[clug] mc-root anyone?

Michael Cohen scudette at gmail.com
Thu Jun 18 12:39:35 GMT 2009


As a matter of habit I always set up port knocking on internet facing
SSH servers. It's a good way of protecting your servers against future
vulnerabilities and also keeping your logs clean.

apt-get install knockd

Now does anyone know a way to automate the knocking from within
~/.ssh/config? I typically have to write a 2-line shell script
wrapper for each host which seems a bit hackish.

Michael.

On Thu, Jun 18, 2009 at 10:33 PM, Kim Holburn<kim at holburn.net> wrote:
>
> On 2009/Jun/18, at 2:10 PM, Paul Wayper wrote:
>
>> On 18/06/09 14:53, Daniel Pittman wrote:
>>>
>>> Michael Still<mikal at stillhq.com>  writes:
>>>>
>>>> Two questions:
>>>> - is there anything else I should do to this machine?
>>>
>>> That depends how much paranoia you have.  My general experience, these
>>> days, is that many attackers are quite happy to automatically compromise a
>>> system and run a robot; they don't bother to go beyond that point.
>>
>> My observation is that attacks on Linux systems want to run more SSH
>> vulnerability checks, and infrequently a HTTP server they can put scam web
>> pages on.  I haven't heard any evidence of full-blown zombie controllers
>> under Linux.  (In other words, they may exist but F-Secure and the
>> wider Linux community haven't seen them as a common occurrence).
>>
>> Windows machines get zombie controllers slapped on them because they are
>> easy to take over, they form the vast majority of the machines on the
>> internet, and their administrators are frequently clueless.  For that reason
>> they get the most attention from malware writers.
>>
>> I would recommend never allowing SSH on port 22 on anything that handles a
>> connection from the internet.  I have a port remapping NAT rule on my
>> firewall to remap from a high port to SSH on my internal server; other
>> people just change the 'Port' number in /etc/ssh/sshd_config to a highish
>> number (2222 is easy to remember).
>
> Security by obscurity is OK but it doesn't give you that much.  A good scan
> can tell you what's on an open port.
>
>> If you're paranoid, you also run fail2ban or some similar daemon that
>> checks for too many password failures and bans that IP address automatically
>> for a time.
>
> Yes, fail2ban. But first if you're going to allow external ssh in (depending
> on your version of sshd) put this in sshd_config:
>
> sshd_config:
>
> PermitRootLogin no
> PasswordAuthentication no
> RSAAuthentication yes
> PubkeyAuthentication yes
> AllowUsers fred barney
>
>
> You might consider a separate sshd and config for internet and internal
> networks.   It's a pity you can't apply different sshd_config rules to
> different interfaces.
>
> Most of the successful attacks I've seen have been on old machines or badly
> configured machines especially accounts with bad passwords and have been
> through ssh or apache.
>
>> These people are scanning for connections on port 22.  We haven't (yet)
>> seen people trying to actually scan the ports on a remote machine looking
>> for an SSH server.
>
> I used to see slow scans, below the radar of most automated response
> systems.
>
>> When we do, believe me, you will not be able to move on the internet
>> without hitting three or four sysadmins reconfiguring their external-facing
>> SSH servers.
>
> --
> Kim Holburn
> IT Network & Security Consultant
> Ph: +39 06 855 4294  M: +39 3494957443
> mailto:kim at holburn.net  aim://kimholburn
> skype://kholburn - PGP Public Key on request
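One way to drive the knock from ~/.ssh/config is to make it part of a ProxyCommand, so ssh itself runs the knock and then talks to sshd through the helper. The script below is an added example, not code from this thread or from knockd; it assumes a hypothetical install path ~/bin/knock-proxy, a made-up host bastion.example.com and a made-up sequence 7000:tcp,8000:udp,9000, wired up in a stanza like "Host bastion / HostName bastion.example.com / ProxyCommand ~/bin/knock-proxy %h %p 7000:tcp,8000:udp,9000".

```python
# knock-proxy: ssh ProxyCommand helper that sends the knock sequence, then relays the session to sshd.
import select, socket, sys, time

def parse_sequence(spec):
    """'7000:tcp,8000:udp,9000' -> [(7000,'tcp'), (8000,'udp'), (9000,'tcp')]."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.partition(":")
        proto = (proto or "tcp").lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol in %r" % item)
        seq.append((int(port), proto))
    return seq

def knock(host, seq, delay=0.3, timeout=1.0):
    """Send the knocks in order and return how many were attempted (a refused or dropped TCP connect still counts: knockd only needs the SYN)."""
    attempted = 0
    for port, proto in seq:
        kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
        try:
            with socket.socket(socket.AF_INET, kind) as s:
                s.settimeout(timeout)
                if proto == "tcp":
                    s.connect((host, port))
                else:
                    s.sendto(b"knock", (host, port))
        except OSError:
            pass  # expected: the knock port is closed or firewalled
        attempted += 1
        time.sleep(delay)  # pause between knocks; the last pause lets knockd open the port
    return attempted

def relay(host, port):
    """Shuttle bytes between ssh (our stdin/stdout) and the now-open sshd."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    with socket.create_connection((host, port)) as s:
        while True:
            ready, _, _ = select.select([stdin, s], [], [])
            if stdin in ready:
                data = stdin.read1(65536)
                if not data: return
                s.sendall(data)
            if s in ready:
                data = s.recv(65536)
                if not data: return
                stdout.write(data); stdout.flush()

if __name__ == "__main__":  # argv: host port knock-sequence, as passed by ProxyCommand
    host, port = sys.argv[1], int(sys.argv[2])
    knock(host, parse_sequence(sys.argv[3]))
    relay(host, port)
```

The helper must be executable and on the path given in the stanza; ssh substitutes %h and %p from the HostName and Port of the matching Host entry.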