435 at dell.homelinux.com>
Content-Type: text/plain; charset=us-ascii

On Tue, Jul 26, 2005 at 02:26:35AM +1000, Steven Farlie wrote:
> >BTW: I've read the man page for 'sshd_config', and it seems pretty
> >sketchy to me on how to limit connections to sshd.  All I found was:
> >=> AllowUsers USER at HOST 
> >
> >Doesn't seem to understand limiting to subnets or denying from address
> >ranges, say like Apache...  Did I get this right?
> 
> Yep, that's about it. Most people should just set AllowUsers and enforce 
> strong passwords on those. Subnet and address range blocking is usually 
> best handled by firewalls.

Note that the usual way of doing this is through
/etc/security/access.conf (at least on Debian-based distros). For
example:
+:mic:10.

says: allow mic to log on from the 10. netmask.

Michael.
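An added illustration of the access.conf approach Michael describes (not taken from his message): the `+:mic:10.` line on its own restricts nothing, because pam_access permits anything no rule matches, so a final deny-all line is what actually closes the door, and pam_access has to be enabled in sshd's PAM stack. The username and file paths below are assumptions.

```text
# /etc/security/access.conf -- pam_access reads top to bottom, first match wins.
# Format: permission : users : origins

# Weak: this alone changes nothing. No later line denies the rest, so every
# user from every origin is still permitted.
+ : mic : 10.

# Corrected: allow mic from the 10. block, then deny everyone else from anywhere.
+ : mic : 10.
- : ALL : ALL

# /etc/pam.d/sshd -- pam_access only takes effect when it is in the service's
# account stack (and sshd_config has UsePAM yes). Because it is listed here
# rather than in a shared stack, the deny-all line above applies to ssh only.
account required pam_access.so
```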


------------------------------

Message: 8
Date: Tue, 26 Jul 2005 09:35:15 +1000
From: Alex Satrapa <grail at goldweb.com.au>
Subject: Re: [clug] SSH attack
To: CLUG List <linux at lists.samba.org>
Message-ID: <D8B51356-7CF4-408E-B53D-765E1CE7B0CD at goldweb.com.au>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

On 25 Jul 2005, at 23:51, Steve Jenkin wrote:

> Tonight I noticed lots of inbound network activity to an unused  
> host: I
> mapped SSH through the firewall to it.

I secured my network by only allowing SSH to one externally visible  
box, that box only allows key-based authentication (no passwords),  
and only users who have accounts on that machine can have keys  
present. Simple.

When brute force attacks start breaking into my box, I've probably  
got bigger problems than just unauthorized access.

Alex



------------------------------

Message: 9
Date: Tue, 26 Jul 2005 09:50:11 +1000
From: Stephen Granger <sgranger at stepsoft.com.au>
Subject: Re: [clug] Hoary old chestnut: Use of 'dump'
Cc: linux at lists.samba.org
Message-ID: <42E57AB3.1040608 at stepsoft.com.au>
Content-Type: text/plain; charset=ISO-8859-1

Thanks for your warning in regards to the timing condition with rsync,
Antti. I guess I should have assumed the same problem could plague
rsync... I guess it's just my bias towards rsync and unfamiliarity with
dump/restore. I've only really got a Linux background, very little Unix
experience (does that make any sense?).

Rather than the back "everything" up scenario, I like, and have seen in
practice, and am more favourable to, backing up as little as possible
and building your servers in a common way. Use packages as much as
possible, even if you have to build them yourself (eg php on debian
which doesn't have --pspell). This process can be very handy if you are
creating/replicating servers with 'simple' services, such as webservers
(okay, may not be simple). To add, even if you can't build your servers
in a generic way, utilise such tools as FAI (Debian) and Kickstart
(Redhat) so that you can replicate your base/total system as easily as
possible. This avoids backing up a lot of the /usr filesystem. Store
configuration files in a central repository so you and the other
sysadmins can edit them and you are aware of the changes (CVS).
Following the Linux Filesystem Hierarchy Standard (FHS) allows you to be
aware of what files are where that need to be backed up.

The main resistance I've come across to this proposal is:
"What about the other files on the system that you don't know about?
You'll miss them if you don't back up everything!"
(Again, this may be very Linux-centric.)
You mean you've got files all over your system that you don't know
about? This may be the case if you didn't build the box, but if you built
the box, shouldn't you know what's on it? Tripwire can be your friend to
tell you what files are modified/created.

If you didn't build the box you should at least know how to build the box
from scratch, document that process so you know how it's built and then
do a diff (again, I love rsync for this, but there is probably a better
way to do it) on the box you've just built and the other one you didn't
build. You'll have to wade through (grep out maybe) all of the log files
you know about and other stuff (content, databases, etc) but it may just
dig up the file named
Do_not_delete_runs_everything.sh in the
/usr/local/test/monday/back_from_holidays/last_nightsbackup/restore/puppydogs/two_more_sleeps/
directory which you didn't know about. (This can also help you
understand why they got rid of their last sysadmin :) )
This is assuming you have the time and adequate hardware to carry out
such an operation.

There are a few more things that you have to be aware of, maybe I can
talk about them on Thursday night? I don't have slides or anything but I
have been working on a paper/howto/document for this process that I can
bring along.

I'd really like some feedback on my ideas, especially if you think they
are totally flawed or could do with some improvements.

Randall Crook wrote:
> --
> 
> Maybe I am a little out of it, but I usually use vdump (Tru64 with advfs)
> to disk then tar the dumps to tape (yes I still prefer tape. :)) on
> nightly cold backups (applications shutdown). Then once each 6 months
> actually do a standalone backup (single user mode).
> 
> Now this works fine for me as I am dealing with 6 synchronised application
> servers and losing one for a couple of hours each night is not a major
> problem.
> 
> This does however ensure I have a clean backup of the important data
> files. It also allows me to do standalone backups of one server as a
> reference each time I need to perform major upgrades/patches so recovery
> after a stuff up is relatively straightforward.
> 
> I have always wondered if the method I use is appropriate or the most
> efficient (cost as well as resources) for the environment.
> 
> As each server is almost identical to the others (hostname, ip and a few
> minor configs the only diffs between them) I usually just image a rebuild
> off an existing server, so the backups to tape are really for absolute
> disaster conditions and for the warm fuzzy feeling factor.

I guess it's not that easy to replicate your server if say all of your
servers are "disabled" (the good old biblical flood scenario). This
replication can be done just as easily with FAI or kickstart, which can
be stored on a CD and given out to several employees, or sent to a remote
location.

> If anyone can point me to better (at no extra cost) solutions, I would be
> very happy give them.:)
> 


-- 
Stephen Granger



------------------------------

Message: 10
Date: Tue, 26 Jul 2005 10:12:11 +1000
From: Andrew Pollock <andrew-clug at andrew.net.au>
Subject: Re: [clug] SSH attack
To: Steve Jenkin <sjenkin at canb.auug.org.au>
Cc: CLUG List <linux at lists.samba.org>
Message-ID: <20050726001211.GA29425 at daedalus.andrew.net.au>
Content-Type: text/plain; charset=us-ascii

On Mon, Jul 25, 2005 at 11:51:22PM +1000, Steve Jenkin wrote:
> Tonight I noticed lots of inbound network activity to an unused host: I
> mapped SSH through the firewall to it.
> 
> First event in log:
> Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
> Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
> from 66.235.160.30 port 60518 ssh2
> 
> Could this explain the compromise someone on the list saw recently?

I use Netfilter to slow these down a bit. The attacks are always impatient,
and that is usually their downfall.

http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks

There can be a bit of collateral damage with these rules and legitimate SSH
connections originating from lossy networks, so judicious use of
whitelisting is advised.

I find this greatly reduces the noise in the logs without needing to filter
it out altogether.
 
 regards

 Andrew


------------------------------

_______________________________________________
linux mailing list
linux at lists.samba.org
https://lists.samba.org/mailman/listinfo/linux


End of linux Digest, Vol 31, Issue 34
*************************************


