Re: ssh testing - fail2ban

2010-03-11 Thread Craig Falconer

Derek Smithies wrote, On 12/03/10 10:16:
> yes yes, this is security by obscurity, (which is a poor form of security),
> but it is a start in the right direction. It will cut down on the number
> of attacks on your box.


I suggest using fail2ban or something similar.
It allows 5 failed ssh connections then firewalls off that source IP for 
a time.  Works well on horse.


horse:/var/log# iptables -L
Chain fail2ban-ssh (1 references)
target prot opt source   destination
DROP   all  --  203.167.214.38   anywhere
DROP   all  --  16.102.7.91  anywhere
RETURN all  --  anywhere anywhere
...


Or if this is something you'll do more in the future then look at a 
proper VPN setup.



--
Craig Falconer
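The ban logic Craig describes (five failures, then a DROP for the source address), as an added example that is not from the post or from fail2ban itself: a minimal Python sketch of fail2ban's maxretry/findtime model run over constructed sshd auth.log lines. The chain name follows the post; the sample addresses are constructed documentation ranges, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (syslog format), not real traffic.
AUTH_LOG = """\
Mar 11 20:01:02 horse sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 11 20:01:05 horse sshd[4011]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 11 20:01:09 horse sshd[4013]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 11 20:01:12 horse sshd[4013]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar 11 20:01:15 horse sshd[4015]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar 11 20:02:00 horse sshd[4020]: Failed password for craig from 192.0.2.10 port 40000 ssh2
Mar 11 20:02:30 horse sshd[4021]: Accepted publickey for craig from 192.0.2.10 port 40001 ssh2
Mar 11 20:03:00 horse sshd[4030]: Failed password for invalid user test from 203.0.113.9 port 33333 ssh2
Mar 11 21:10:00 horse sshd[4031]: Failed password for invalid user test from 203.0.113.9 port 33334 ssh2
"""

# One sshd failure line: capture the syslog timestamp and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port"
)

def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: timestamp_of_ban} for sources with >= maxretry failures
    inside any findtime-second window (fail2ban's maxretry/findtime model)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Slide the window: forget failures older than findtime seconds.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = m["ts"]
    return bans

def ban_rules(bans, chain="fail2ban-ssh"):
    """Render the iptables inserts that produce the DROP lines seen in `iptables -L`."""
    return [f"iptables -I {chain} 1 -s {ip} -j DROP" for ip in sorted(bans)]

if __name__ == "__main__":
    for rule in ban_rules(find_bans(AUTH_LOG)):
        print(rule)
```

Only 198.51.100.7 crosses five failures inside ten minutes; the two failures from 203.0.113.9 an hour apart never do, which is what findtime is for.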



Re: ssh testing

2010-03-11 Thread Jim Cheetham
On Fri, Mar 12, 2010 at 11:23 AM, Steve Holdoway  wrote:
> On Fri, 2010-03-12 at 11:17 +1300, Jim Cheetham wrote:
>> and a key is around 700 typeable characters ... set up keys, not
>> passwords!
> ... or passphrases, not passwords?

Well, you probably should be using passphrases instead of passwords in
many places. Passphrases work well for login, for example, and a
passphrase of equivalent entropy to a complex password is generally
much much easier to remember.

As a quick aside, here's a nice method: grab random numbers from
random.org, and look them up on a wordlist using the diceware.com
method ...

#!/bin/sh
# diceware ... generate a passphrase by combining RANDOM.ORG
#  with the diceware method, on the Beale wordlist

WORDS=${1:-5}
# Five d6 per word, returned as one line of five tab-separated digits.
# (Not named RANDOM: under bash that is the built-in random-number variable.)
URL='http://www.random.org/integers/?num=5&min=1&max=6&col=5&base=10&format=plain&rnd=new'

for i in $(seq 1 "$WORDS")
do
    # Join the five digits into one lookup key, e.g. 55112
    FIVEd6=$(/usr/bin/GET "$URL" | tr -d '\t')
    # Anchor on the key column so digits inside a word never match
    grep "^$FIVEd6" "$HOME/stash/docs/beale.wordlist.asc"
done

$ diceware
55112   spits
61243   toni
14544   boot
56251   tamer
15221   broad

(Beware whenever you see variable names like "FIVEd6" ... you are
dealing with a roleplayer, possibly a D&Der ... lol)

However, joking aside ... while a passphrase may be a few times longer
than a password, it's still nothing compared with a key. Put a decent
passphrase on the private key, sure ... but that's not anything to do
with what the server sees on ssh login. And even that is slightly
undone by Ubuntu's helpful key agent, that autoloads everything in
~/.ssh and offers to remember that long passphrase for you ...

-jim
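Jim's diceware recipe, redone as an added example (not Jim's script): it goes beyond the post by rolling the dice locally with the `secrets` module instead of fetching them from random.org, so nothing leaves the machine, and it computes the entropy behind the "equivalent entropy" comparison. The five wordlist lines are constructed from the rolls shown in the post's output; a real Beale list has all 7776 keys, and the dice roller is injectable so a test can replay those rolls.

```python
import math
import secrets

# Five lines in the Beale/diceware wordlist format ("<five dice>\t<word>").
# Constructed from the rolls in the post; the real list has all 7776 keys.
SAMPLE_WORDLIST = """\
14544\tboot
15221\tbroad
55112\tspits
56251\ttamer
61243\ttoni
"""

def parse_wordlist(text):
    """Map each five-digit dice key to its word, ignoring malformed lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    return table

def roll_key(rng=secrets.randbelow):
    """Roll five d6 locally; randbelow(6) is uniform, so there is no modulo bias."""
    return "".join(str(rng(6) + 1) for _ in range(5))

def diceware(table, words=5, rng=secrets.randbelow):
    """Generate a passphrase of `words` words; every roll must exist in `table`
    (a KeyError here means the wordlist is incomplete, as the sample above is)."""
    return " ".join(table[roll_key(rng)] for _ in range(words))

def entropy_bits(words, list_size=6 ** 5):
    """Entropy of a passphrase drawn uniformly from a list_size-word list."""
    return words * math.log2(list_size)

def equivalent_password_length(words, alphabet=95, list_size=6 ** 5):
    """Shortest random password over `alphabet` symbols with at least that entropy."""
    return math.ceil(entropy_bits(words, list_size) / math.log2(alphabet))

if __name__ == "__main__":
    print(f"5 words: {entropy_bits(5):.1f} bits, "
          f"~{equivalent_password_length(5)} random printable characters")
```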


Re: ssh testing

2010-03-11 Thread Steve Holdoway
On Fri, 2010-03-12 at 11:17 +1300, Jim Cheetham wrote:
> s,
> and a key is around 700 typeable characters ... set up keys, not
> passwords!
... or passphrases, not passwords? 

-- 
Steve Holdoway 
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0




Re: ssh testing

2010-03-11 Thread Jim Cheetham
On Fri, Mar 12, 2010 at 10:59 AM, Steve Holdoway  wrote:
> For a couple of weeks away, I wouldn't bother with the obscurity bit in
> that way, rather just disable root login so they have to guess the user
> account and password before denyhosts closes them out.

Things that are set up "for a couple of weeks" tend to stay enabled
for far longer than intended! You're right that in Rob's example he
doesn't need to set up Fort Knox, but I'd strongly suggest that the
minimum bar should be "username & key" instead of "username &
password".

I haven't done much research on the matter, I only keep half an eye on
attempts across my servers seeing as denyhosts works well, but I have
never noticed anyone even attempting to crack in with "username &
key". Considering that a password is around 8-10 typeable characters,
and a key is around 700 typeable characters ... set up keys, not
passwords!

-jim


Re: ssh testing

2010-03-11 Thread Jim Cheetham
On Fri, Mar 12, 2010 at 10:16 AM, Derek Smithies  wrote:
>  In addition to the deny hosts approach, I would move the ssh port to
> somewhere else.
> ...
> yes yes, this is security by obscurity, (which is a poor form of security), but

You are right that it cuts down attacks, because the great majority of
bot attacks don't bother doing anything except port 22. I have only
one server not running on port 22, and it basically gets zero scans
(in the period Aug 23 2009 to today).

However, if you don't remember that you have done this, it reduces
your own ability to connect to your own machine. It is not
"discoverable" and may lead you to waste lots of your own time trying
to debug a non-existent problem.

A well-configured ssh service isn't going to let an attacker in.
Well-configured can mean a lot of things, but includes at least "no
passwords, only keys", "only named users", "never root" and "security
updated quickly from a reputable source". Adding "blacklist on
unsuccessful attempts" helps to prevent your machine wasting
resources.

I don't agree that "well-configured" means "on a different port",
except possibly in some formally documented environments. And given
that most of those are internal networks where the very existence of
attack traffic is a great problem -- in other words, if someone is
even trying to attack port 22, you'd rather know about it than just
ignore it -- I tend to think it's more of a distraction than a
benefit.

There is a place for "on a different port"; if you don't want to pay
any attention to the security of your servers (i.e. you don't watch
log exceptions) and you only have (a small number, e.g. one) machine
you are responsible for, then it's a reasonably effective way to be
slightly more comfortable when ignoring the operations of your
machine.

-jim (who admits to having one machine running ssh on a non-standard
port. But only one machine ...)
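A check for Jim's "well-configured" checklist against an sshd_config, as an added example that is not part of the post: it reads the file the way sshd does for global directives (first value wins, keywords case-insensitive, Match blocks are conditional and so skipped here) and reports deviations. Both config fragments are constructed; treating unset options as permissive is an assumption reflecting the defaults of the era.

```python
import re

# Constructed sshd_config fragments, not from any host in the thread.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers rob steve
UsePAM yes
Match Address 192.168.10.0/24
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Global directives only: sshd keeps the FIRST value seen for a keyword,
    keywords are case-insensitive, and 'Key value' or 'Key=value' both parse."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            in_match = True      # everything after Match is conditional
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings

def audit(text):
    """Findings against the checklist: keys only, named users, never root."""
    s = {k: v.lower() for k, v in parse_sshd_config(text).items()}
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication not 'no': password logins allowed")
    # With PAM, keyboard-interactive can still prompt for a password unless disabled.
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "no" and s.get("usepam", "no") == "yes":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    if s.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin not 'no'")
    if s.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication disabled")
    if not s.get("allowusers"):
        findings.append("AllowUsers not set: any account may attempt to log in")
    return findings
```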


Re: ssh testing

2010-03-11 Thread Steve Holdoway
On Fri, 2010-03-12 at 10:24 +1300, Jim Cheetham wrote:
> On Thu, Mar 11, 2010 at 9:55 PM, Steve Holdoway  
> wrote:
> > no - still being prompted for a password...
> 
> Steve, I hope you're testing with ssh -v so you can see all the
> methods the ssh server is advertising.
> 
> Rob, I hope you've set "PasswordAuthentication no" in
> /etc/ssh/sshd_config (and restarted sshd). I also hope that you have
> whitelisted places you know you might be connecting from in
> /etc/hosts.allow :-)
> 
> Hads, you're right that a connection attempt denied by sshd can move
> on to the next authentication method, which often means that you get
> asked for a password. However, denyhosts logs IP addresses in
> /etc/hosts.deny, and sshd is usually compiled to look at tcpwrappers,
> so people who have failed to login too many times will eventually get
> no ACK from sshd at all.
> 
> -jim

I'm as risk averse as the next person - probably more than some having
fought hackers since the interweb was invented in my role as a sysadm.

However...

For a couple of weeks away, I wouldn't bother with the obscurity bit in
that way, rather just disable root login so they have to guess the user
account and password before denyhosts closes them out. This is a pretty
huge block for any prospective hacker, especially if you chose your
login carefully off the bottom of the common account names list. In
fact, outside a corporate environment, I'd say it's all you need(*).
Yes, some may say that you need to take distributed hack attempts into
account but... well, risk is a subjective viewpoint, and mine is that
it's an acceptable one to take - even more so if you use a dynamic dns
service and can persuade your router to acquire a new IP address on a
regular basis.

The bit about password authentication is ok if you're going to use your
own lappie, but if you're going to borrow a pc to check stuff, then
carrying around your private key is going to be a real pain. Use of
internet cafes brings up a new list of potential security issues, of
course.

BTW, if you are taking a lappie with you, then I'd set OpenVPN up and
restrict the ssh server to listen only on that subnet.

Cheers,

Steve
(*) at the moment!

-- 
Steve Holdoway 
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0




Re: ssh testing

2010-03-11 Thread Jim Cheetham
On Thu, Mar 11, 2010 at 9:55 PM, Steve Holdoway  wrote:
> no - still being prompted for a password...

Steve, I hope you're testing with ssh -v so you can see all the
methods the ssh server is advertising.

Rob, I hope you've set "PasswordAuthentication no" in
/etc/ssh/sshd_config (and restarted sshd). I also hope that you have
whitelisted places you know you might be connecting from in
/etc/hosts.allow :-)

Hads, you're right that a connection attempt denied by sshd can move
on to the next authentication method, which often means that you get
asked for a password. However, denyhosts logs IP addresses in
/etc/hosts.deny, and sshd is usually compiled to look at tcpwrappers,
so people who have failed to login too many times will eventually get
no ACK from sshd at all.

-jim


Re: ssh testing

2010-03-11 Thread Derek Smithies

Hi,
In addition to the deny hosts approach, I would move the ssh port to
somewhere else.
The firewall should open some other port (a random number you like
and can remember, say 4242) and port forward that to port 22 of the
recipient box.
Consequently, anyone who checks port 22 of every ip address won't get a
response back from your box and will move on.


yes yes, this is security by obscurity, (which is a poor form of security),
but it is a start in the right direction. It will cut down on the number
of attacks on your box.


If you edit (on the box making the link) the .ssh/config file you can add
entries like:

Host dereksbox.dyndns.org
port 4242

which means that you can do
ssh dereksbox.dyndns.org
 and not have to specify the port in use.

Otherwise, it is
  ssh -p 4242 dereksbox.dyndns.org

Cheers,

Derek.



On Fri, 12 Mar 2010, Steve Holdoway wrote:
> On Fri, 2010-03-12 at 00:56 +1300, Hadley Rich wrote:
>> On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
>>> no - still being prompted for a password...
>>
>> A denied or not allowed user will still get prompted for a password, it
>> will just never work.
>>
>> hads
>
> Denyhosts adds addresses to /etc/hosts.deny. This will drop the
> connection before password requests iirc.
>
> Steve


--
Derek Smithies Ph.D.
IndraNet Technologies Ltd.
ph +64 3 365 6485
Web: http://www.indranet-technologies.com/

"How did you make it work??"
  "Oh, the usual, get everything right".


Re: ssh testing

2010-03-11 Thread Steve Holdoway
On Fri, 2010-03-12 at 00:56 +1300, Hadley Rich wrote:
> On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
> > no - still being prompted for a password...
> 
> A denied or not allowed user will still get prompted for a password, it
> will just never work.
> 
> hads
> 
Denyhosts adds addresses to /etc/hosts.deny. This will drop the
connection before password requests iirc.

Steve



Re: ssh testing

2010-03-11 Thread Hadley Rich
On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
> no - still being prompted for a password...

A denied or not allowed user will still get prompted for a password, it
will just never work.

hads

-- 
http://nicegear.co.nz
New Zealand's Open Source Hardware Supplier



Re: ssh testing

2010-03-11 Thread Steve Holdoway
On Thu, 2010-03-11 at 21:38 +1300, Robert Fisher wrote:
> Steve Holdoway wrote:
> >> yup, getting a response now (:
> >>
> >> Steve
> >>
> > If you're going to leave port 22 open, then I'd install something like
> > denyhosts, and disable root login over ssh. If you're taking a lappie
> > with you then installing certificates would allow you to disable
> > password logins completely.
> > 
> Good advice (I did not know about denyhosts but now I think I have it 
> set up OK - I have done some tests here.)
> 
> If you are still there tonight before I go to bed you might like to try 
> again - you should be denied.
> 
> Rob

no - still being prompted for a password...




Re: ssh testing

2010-03-11 Thread Robert Fisher

Steve Holdoway wrote:
>> yup, getting a response now (:
>>
>> Steve
>>
> If you're going to leave port 22 open, then I'd install something like
> denyhosts, and disable root login over ssh. If you're taking a lappie
> with you then installing certificates would allow you to disable
> password logins completely.

Good advice (I did not know about denyhosts but now I think I have it
set up OK - I have done some tests here.)

If you are still there tonight before I go to bed you might like to try
again - you should be denied.

Rob


Re: ssh testing

2010-03-10 Thread Steve Holdoway
On Thu, 2010-03-11 at 20:35 +1300, Steve Holdoway wrote:
> On Thu, 2010-03-11 at 20:16 +1300, Robert Fisher wrote:
> > Steve Holdoway wrote:
> > 
> > > Getting no response from that ssh on port 22 on that ip address from
> > > Diamond Harbour... ):
> > > 
> > > Steve
> > > 
> > > 
> > Could you try again please Steve - PC was off for a little while.
> > 
> > Rob
> yup, getting a response now (:
> 
> Steve
> 
If you're going to leave port 22 open, then I'd install something like
denyhosts, and disable root login over ssh. If you're taking a lappie
with you then installing certificates would allow you to disable
password logins completely.

Steve



Re: ssh testing

2010-03-10 Thread Steve Holdoway
On Thu, 2010-03-11 at 20:16 +1300, Robert Fisher wrote:
> Steve Holdoway wrote:
> 
> > Getting no response from that ssh on port 22 on that ip address from
> > Diamond Harbour... ):
> > 
> > Steve
> > 
> > 
> Could you try again please Steve - PC was off for a little while.
> 
> Rob
yup, getting a response now (:

Steve



Re: ssh testing

2010-03-10 Thread Robert Fisher

Steve Holdoway wrote:
> Getting no response from that ssh on port 22 on that ip address from
> Diamond Harbour... ):
>
> Steve

Could you try again please Steve - PC was off for a little while.

Rob


Re: ssh testing

2010-03-10 Thread Steve Holdoway
On Thu, 2010-03-11 at 20:00 +1300, Robert Fisher wrote:
> I am going on holiday soon and want to have ssh access to my desktop PC 
> at home.
> 
> I have tested from another PC at home and it works fine...
> 
> rob...@dell-d410:~$ ssh 192.168.10.13
> rob...@192.168.10.13's password:
> 
> rob...@beast:~$ logout
> Connection to 192.168.10.13 closed.
> 
> On my IPCop box I have port forwarded port 22 to 192.168.10.13 (I am 
> sure I have done this before)
> 
> If I try from the same PC to our static home IP address I get
> 
> rob...@dell-d410:~$ ssh 60.234.134.181
> rob...@60.234.134.181's password:
> Permission denied, please try again.
> rob...@60.234.134.181's password:
> 
> Should I be able to do this? (Connect to a local machine using our home 
> external address)
> 
> If someone is able tonight we could perhaps change my password and test 
> it from outside.
> 

Getting no response from that ssh on port 22 on that ip address from
Diamond Harbour... ):

Steve




ssh testing

2010-03-10 Thread Robert Fisher
I am going on holiday soon and want to have ssh access to my desktop PC 
at home.


I have tested from another PC at home and it works fine...

rob...@dell-d410:~$ ssh 192.168.10.13
rob...@192.168.10.13's password:

rob...@beast:~$ logout
Connection to 192.168.10.13 closed.

On my IPCop box I have port forwarded port 22 to 192.168.10.13 (I am 
sure I have done this before)


If I try from the same PC to our static home IP address I get

rob...@dell-d410:~$ ssh 60.234.134.181
rob...@60.234.134.181's password:
Permission denied, please try again.
rob...@60.234.134.181's password:

Should I be able to do this? (Connect to a local machine using our home 
external address)


If someone is able tonight we could perhaps change my password and test 
it from outside.