Re: ssh and security

2002-02-14 Thread Joshua S. Freeman

Thanks Bruce.

J.

On Thu, 14 Feb 2002, Bruce Dawson wrote:

> In your /etc/sendmail.cf file add "goaway" or "noexpn,novrfy" to
> 
> O PrivacyOptions=...
> 
> --Bruce
> 
> Derek D. Martin wrote:
> 
> > Joshua S. Freeman said:
> > 
> > 
> >>Speaking of which, is there a how-to somewhere that instructs one how to 
> >>harden sendmail by disabling VRFY and EXPN ?
> >>
> >>J.
> >>
> > 
> > Yes.  Sendmail comes with a README that explains all the m4 macros for
> > configuring it.  You should be able to find it in /usr/doc/sendmail*
> > if you're on Red Hat, and probably others too.  Or, you can look at
> > www.sendmail.org where the same info is posted (though harder to find,
> > IMO).
> > 
> > 
> 
> 
> 

 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   Joshua S. Freeman | preferred email: [EMAIL PROTECTED]  
   pgp public key: finger [EMAIL PROTECTED]
  http://www.threeofus.com
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-


*
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*



Re: ssh and security

2002-02-14 Thread Bruce Dawson

In your /etc/sendmail.cf file add "goaway" or "noexpn,novrfy" to

O PrivacyOptions=...

--Bruce

Derek D. Martin wrote:

> Joshua S. Freeman said:
> 
> 
>>Speaking of which, is there a how-to somewhere that instructs one how to 
>>harden sendmail by disabling VRFY and EXPN ?
>>
>>J.
>>
> 
> Yes.  Sendmail comes with a README that explains all the m4 macros for
> configuring it.  You should be able to find it in /usr/doc/sendmail*
> if you're on Red Hat, and probably others too.  Or, you can look at
> www.sendmail.org where the same info is posted (though harder to find,
> IMO).
> 
> 



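A check for the PrivacyOptions setting Bruce describes, added here as an example; it is not from the thread or from the sendmail distribution. It shows the equivalent m4 macro for sendmail.mc and a small shell audit that reports whether a given sendmail.cf actually turns VRFY and EXPN off. The sample configuration lines are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a sendmail.cf disables
# VRFY and EXPN through the PrivacyOptions line named above.
#
# The same flags expressed in sendmail.mc (regenerate sendmail.cf with m4
# afterwards and restart sendmail):
#   define(`confPRIVACY_FLAGS', `goaway')dnl          # everything, including noexpn and novrfy
#   define(`confPRIVACY_FLAGS', `noexpn,novrfy')dnl   # just the two commands

# privacy_flags CF_FILE -> comma-separated flags of the last "O PrivacyOptions="
# line, lowercased with spaces removed, or an empty string if there is none
privacy_flags() {
    awk -F= '/^O PrivacyOptions=/ { v = $2 } END { gsub(/ /, "", v); print tolower(v) }' "$1"
}

# privacy_status CF_FILE -> "hardened" when goaway, or both noexpn and novrfy,
# are present; otherwise "exposed"
privacy_status() {
    flags=",$(privacy_flags "$1"),"
    case "$flags" in
        *,goaway,*) echo hardened ;;
        *,noexpn,*)
            case "$flags" in
                *,novrfy,*) echo hardened ;;
                *)          echo exposed ;;
            esac ;;
        *) echo exposed ;;
    esac
}

# Constructed samples: only the relevant line of each sendmail.cf.
CF_DEFAULT=$(mktemp)
CF_HARDENED=$(mktemp)
trap 'rm -f "$CF_DEFAULT" "$CF_HARDENED"' EXIT
printf 'O PrivacyOptions=authwarnings\n' > "$CF_DEFAULT"
printf 'O PrivacyOptions=authwarnings,noexpn,novrfy\n' > "$CF_HARDENED"

echo "default:  $(privacy_status "$CF_DEFAULT")"    # exposed
echo "hardened: $(privacy_status "$CF_HARDENED")"   # hardened
```

Run it against the real file with privacy_status /etc/sendmail.cf after the edit. A second check worth doing once sendmail is restarted is to connect to port 25 on your own host and issue VRFY for a known local account: with novrfy set, sendmail answers with a 252 "Cannot VRFY user" reply instead of confirming the address.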



Re: ssh and security

2002-02-14 Thread Joshua S. Freeman

Thanks, fellas.

J.

On Thu, 14 Feb 2002, Paul Lussier wrote:

> 
> In a message dated: Thu, 14 Feb 2002 10:18:58 EST
> "Joshua S. Freeman" said:
> 
> >Speaking of which, is there a how-to somewhere that instructs one how to 
> >harden sendmail by disabling VRFY and EXPN ?
> 
> Sure:
>   - check the sendmail README file that comes with the source
>   - check sendmail.org
>   - check "The UNIX System Administration Handbook" by Nemeth, et al.
> -- 
> 
> Seeya,
> Paul
> 
> 
> God Bless America!
> 
>If you're not having fun, you're not doing it right!
> 
>   ...we don't need to be perfect to be the best around,
>   and we never stop trying to be better. 
>  Tom Clancy, The Bear and The Dragon
> 
> 
> 
> 

 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   Joshua S. Freeman | preferred email: [EMAIL PROTECTED]  
   pgp public key: finger [EMAIL PROTECTED]
  http://www.threeofus.com
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-





Re: ssh and security

2002-02-14 Thread Paul Lussier


In a message dated: Thu, 14 Feb 2002 10:18:58 EST
"Joshua S. Freeman" said:

>Speaking of which, is there a how-to somewhere that instructs one how to 
>harden sendmail by disabling VRFY and EXPN ?

Sure:
- check the sendmail README file that comes with the source
- check sendmail.org
- check "The UNIX System Administration Handbook" by Nemeth, et al.
-- 

Seeya,
Paul


  God Bless America!

 If you're not having fun, you're not doing it right!

...we don't need to be perfect to be the best around,
and we never stop trying to be better. 
   Tom Clancy, The Bear and The Dragon






Re: ssh and security

2002-02-14 Thread Derek D. Martin

Joshua S. Freeman said:

> Speaking of which, is there a how-to somewhere that instructs one how to 
> harden sendmail by disabling VRFY and EXPN ?
> 
> J.

Yes.  Sendmail comes with a README that explains all the m4 macros for
configuring it.  You should be able to find it in /usr/doc/sendmail*
if you're on Red Hat, and probably others too.  Or, you can look at
www.sendmail.org where the same info is posted (though harder to find,
IMO).

-- 
Derek Martin
Senior System Administrator
Mission Critical Linux
[EMAIL PROTECTED]





Re: ssh and security

2002-02-14 Thread Joshua S. Freeman

Speaking of which, is there a how-to somewhere that instructs one how to 
harden sendmail by disabling VRFY and EXPN ?

J.

On Thu, 14 Feb 2002, Peter Beardsley wrote:

> At 09:50 PM 2/13/2002 -0500, you wrote:
> 
> >I see it all the time. Usernames are usually fairly easy to guess
> >especially on a mailserver if it's sendmail and VRFY and EXPN are
> >enabled. Check your mail logs for a lot of 550's, then check the IP
> >address against recent spam. Anything that wasn't rejected and
> >returned to the sender is a potential username on a box running SSH
> >*and* a mail server. Also, if you own the domain name of the box, a
> >simple whois will turn up several potential usernames. There are
> >literally hundreds of ways to get usernames. In theory. So I've heard
> >;-)
> 
> Yeah, I just saw that this user had been logged in several times that day 
> leading up to the attempt and got paranoid, thinking it was more than a 
> coincidence.  Later I found out that mail had been sent out under this 
> username, which is probably how they got it.  Thanks.
> 
> 
> Peter Beardsley
> Appropriate Solutions, Inc.
> [EMAIL PROTECTED]
> 
> 
> 

 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   Joshua S. Freeman | preferred email: [EMAIL PROTECTED]  
   pgp public key: finger [EMAIL PROTECTED]
  http://www.threeofus.com
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-





Re: ssh and security

2002-02-14 Thread Peter Beardsley

At 09:50 PM 2/13/2002 -0500, you wrote:

>I see it all the time. Usernames are usually fairly easy to guess
>especially on a mailserver if it's sendmail and VRFY and EXPN are
>enabled. Check your mail logs for a lot of 550's, then check the IP
>address against recent spam. Anything that wasn't rejected and
>returned to the sender is a potential username on a box running SSH
>*and* a mail server. Also, if you own the domain name of the box, a
>simple whois will turn up several potential usernames. There are
>literally hundreds of ways to get usernames. In theory. So I've heard
>;-)

Yeah, I just saw that this user had been logged in several times that day 
leading up to the attempt and got paranoid, thinking it was more than a 
coincidence.  Later I found out that mail had been sent out under this 
username, which is probably how they got it.  Thanks.


Peter Beardsley
Appropriate Solutions, Inc.
[EMAIL PROTECTED]





Re: ssh and security

2002-02-13 Thread Kenneth E. Lussier

Hi Peter,

Peter Beardsley wrote:
>
> Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69  user=xx
> Feb 12 20:00:55 xxx sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69  user=xx

The good news is that according to this, they didn't get in.
Personally, I would 1) make sure that all r* services are disabled, 2)
don't use passwords, use public/private keypairs, 3) make sure you are
up to date on all OpenSSH patches.
   
> Where the user in question was a user that was being used to ssh into
> this machine remotely, and the IP traces back to a Venezuelan ISP.  So
> somehow s/he got the username.  Has anyone seen anything like this
> before?  BTW I require ssh v2 connections.  

I see it all the time. Usernames are usually fairly easy to guess
especially on a mailserver if it's sendmail and VRFY and EXPN are
enabled. Check your mail logs for a lot of 550's, then check the IP
address against recent spam. Anything that wasn't rejected and
returned to the sender is a potential username on a box running SSH
*and* a mail server. Also, if you own the domain name of the box, a
simple whois will turn up several potential usernames. There are
literally hundreds of ways to get usernames. In theory. So I've heard
;-)

> I've read a little here and
> there about "monkey in the middle" attacks on ssh, but don't you have to
> be on the same subnet?

Nah. They just have to be able to intercept your traffic,
rebroadcast modified packets, then intercept the return traffic and
modify that before rebroadcasting it. But it isn't an easy task.
Besides, man-in-the-middle attacks usually involve an attempt at
session-hijacking (also not an easy task), not a direct login attempt. 
 
C-Ya,
Kenny

-- 
---
 Kenneth E. Lussier
 Geek by nature, Linux by choice
 PGP KeyID C0D2BA57 
 Public key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0D2BA57

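The log review Kenny suggests, worked through as an added example (not code from the thread): summarise sshd password failures per source host and user, count SMTP 550 rejections per connecting relay, and list the hosts that appear in both. The sample lines are constructed in the syslog format the thread shows for sshd and in the sendmail 8.11-style check_rcpt format; the function names and the threshold argument are my own.

```sh
#!/bin/sh
# Added example, not from the thread: correlate sshd authentication failures
# with bursts of SMTP 550 rejections in the mail log.

# Constructed sample logs (the IPs are documentation ranges).
SSHD_SAMPLE=$(mktemp)
MAIL_SAMPLE=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE" "$MAIL_SAMPLE"' EXIT

cat > "$SSHD_SAMPLE" <<'EOF'
Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=jdoe
Feb 12 20:00:55 xxx sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=jdoe
Feb 12 20:03:10 xxx sshd(pam_unix)[18551]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Feb 12 20:05:41 xxx sshd(pam_unix)[18560]: session opened for user jdoe by (uid=0)
EOF

cat > "$MAIL_SAMPLE" <<'EOF'
Feb 12 19:40:01 xxx sendmail[18401]: g1D0e1x18401: ruleset=check_rcpt, arg1=<alice@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <alice@example.org>... User unknown
Feb 12 19:40:02 xxx sendmail[18401]: g1D0e2x18401: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <bob@example.org>... User unknown
Feb 12 19:40:02 xxx sendmail[18401]: g1D0e3x18401: ruleset=check_rcpt, arg1=<carol@example.org>, relay=[198.51.100.7], reject=550 5.1.1 <carol@example.org>... User unknown
Feb 12 19:40:03 xxx sendmail[18401]: g1D0e4x18401: from=<probe@example.net>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Feb 12 19:55:12 xxx sendmail[18422]: g1D0tCx18422: ruleset=check_rcpt, arg1=<nobody@example.org>, relay=mx.partner.example [192.0.2.40], reject=550 5.1.1 <nobody@example.org>... User unknown
EOF

# sshd_failures LOG -> lines of "rhost user count". pam_unix logs the first
# failure in full and then "N more authentication failures", so N is added.
sshd_failures() {
    awk '
    /sshd\(pam_unix\).*authentication failure/ {
        n = 1
        if (match($0, /[0-9]+ more authentication failures/))
            n = substr($0, RSTART, RLENGTH) + 0   # awk keeps the leading number
        rhost = "?"; user = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=./) rhost = substr($i, 7)
            if ($i ~ /^user=./)  user  = substr($i, 6)
        }
        fails[rhost " " user] += n
    }
    END { for (k in fails) print k, fails[k] }' "$1" | sort
}

# smtp_rejects LOG -> lines of "relay_ip count" for 550 rejections.
smtp_rejects() {
    awk '
    /sendmail\[.*reject=550/ && match($0, /relay=[^,]*\[[0-9.]+\]/) {
        r = substr($0, RSTART, RLENGTH)
        sub(/.*\[/, "", r); sub(/\]/, "", r)
        rej[r]++
    }
    END { for (k in rej) print k, rej[k] }' "$1" | sort
}

# suspects SSHD_LOG MAIL_LOG MIN -> sshd failure summary for every relay that
# collected at least MIN 550s: the address-guessing host that later tried ssh.
suspects() {
    smtp_rejects "$2" | awk -v min="$3" '$2 >= min { print $1 }' | while read -r ip; do
        sshd_failures "$1" | awk -v ip="$ip" '$1 == ip { print ip, $2, $3 }'
    done
}

echo "sshd failures (rhost user count):"; sshd_failures "$SSHD_SAMPLE"
echo "550 rejections per relay:";         smtp_rejects "$MAIL_SAMPLE"
echo "relays with >=3 rejects that also hit sshd:"; suspects "$SSHD_SAMPLE" "$MAIL_SAMPLE" 3
```

On a Red Hat box of that era the inputs are /var/log/messages or /var/log/secure for sshd and /var/log/maillog for sendmail. The 550 threshold is deliberately a parameter: one bounce from a partner's MX is normal, a run of them from one relay within seconds is the username harvesting Kenny describes.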



Re: ssh and security

2002-02-13 Thread Benjamin Scott

On Wed, 13 Feb 2002, Peter Beardsley wrote:
> Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69  user=xx
[...]
> So somehow s/he got the username.

  User names are often not that hard to find out.  According to the log 
you post, they did not succeed in authenticating (logging in), so they did 
not have a suitable password.  If your passwords are good, you should be 
reasonably safe.

> BTW I require ssh v2 connections.

  Make sure you've got the latest-and-greatest version of OpenSSH installed
(3.x something).  Require strong ciphers.  Disable anything that even
mentions "rhosts".  For maximum security, disable password authentication
and require public/private keys.

> I've read a little here and there about "monkey in the middle" attacks on
> ssh, but don't you have to be on the same subnet?

  All that is required for a man-in-the-middle attack is that the attacker
be in a position to intercept and replace communications in both directions.  
Being on the same subnet as one of the parties may or may not enable this.

  A good explanation (complete with diagram) of the concept of a
man-in-the-middle attack can be found on this webpage:

http://www.sm.luth.se/csee/courses/smd/102/lek5/lek5.html

  Here is another, specifically about SSH:

http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |




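Ben's sshd checklist turned into a config audit, added here as an example that is not from the thread or from OpenSSH itself. It shows a weak and a hardened sshd_config side by side (both constructed) and a shell function that reports what still needs changing. The directive names are the ones OpenSSH 3.x accepted in 2002 (RhostsAuthentication was later removed), and the cipher list reflects what counted as strong for that release series.

```sh
#!/bin/sh
# Added example, not from the thread: audit an OpenSSH 3.x-era sshd_config
# against the advice above (protocol 2 only, no password or rhosts-style
# authentication, an explicit cipher list).

# sshd_setting CONFIG NAME -> value of the last uncommented NAME line, lowercased
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print tolower(v) }' "$1"
}

# sshd_audit CONFIG -> one line per finding; no output means every check passed.
# Unset directives are judged by their OpenSSH defaults (passwords on, rhosts off).
sshd_audit() {
    [ "$(sshd_setting "$1" Protocol)" = 2 ] \
        || echo "Protocol: allow version 2 only"
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ] \
        || echo "PasswordAuthentication: set to no and use public keys"
    [ "$(sshd_setting "$1" PubkeyAuthentication)" != no ] \
        || echo "PubkeyAuthentication: must stay yes once passwords are off"
    [ "$(sshd_setting "$1" IgnoreRhosts)" != no ] \
        || echo "IgnoreRhosts: set to yes"
    [ "$(sshd_setting "$1" RhostsAuthentication)" != yes ] \
        || echo "RhostsAuthentication: set to no"
    [ "$(sshd_setting "$1" RhostsRSAAuthentication)" != yes ] \
        || echo "RhostsRSAAuthentication: set to no"
    [ "$(sshd_setting "$1" PermitEmptyPasswords)" != yes ] \
        || echo "PermitEmptyPasswords: set to no"
    case "$(sshd_setting "$1" Ciphers)" in
        "" | *arcfour*) echo "Ciphers: list the ciphers you accept explicitly, without arcfour" ;;
    esac
}

# Constructed samples: a stock-looking config and the same host after the edits.
SSHD_WEAK=$(mktemp)
SSHD_HARD=$(mktemp)
trap 'rm -f "$SSHD_WEAK" "$SSHD_HARD"' EXIT

cat > "$SSHD_WEAK" <<'EOF'
# constructed: passwords and rhosts left on, both protocol versions offered
Protocol 2,1
PasswordAuthentication yes
RhostsAuthentication yes
PermitEmptyPasswords no
EOF

cat > "$SSHD_HARD" <<'EOF'
# constructed: protocol 2 only, keys only, rhosts off, explicit ciphers
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no
Ciphers aes128-cbc,aes256-cbc,3des-cbc
EOF

echo "weak config:";     sshd_audit "$SSHD_WEAK"    # four findings
echo "hardened config:"; sshd_audit "$SSHD_HARD"    # no findings
```

Point it at /etc/ssh/sshd_config on the live host, fix what it lists, then have sshd re-read the file. Keep an existing session open while you test a fresh key-based login, so a typo in the config cannot lock you out.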



ssh and security

2002-02-13 Thread Peter Beardsley

Hi,
I have a RH7.2 machine that has had everything that's not being used 
shut off from day one:

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xxx.xxx.xxx):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State   Service
22/tcp     open    ssh
25/tcp     open    smtp
80/tcp     open    http
443/tcp    open    https
3306/tcp   open    mysql
1/tcp      open    snet-sensor-mgmt

(Port 1 is the Webmin package which uses https.)

But last night I got this in /var/log/messages:

Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69  user=xx
Feb 12 20:00:55 xxx sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69  user=xx

Where the user in question was a user that was being used to ssh into 
this machine remotely, and the IP traces back to a Venezuelan ISP.  So 
somehow s/he got the username.  Has anyone seen anything like this 
before?  BTW I require ssh v2 connections.  I've read a little here and 
there about "monkey in the middle" attacks on ssh, but don't you have to 
be on the same subnet?

