From: Vahis on 18 Apr 2010 01:02

On 2010-04-17, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> O.K. I made an update:
>> http://waxborg.servepics.com/opensuse/blockhosts
>
> There also is
> http://www.novell.com/communities/node/3654/checking-log-file-invalid-ssh-connection-attempts

Cool. I seem to have invented another wheel :)

Vahis
--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
07:54am up 12:36, 4 users, load average: 0.00, 0.01, 0.00
From: Vahis on 18 Apr 2010 02:50

On 2010-04-10, houghi <houghi(a)houghi.org.invalid> wrote:
> Will Honea wrote:
>> The matter became even more immediate when I reviewed the system log this
>> morning - page after page of someone running a dictionary attack on the ssh
>> port
>
> Install BlockHosts.
> Using BlockHost is a great way to keep your logfiles clean. I personally
> do NOT see it as security (unless through obscurity). A different port I
> also do not see as security. Whitelisting can be, depending on how much
> you trust the things you whitelist.

I'm not worried too much about ssh login attempts myself.
But I made an experiment.

There were several addresses that had rained hard, over a thousand attempts.

devlab:~ # grep "Invalid user" /var/log/messages|awk '{print $NF}' | \
> sort|uniq -c|sort -nr|head -n 25
   1828 80.246.114.198
   1774 210.83.84.23
   1587 79.188.159.100
   1410 211.100.47.198
   1370 209.92.50.50
<snip>

Now who is that with 1828 attempts:
--------------------------------------------------------------
devlab:~ # whois 80.246.114.198
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '80.246.114.128 - 80.246.114.255'

inetnum:        80.246.114.128 - 80.246.114.255
netname:        IS-DCMY
descr:          Intersolute GmbH
descr:          Ostwall 101 - 107
descr:          D-47798 Krefeld
country:        DE
admin-c:        GERD2-RIPE
tech-c:         FK884-RIPE
status:         ASSIGNED PA
mnt-by:         TRANSFAIR-NET
mnt-lower:      TRANSFAIR-NET
mnt-by:         TRANSFAIR-NET
source:         RIPE # Filtered

person:         Gerd Mende
address:        Transfair-Net GmbH
address:        Ostwall 101-107
address:        D-47798 Krefeld
address:        Germany
phone:          +49 2151 5241880
fax-no:         +49 2151 5241888
mnt-by:         TRANSFAIR-NET
nic-hdl:        GERD2-RIPE
source:         RIPE # Filtered

person:         Frank Kempermann
address:        Transfair-Net GmbH
address:        Ostwall 101-107
address:        D-47798 Krefeld
address:        Germany
phone:          +49 2151 5241880
fax-no:         +49 2151 5241888
e-mail:         info(a)transfair-net.de
nic-hdl:        FK884-RIPE
mnt-by:         TRANSFAIR-NET
source:         RIPE # Filtered

% Information related to '80.246.112.0/20AS21461'

route:          80.246.112.0/20
descr:          DE-TRANSFAIR-NET-80
origin:         AS21461
mnt-by:         TRANSFAIR-NET
source:         RIPE # Filtered
-----------------------------------------------------------

I wonder if Gerd or Frank there should be worried about something...

Years ago I sent a couple of abuse mails to some of these people.
Most of the time they replied and told me that the abusing accounts had
been shut down due to the mails.

So what I mean here is that if one's machine receives this noise it's not
that serious. Sending mail might be a favor to them.
But it's their problem...

Vahis
--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
09:29am up 14:11, 5 users, load average: 0.01, 0.06, 0.02
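The counting pipeline from the post above, as an added example that is not part of the thread. It does the same grep/awk/sort/uniq/sort/head job, with two changes worth knowing about: the address is read from the field after the last "from" instead of from the last field, so lines that end in "port NNNNN" still yield an address, and because the username in an "Invalid user" line is chosen by the remote side, taking the last "from" keeps a username that itself contains "from <address>" from making the counter (or an automatic blocker or abuse-mailer built on it) blame a third party's address. The log lines are constructed (documentation-range addresses, syslog-style prefix); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd "Invalid user" attempts per
# source address, the way the post's grep/awk/sort/uniq pipeline does, but
#  - taking the address from the field after the LAST "from" (not $NF), so
#    lines ending in "port NNNNN" still yield an address, and
#  - so that an attacker-chosen username containing "from <address>" cannot
#    shift the blame onto someone else's address.

# Constructed sample in /var/log/messages style; addresses are from the
# RFC 5737 documentation ranges. The last line has a username constructed as
# "root from 203.0.113.5 port 22"; the real source is 198.51.100.7.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr 18 07:12:01 devlab sshd[1201]: Invalid user admin from 192.0.2.10
Apr 18 07:12:03 devlab sshd[1203]: Invalid user oracle from 192.0.2.10
Apr 18 07:12:05 devlab sshd[1205]: Invalid user test from 198.51.100.7 port 40122
Apr 18 07:12:07 devlab sshd[1207]: Invalid user sales from 192.0.2.10 port 40123
Apr 18 07:12:09 devlab sshd[1209]: Accepted publickey for vahis from 203.0.113.5 port 5022 ssh2
Apr 18 07:12:11 devlab sshd[1211]: Invalid user bill from 203.0.113.99 port 40124
Apr 18 07:12:13 devlab sshd[1213]: Invalid user root from 203.0.113.5 port 22 from 198.51.100.7 port 40126
EOF

# count_sources FILE: prints "COUNT ADDRESS" per offending address, busiest first.
count_sources() {
    grep 'Invalid user' "$1" \
      | awk '{ ip = ""; for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1);
               if (ip != "") print ip }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# top_sources FILE N: the N busiest addresses (the post's "head -n 25").
top_sources() {
    count_sources "$1" | head -n "$2"
}

# sources_over_threshold FILE N: addresses with at least N attempts, one per
# line. This is the list a notifier or blocker would act on, so N should sit
# well above anything a legitimate user produces by mistyping a password.
sources_over_threshold() {
    count_sources "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

top_sources "$LOG" 25
```

Running it prints 192.0.2.10 with three attempts, 198.51.100.7 with two and 203.0.113.99 with one; 203.0.113.5, which only appears inside the forged username and in a successful key login, is never counted. With the post's original `$NF` the forged line would have counted the port number, and a parser taking the first "from" would have counted the innocent address.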
From: Vahis on 18 Apr 2010 13:14

On 2010-04-18, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> They must be big bot nets.
>
> And that is why they are a burden to everybody.
>
>> It would surely be more useful to also send mail than just block.
>> It should be completely automatic though.
>
> I hope you mean the sending and not the blocking.
>
>> Say a machine attempts like ten times and a script sends mail to their
>> abuse mail address.
>
> OK, the sending.

And blocking. Both automagic.

>> Blockhosts should be extended to send mail on top of blocking the
>> address :)
>
> No. Blockhosts looks at each attempt individually. What you need is a
> logfile analyzer:
> http://bubba.org/wiki/index.php/SSH_Log_Action_Script
> This is written in perl, but it should work. At least partly.

There are risks with log readers like blockhosts:
http://www.ossec.net/main/attacking-log-analysis-tools

Since strong passwords is my mantra I haven't installed blockhosts on
main machine anyway.
(or did I forget, gee... lemme think...)

> What are you going to do with an address like
> a88-112-24-179.elisa-laajakaista.fi?

You can easily get the IP from it I guess. It's in it. Well hidden :)
That's a virtual machine. With blockhosts.

> Although that might not be very useful. Looking at my own domain and my
> own IP, I would never get the email myself.

I guess it's the ISP that is supposed to get the mail.

>
>> What about setting up a virtual machine with some users like sales or
>> marketing or bill with infinite retries and a simple password.
>> And see what they do with it when they get in ;)
>
> People are already doing that.
> http://en.wikipedia.org/wiki/Honeypot_%28computing%29 I am sure you can
> find out what these have detected if you start looking for it.

I've heard of honeypots and tarpits as well.
Somehow the latter sounds more fun, haven't looked into them though :)

Vahis
--
http://waxborg.servepics.com
openSUSE 11.3 Milestone 5 (x86_64) 2.6.34-rc3-3-default
20:02pm up 1 day 0:44, 6 users, load average: 0.00, 0.00, 0.00
From: David Bolt on 18 Apr 2010 13:25

On Sunday 18 Apr 2010 14:28, while playing with a tin of spray paint, Vahis
painted this mural:

> What about setting up a virtual machine with some users like sales or
> marketing or bill with infinite retries and a simple password.
> And see what they do with it when they get in ;)

You mean run your own honeypot? Have a nosey at these:

<http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts>
<http://blog.sucuri.net/2010/01/honeypot-analysis-looking-at-ssh-scans.html>
<http://www.cisco.com/web/about/security/intelligence/ssh-security.html>
<http://www.oreillynet.com/pub/a/sysadmin/2006/09/28/honeypots.html>

Regards,
  David Bolt

--
Team Acorn: www.distributed.net  OGR-NG @ ~100Mnodes  RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b   |                    |                    | openSUSE 11.3M4 32b
openSUSE 11.0 64b   | openSUSE 11.1 64b  | openSUSE 11.2 64b  |
TOS 4.02            | openSUSE 11.1 PPC  | RISC OS 4.02       | RISC OS 3.11
From: Will Honea on 18 Apr 2010 18:01
houghi wrote:

> David Bolt wrote:
> <snip>
>> <http://www.cisco.com/web/about/security/intelligence/ssh-security.html>
>
> Must read. Made me add the following to my sshd_conf file:
> PermitRootLogin no
> AllowUsers hougie
>
> No idea why I never have done that before.
> If you have many users, you can add a group (say sshusers), add all
> users who are allowed to get ssh access to that group and use
> AllowGroups sshusers
>
> There are more ways to make ssh even more secure. Using public keys is
> one.
>
>> <http://www.oreillynet.com/pub/a/sysadmin/2006/09/28/honeypots.html>
>
> Must read if you want to run your own honeypot. http://www.honeyd.org/
> for even more info.

This all started as a simple question - and grew to one of the longest
threads I've seen in a while. Good info, even if we did wander a bit from
the initial topic ;-)

I've tried the blockhosts bit as well as the upper ports stuff on the
machines that were being hit. Of course, the only positive results I've
gotten were in response to my own test script but it has been a worthwhile
exercise anyway. The recent links made very good reading. Maybe a
condensed wiki or how-to with all the links would be a useful effort.

--
Will Honea
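A way to check that the sshd_config changes quoted above actually took effect, as an added example that is neither the thread's nor the OpenSSH project's code. sshd_config(5) documents that for each keyword the first value read is the one used, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing; the audit reproduces that rule rather than grepping for the line. The configuration file is constructed to contain exactly that mistake, the function names are mine, and directives inside Match blocks are treated as out of scope (scanning stops at the first Match line) because they apply only conditionally.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# the post recommends (PermitRootLogin no, AllowUsers or AllowGroups, public
# keys instead of passwords). sshd uses the FIRST value it reads for each
# keyword, so a hardening line appended at the end of the file is silently
# ignored if the keyword already appears above it.

# Constructed sshd_config containing exactly that mistake.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# constructed sshd_config for the audit below
Port 22
PermitRootLogin yes
#PermitRootLogin no
PasswordAuthentication yes
AllowGroups sshusers
PermitRootLogin no
EOF

# effective FILE KEYWORD: the value sshd would use (first non-comment match;
# keywords are case-insensitive), lowercased, or "unset" if the keyword never
# appears. Scanning stops at the first Match block, whose lines are conditional.
effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v key="$key" '
        $1 ~ /^#/ || NF < 2     { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# audit_sshd_config FILE: one OK/WARN line per check; returns 1 if any WARN.
audit_sshd_config() {
    rc=0
    root=$(effective "$1" PermitRootLogin)
    if [ "$root" = no ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "WARN PermitRootLogin is '$root' (first occurrence wins; later lines are ignored)"
        rc=1
    fi
    if [ "$(effective "$1" AllowUsers)" = unset ] && [ "$(effective "$1" AllowGroups)" = unset ]; then
        echo "WARN no AllowUsers/AllowGroups: every local account may attempt a login"
        rc=1
    else
        echo "OK   logins limited to the listed users/groups"
    fi
    pw=$(effective "$1" PasswordAuthentication)
    if [ "$pw" = no ]; then
        echo "OK   PasswordAuthentication no (keys only)"
    else
        echo "WARN PasswordAuthentication is '$pw' (unset means the default, yes); a dictionary attack only works against passwords"
        rc=1
    fi
    return "$rc"
}

audit_sshd_config "$CFG" || echo "audit found problems (exit status $?)"
```

On the constructed file the audit reports PermitRootLogin as still "yes" despite the trailing "no" line, accepts the AllowGroups restriction, and warns that password authentication is on. The same first-match rule is why it is safer to edit the existing line than to append a new one.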