A couple of days ago I wrote a brief article on the vandals banging away at the door of my ssh server. As I said there, I have at times been fairly smug about the futility of their actions, but.... the persistence concerns me. Let me be more specific. I keep a fairly tight sshd setup: SSH protocol version 1 is disabled, only specific users are allowed in (AllowUsers), privilege separation is on, root login is denied, and I update whenever there is a problem with the running version. But when you see a single IP making THOUSANDS of login attempts, you start thinking.... what if they hit on a valid username and then try a thousand passwords against that one account? Hmmmm... disturbing. So I wound up setting up denyhosts and thought I'd share a bit more about it here.
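The sshd_config settings listed above are easy to get wrong in a way that does not show up until the log fills with attempts, so here is an added example (not from this post and not part of denyhosts) that audits a config text the way I would check a box I had just tightened. The two config fragments are constructed for the example; the user names in AllowUsers are placeholders. It goes one step beyond the post's list by also flagging password authentication, since key-only login is what finally makes a guessed username worthless. Note that sshd uses the first occurrence of a keyword, so the lookup stops at the first match rather than the last.

```shell
#!/bin/sh
# Constructed sshd_config fragments for the example (not copied from any real host).
WEAK_CONFIG='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePrivilegeSeparation no
X11Forwarding yes'

HARDENED_CONFIG='Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers jsmith backupop
PasswordAuthentication no
PubkeyAuthentication yes'

# cfg_get CONFIG_TEXT KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD (sshd honours
# the first match for each keyword, and keywords are case-insensitive).
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one finding per weak or missing setting; prints nothing when clean.
audit_sshd_config() {
    cfg="$1"
    # An unset Protocol counts as a finding: older OpenSSH releases default to 2,1.
    case "$(cfg_get "$cfg" Protocol)" in
        2) ;;
        *) echo "Protocol: SSH-1 allowed or not pinned (set 'Protocol 2')" ;;
    esac
    [ "$(cfg_get "$cfg" PermitRootLogin)" = "no" ] \
        || echo "PermitRootLogin: root may log in directly (set 'no')"
    [ "$(cfg_get "$cfg" UsePrivilegeSeparation)" = "yes" ] \
        || echo "UsePrivilegeSeparation: not explicitly enabled (set 'yes')"
    [ -n "$(cfg_get "$cfg" AllowUsers)" ] \
        || echo "AllowUsers: no allow-list, every local account is a valid target"
    [ "$(cfg_get "$cfg" PasswordAuthentication)" = "no" ] \
        || echo "PasswordAuthentication: enabled, so a guessed username can be brute-forced"
}

echo "== weak config =="
audit_sshd_config "$WEAK_CONFIG"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CONFIG"
```

To run it against a real box, replace the string with `"$(cat /etc/ssh/sshd_config)"` and remember that `sshd -t` only checks syntax, not whether the settings are sensible.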
Tag: ssh
-
Vandals banging on the door of ssh….
Sometimes I wish I weren't curious about things.... The other night I was working on something on the testbox in the back room and saw the switch lights flickering fairly actively between the server and the internet gateway. At first I thought it might be some mail coming in, but it was awfully persistent. So I started nosing around. I saw sshd showing up in the process list, and on checking /var/log/messages.... found hundreds of ongoing attempts to break in through the ssh server. (sigh....) Now, there was a time when I kind of snickered at these futile attempts, because I have a VERY short list of allowed ssh users. (AllowUsers is set in /etc/ssh/sshd_config.) But this was fairly persistent, and there was more variety in the usernames than I'm used to seeing.
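Counting failures per source address in that log is exactly what denyhosts automates; here is an added example (not from this post and not denyhosts' own code) that does the count in POSIX shell over a few constructed /var/log/messages lines, and also lists the usernames being tried that are not on the AllowUsers list, which is the quickest way to see whether the attacker is guessing blindly or already knows a real account. The host name, PIDs and addresses (documentation ranges) are made up for the example.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/messages (not real traffic).
SAMPLE_LOG='Jun  3 02:14:07 testbox sshd[4123]: Failed password for invalid user oracle from 198.51.100.7 port 44123 ssh2
Jun  3 02:14:09 testbox sshd[4125]: Failed password for invalid user test from 198.51.100.7 port 44131 ssh2
Jun  3 02:14:11 testbox sshd[4127]: Failed password for root from 198.51.100.7 port 44140 ssh2
Jun  3 02:14:13 testbox sshd[4129]: Failed password for admin from 198.51.100.7 port 44152 ssh2
Jun  3 02:15:40 testbox sshd[4130]: Failed password for jsmith from 203.0.113.9 port 51000 ssh2
Jun  3 02:16:02 testbox sshd[4131]: Accepted publickey for jsmith from 192.0.2.44 port 50222 ssh2'

# failed_sources THRESHOLD
# Prints "COUNT IP" for every source address with at least THRESHOLD failed
# password attempts; successful logins are ignored.
failed_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# unknown_users "ALLOWED USERS"
# Prints each distinct username that failed a login and is not in the
# space-separated allow list (the same list you would put in AllowUsers).
# "invalid user" marks accounts that do not exist on the box at all.
unknown_users() {
    allowed=" $1 "
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
    | sort -u \
    | while read -r u; do
        case "$allowed" in
            *" $u "*) ;;          # a real, allowed account was targeted: worth knowing
            *) echo "$u" ;;
        esac
      done
}

echo "== sources with 3+ failures (candidates for /etc/hosts.deny) =="
failed_sources 3
echo "== attempted usernames not in AllowUsers =="
unknown_users "jsmith"
```

On a live system swap the string for `grep sshd /var/log/messages` and run `failed_sources` from cron; the output of `unknown_users` is the part to read by hand, because an attacker who has stopped guessing and is hammering one allowed account is the case denyhosts' threshold is there to cut short.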
-
The security of remote tech support (ultravnc sc or x11vnc with wrapper script)
Well, I've got a nice way of doing "easy" one-click (or one cut-and-paste) lightweight desktop support for Windows or Linux: one uses ultravnc sc, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? For starters, the biggest vulnerability I see is the computer running the listening vncviewer, because it HAS to be reachable from the outside world. That means the tech support desk must keep on top of vncviewer updates and keep the listener turned off when not expecting a client connection. The other question that comes to mind is encryption, though....
-
A closer look at x11vnc
I've got to say, one of the things I really like about Linux is the myriad of options for remotely administering a system. SSH is the one I use the most, but for graphical access you have X itself (especially on the LAN), nxserver (a compressed and optionally encrypted wrapper around the X protocol), and vnc, although as I've noted in the prior articles one problem with nxserver, X, or vnc is that by default you can't connect to an X session that is already running. x0rfbserver CAN, but only if a user is logged in (as far as I know). I found an interesting trick with x11vnc that lets you run it even while the system is sitting at the greeter (the X login screen).
-
Netcubicle, your personalized network-based Linux desktop..
As they say on their site, "Experience Linux without the hassles of installation and administration." Inqub has a new product out called Netcubicle, which is basically this: for $4.50 a month you get a gigabyte of storage and a Linux desktop accessible from almost any computer in the world (or command-line SSH access, too). Apparently it's based on Ubuntu/Kubuntu (they say both GNOME and KDE are available). The KDE Dot calls it a KDE Desktop Hosting Service.
-
Internet based filesystem with no transfer fees
I thought this was a great idea.... rsync.net. Okay, for $2 per GB of storage per month (or $24 per year for 1 GB) you can have your very own secure online storage drive. For you Windows users, think of a G: drive or a Z: drive that you could SECURELY connect to from a home machine and a work machine.... If you're concerned about a catastrophic failure of one of their datacenters, pay $3.50/GB/month for the geographically dispersed plan (it uses redundant data centers). The best parts (I think) are these: an ssh-encrypted connection to your drive and no transfer fees.
-
Network Security – so https and ssh are immune to arp spoofing right?
When a machine has been ARP spoofed, ALL network traffic from it is likely passing through a "hostile" machine. So, NO, https and ssh traffic is not immune; it is travelling through the hostile machine. It should, however, be encrypted, which is what keeps the attacker from reading or altering it. There are a few exceptions, though. SSH protocol version 1 is cryptographically broken and should be avoided like the plague. As far as I know, SSH 2 should be safe. Pay close attention to warnings that the host identification cannot be verified, or that the host key has changed: a man-in-the-middle sitting on a spoofed network looks exactly like that, and clicking through the warning (or its https equivalent, an untrusted certificate) hands your session to the attacker....
-
Using ssh to protect web browsing over wireless or other hostile networks
This really could be used to encrypt web traffic over any "hostile" network. Here's what I'm talking about. Picture a laptop on wireless. Within our internal network we would LIKE all of its web traffic to be encrypted, at least from the laptop to a wired host. (From there to the outside world it will be in the clear.) At a minimum we would like the traffic encrypted over the wireless leg of the journey. Here are the most straightforward approaches using ssh.
-
Common Networking Ports
Along the lines of "knowing your network" from the network security guide, here are some of the most commonly used network ports. There are 65535 ports (per protocol) that can listen for a connection, so this is not a thorough listing. (These are TCP unless noted otherwise.)
-
Building RPMs – building for several different releases on one machine
I support a few Linux systems outside my own group. Those systems are not upgraded to the latest and greatest version of Mandrake (now Mandriva) as quickly as my home systems are. But I occasionally need to build RPMs for them. I don't want to keep a build environment on each one and have to make sure each has all the devel libraries installed. So what to do?