[clug] mc-root anyone?

Kim Holburn kim at holburn.net
Thu Jun 18 12:33:06 GMT 2009


On 2009/Jun/18, at 2:10 PM, Paul Wayper wrote:

> On 18/06/09 14:53, Daniel Pittman wrote:
>> Michael Still<mikal at stillhq.com>  writes:
>>> Two questions:
>>> - is there anything else I should do to this machine?
>>
>> That depends how much paranoia you have.  My general experience,
>> these days, is that many attackers are quite happy to automatically
>> compromise a system and run a robot; they don't bother to go beyond
>> that point.
>
> My observation is that attacks on Linux systems want to run more SSH
> vulnerability checks, and infrequently a HTTP server they can put
> scam web pages on.  I haven't heard any evidence of full-blown
> zombie controllers under Linux.  (In other words, they may exist but
> F-Secure and the wider Linux community haven't seen them as a
> common occurrence).
>
> Windows machines get zombie controllers slapped on them because they  
> are easy to take over, they form the vast majority of the machines  
> on the internet, and their administrators are frequently clueless.   
> For that reason they get the most attention from malware writers.
>
> I would recommend never allowing SSH on port 22 on anything that
> handles a connection from the internet.  I have a port remapping NAT
> rule on my firewall to remap from a high port to SSH on my internal
> server; other people just change the 'Port' number in
> /etc/ssh/sshd_config to a highish number (2222 is easy to remember).

Security by obscurity is OK but it doesn't give you that much.  A good  
scan can tell you what's on an open port.

> If you're paranoid, you also run fail2ban or some similar daemon  
> that checks for too many password failures and bans that IP address  
> automatically for a time.

Yes, fail2ban. But first, if you're going to allow external ssh in
(depending on your version of sshd), put this in sshd_config:

PermitRootLogin no
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AllowUsers fred barney


You might consider a separate sshd and config for internet and  
internal networks.   It's a pity you can't apply different sshd_config  
rules to different interfaces.

Most of the successful attacks I've seen have been on old machines or  
badly configured machines especially accounts with bad passwords and  
have been through ssh or apache.

> These people are scanning for connections on port 22.  We haven't  
> (yet) seen people trying to actually scan the ports on a remote  
> machine looking for an SSH server.

I used to see slow scans, below the radar of most automated response  
systems.

> When we do, believe me, you will not be able to move on the internet
> without hitting three or four sysadmins reconfiguring their
> external-facing SSH servers.




-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
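Added example, not part of the original post or of any project mentioned in it: a small Python auditor for the sshd_config directives recommended above (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, AllowUsers), respecting sshd's first-occurrence-wins rule for repeated keywords and ignoring conditional Match blocks, followed by a simplified fail2ban-style counter (maxretry within findtime) run over constructed auth.log lines. The config texts and log lines are constructed samples; the directive names are real OpenSSH keywords, the hostnames and addresses are documentation ranges. The third source in the sample log fails slowly, 30 minutes apart, which is the "below the radar" scan mentioned above: it is only caught when the window is widened.

```python
"""Audit sshd_config for the settings discussed above and count failed logins
per source the way fail2ban does (simplified). Added example, not from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directives the post asks for, keyed in lower case (sshd keywords are case-insensitive).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted by sshd.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*(?:=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored. Everything after a 'Match' line is
    conditional and skipped here (a Match block runs to the next Match or EOF)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                              # rest of file is conditional
        settings.setdefault(key, value)        # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return sorted (keyword, actual, wanted) findings; empty means hardened.
    A missing keyword is reported as '<default>' rather than guessing the
    version-specific sshd default."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = cfg.get(key, "<default>")
        if actual.lower() != wanted:
            findings.append((key, actual, wanted))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("allowusers", "<unset>", "<explicit user list>"))
    return sorted(findings)


# Constructed sample configs: a stock-style one and one following the post.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers fred barney
PasswordAuthentication yes   # duplicate later in the file: ignored, first wins
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Syslog-style sshd failure line (constructed sample format, no year in timestamp).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)


def ban_candidates(log_lines, maxretry=5, findtime=timedelta(minutes=10), year=2009):
    """Return {ip: total_failures} for sources with >= maxretry failed logins
    inside any findtime-long window, mirroring fail2ban's maxretry/findtime."""
    events = defaultdict(list)
    for line in log_lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    banned = {}
    for ip, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= findtime) >= maxretry:
                banned[ip] = len(times)
                break
    return banned


SAMPLE_LOG = """\
Jun 18 12:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jun 18 12:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Jun 18 12:00:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jun 18 12:00:07 host sshd[1237]: Failed password for fred from 203.0.113.5 port 4003 ssh2
Jun 18 12:00:09 host sshd[1238]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jun 18 12:01:00 host sshd[1240]: Failed password for fred from 198.51.100.9 port 5000 ssh2
Jun 18 12:05:00 host sshd[1241]: Accepted publickey for fred from 198.51.100.9 port 5001 ssh2
Jun 18 09:00:00 host sshd[1100]: Failed password for root from 192.0.2.77 port 6000 ssh2
Jun 18 09:30:00 host sshd[1101]: Failed password for root from 192.0.2.77 port 6001 ssh2
Jun 18 10:00:00 host sshd[1102]: Failed password for root from 192.0.2.77 port 6002 ssh2
Jun 18 10:30:00 host sshd[1103]: Failed password for root from 192.0.2.77 port 6003 ssh2
Jun 18 11:00:00 host sshd[1104]: Failed password for root from 192.0.2.77 port 6004 ssh2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
    lines = SAMPLE_LOG.splitlines()
    print("10 min window:", ban_candidates(lines))
    print("3 h window:   ", ban_candidates(lines, findtime=timedelta(hours=3)))
```

With the default 10-minute window only 203.0.113.5 is reported; the slow source 192.0.2.77 only shows up once findtime is stretched to three hours, at the cost of holding more state per source, which is the trade-off a fail2ban deployment makes when tuning maxretry and findtime.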