Re: ssh testing - fail2ban
Derek Smithies wrote, On 12/03/10 10:16:
> yes yes, this is security by obscurity, (which is a poor form of security), but
> it is a start in the right direction. It will cut down on the number of
> attacks on your box.

I suggest using fail2ban or something similar. It allows 5 failed ssh
connections then firewalls off that source IP for a time. Works well on horse.

horse:/var/log# iptables -L
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  203.167.214.38       anywhere
DROP       all  --  16.102.7.91          anywhere
RETURN     all  --  anywhere             anywhere
...

Or if this is something you'll do more in the future then look at a proper
VPN setup.

-- 
Craig Falconer
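As an added example (not Craig's code, nor fail2ban's own), the counting logic behind that fail2ban-ssh chain, run over constructed auth.log lines; the 5-failure threshold comes from the message above, and the log format and the exact iptables rule printed are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the core of what fail2ban/denyhosts do
# for sshd. Count "Failed password" lines per source address in an auth.log
# and report every address at or above the threshold (5, as in the fail2ban
# setup above). It prints the rule it would add; it never runs iptables.

THRESHOLD=5

# Constructed sample lines in the classic syslog auth.log format.
SAMPLE_LOG='Mar 12 10:01:02 horse sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 10:01:05 horse sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 12 10:01:09 horse sshd[2215]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar 12 10:01:12 horse sshd[2217]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 12 10:01:15 horse sshd[2219]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar 12 10:02:00 horse sshd[2230]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 12 10:02:30 horse sshd[2231]: Accepted publickey for bob from 198.51.100.9 port 40002 ssh2
Mar 12 10:03:00 horse sshd[2240]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2'

# offenders <log-text> [threshold]: prints "count ip" for every source address
# with at least <threshold> failed logins, highest count first.
offenders() {
    printf '%s\n' "$1" | awk -v limit="${2:-$THRESHOLD}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# ban_rules <log-text>: the rule fail2ban would insert into its fail2ban-ssh
# chain for each offender. Printed, not executed.
ban_rules() {
    offenders "$1" | while read -r count ip; do
        printf 'iptables -I fail2ban-ssh 1 -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

ban_rules "$SAMPLE_LOG"
```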
Re: ssh testing
On Fri, Mar 12, 2010 at 11:23 AM, Steve Holdoway wrote:
> On Fri, 2010-03-12 at 11:17 +1300, Jim Cheetham wrote:
>> and a key is around 700 typeable characters ... set up keys, not
>> passwords!
> ... or passphrases, not passwords?

Well, you probably should be using passphrases instead of passwords in
many places. Passphrases work well for login, for example, and a
passphrase of equivalent entropy to a complex password is generally
much much easier to remember.

As a quick aside, here's a nice method: grab random numbers from
random.org, and look them up on a wordlist using the diceware.com
method ...

#!/bin/sh
# diceware ... generate a passphrase by combining RANDOM.ORG
# with the diceware method, on the Beale wordlist
WORDS=${1:-5}
# Don't call this variable RANDOM: bash treats RANDOM as its built-in
# random-number generator, so "$RANDOM" would expand to a number, not the URL.
URL='http://www.random.org/integers/?num=5&min=1&max=6&col=5&base=10&format=plain&rnd=new'
WORDLIST="$HOME/stash/docs/beale.wordlist.asc"
for i in $(seq 1 "$WORDS")
do
    # GET (lwp-request, from libwww-perl) fetches one row of five d6 values,
    # tab-separated; dropping the tabs gives the 5-digit diceware key
    FIVEd6=$(/usr/bin/GET "$URL" | tr -d '\t')
    # anchor the key to the start of the line so it only matches the index column
    grep "^$FIVEd6" "$WORDLIST"
done

$ diceware
55112 spits
61243 toni
14544 boot
56251 tamer
15221 broad

(Beware whenever you see variable names like "FIVEd6" ... you are
dealing with a roleplayer, possibly a D&Der ... lol)

However, joking aside ... while a passphrase may be a few times longer
than a password, it's still nothing compared with a key. Put a decent
passphrase on the private key, sure ... but that's not anything to do
with what the server sees on ssh login. And even that is slightly
undone by Ubuntu's helpful key agent, that autoloads everything in
~/.ssh and offers to remember that long passphrase for you ...

-jim
Re: ssh testing
On Fri, 2010-03-12 at 11:17 +1300, Jim Cheetham wrote:
> and a key is around 700 typeable characters ... set up keys, not
> passwords!

... or passphrases, not passwords?

-- 
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: ssh testing
On Fri, Mar 12, 2010 at 10:59 AM, Steve Holdoway wrote:
> For a couple of weeks away, I wouldn't bother with the obscurity bit in
> that way, rather just disable root login so they have to guess the user
> account and password before denyhosts closes them out.

Things that are set up "for a couple of weeks" tend to stay enabled for
far longer than intended!

You're right that in Rob's example he doesn't need to set up Fort Knox,
but I'd strongly suggest that the minimum bar should be "username & key"
instead of "username & password".

I haven't done much research on the matter, I only keep half an eye on
attempts across my servers seeing as denyhosts works well, but I have
never noticed anyone even attempting to crack in with "username & key".

Considering that a password is around 8-10 typeable characters, and a
key is around 700 typeable characters ... set up keys, not passwords!

-jim
Re: ssh testing
On Fri, Mar 12, 2010 at 10:16 AM, Derek Smithies wrote:
> In addition to the deny hosts approach, I would move the ssh port to
> somewhere else.
> ...
> yes yes, this is security by obscurity, (which is a poor form of security), but

You are right that it cuts down attacks, because the great majority of
bot attacks don't bother doing anything except port 22. I have only one
server not running on port 22, and it basically gets zero scans (in the
period Aug 23 2009 to today).

However, if you don't remember that you have done this, it reduces your
own ability to connect to your own machine. It is not "discoverable" and
may lead you to waste lots of your own time trying to debug a
non-existent problem.

A well-configured ssh service isn't going to let an attacker in.
Well-configured can mean a lot of things, but includes at least "no
passwords, only keys", "only named users", "never root" and "security
updated quickly from a reputable source". Adding "blacklist on
unsuccessful attempts" helps to prevent your machine wasting resources.

I don't agree that "well-configured" means "on a different port", except
possibly in some formally documented environments. And given that most
of those are internal networks where the very existence of attack
traffic is a great problem -- in other words, if someone is even trying
to attack port 22, you'd rather know about it than just ignore it -- I
tend to think it's more of a distraction than a benefit.

There is a place for "on a different port"; if you don't want to pay any
attention to the security of your servers (i.e. you don't watch log
exceptions) and you only have (a small number, e.g. one) machine you are
responsible for, then it's a reasonably effective way to be slightly
more comfortable when ignoring the operations of your machine.

-jim (who admits to having one machine running ssh on a non-standard
port. But only one machine ...)
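As an added example (not Jim's code, nor anything from OpenSSH), a small sshd_config audit for the "well-configured" list above, run against two constructed config files; the keyword names are real OpenSSH directives, but the finding texts, the assumption that unset PasswordAuthentication defaults to yes, and the "Keyword value" syntax restriction are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the list
# above: keys only, only named users, never root. Reads only the global
# section (stops at the first Match block) and skips commented-out lines,
# a common trap: editing "#PasswordAuthentication yes" in place without
# removing the "#" changes nothing. Assumes "Keyword value" syntax.

# effective <file> <Keyword>: value of the first active occurrence (sshd uses
# the first one it sees). Prints nothing when the keyword is not set.
effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key && !found { val = $2; found = 1 }
        END { print val }
    ' "$1"
}

# audit <file>: one finding per line; prints nothing when the config passes.
audit() {
    pa=$(effective "$1" PasswordAuthentication)
    [ "$pa" = "no" ] || echo "PasswordAuthentication=${pa:-unset (default yes)}: set to no, use keys"
    cr=$(effective "$1" ChallengeResponseAuthentication)
    [ "$cr" = "no" ] || echo "ChallengeResponseAuthentication=${cr:-unset}: PAM keyboard-interactive can still ask for a password"
    rl=$(effective "$1" PermitRootLogin)
    [ "$rl" = "no" ] || echo "PermitRootLogin=${rl:-unset}: set to no"
    [ -n "$(effective "$1" AllowUsers)$(effective "$1" AllowGroups)" ] ||
        echo "no AllowUsers/AllowGroups: every local account is a valid login target"
}

# Constructed configs: a stock-style file with the directives still commented
# out (so the defaults apply), and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
Port 22
#PermitRootLogin no
#PasswordAuthentication no
UsePAM yes
EOF
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers rob
EOF
echo "weak:";     audit "$WEAK"
echo "hardened:"; audit "$HARD"
```

The ChallengeResponseAuthentication check is the one that explains "still being prompted for a password" after PasswordAuthentication is off: with UsePAM the keyboard-interactive method still shows up in `ssh -v` output and still asks.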
Re: ssh testing
On Fri, 2010-03-12 at 10:24 +1300, Jim Cheetham wrote:
> On Thu, Mar 11, 2010 at 9:55 PM, Steve Holdoway wrote:
> > no - still being prompted for a password...
>
> Steve, I hope you're testing with ssh -v so you can see all the
> methods the ssh server is advertising.
>
> Rob, I hope you've set "PasswordAuthentication no" in
> /etc/ssh/sshd_config (and restarted sshd). I also hope that you have
> whitelisted places you know you might be connecting from in
> /etc/hosts.allow :-)
>
> Hads, you're right that a connection attempt denied by sshd can move
> on to the next authentication method, which often means that you get
> asked for a password. However, denyhosts logs IP addresses in
> /etc/hosts.deny, and sshd is usually compiled to look at tcpwrappers,
> so people who have failed to login too many times will eventually get
> no ACK from sshd at all.
>
> -jim

I'm as risk averse as the next person - probably more than some having
fought hackers since the interweb was invented in my role as a sysadm.
However...

For a couple of weeks away, I wouldn't bother with the obscurity bit in
that way, rather just disable root login so they have to guess the user
account and password before denyhosts closes them out. This is a pretty
huge block for any prospective hacker, especially if you chose your
login carefully off the bottom of the common account names list. In
fact, outside a corporate environment, I'd say it's all you need(*).
Yes, some may say that you need to take distributed hack attempts into
account but... well, risk is a subjective viewpoint, and mine is that
it's an acceptable one to take - even more so if you use a dynamic dns
service and can persuade your router to acquire a new IP address on a
regular basis.

The bit about password authentication is ok if you're going to use your
own lappie, but if you're going to borrow a pc to check stuff, then
carrying around your private key is going to be a real pain. Use of
internet cafes brings up a new list of potential security issues, of
course.

BTW, if you are taking a lappie with you, then I'd set OpenVPN up and
restrict the ssh server to listen only on that subnet.

Cheers,

Steve

(*) at the moment!

-- 
Steve Holdoway http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: ssh testing
On Thu, Mar 11, 2010 at 9:55 PM, Steve Holdoway wrote:
> no - still being prompted for a password...

Steve, I hope you're testing with ssh -v so you can see all the
methods the ssh server is advertising.

Rob, I hope you've set "PasswordAuthentication no" in
/etc/ssh/sshd_config (and restarted sshd). I also hope that you have
whitelisted places you know you might be connecting from in
/etc/hosts.allow :-)

Hads, you're right that a connection attempt denied by sshd can move
on to the next authentication method, which often means that you get
asked for a password. However, denyhosts logs IP addresses in
/etc/hosts.deny, and sshd is usually compiled to look at tcpwrappers,
so people who have failed to login too many times will eventually get
no ACK from sshd at all.

-jim
Re: ssh testing
Hi,

In addition to the deny hosts approach, I would move the ssh port to
somewhere else. The firewall should open some other port (a random
number you like and can remember, say 4242) and port forward that to
port 22 of the recipient box.

Consequently, anyone who checks port 22 of every ip address won't get a
response back from your box and will move on.

yes yes, this is security by obscurity, (which is a poor form of
security), but it is a start in the right direction. It will cut down
on the number of attacks on your box.

If you edit (on the box making the link) the .ssh/config file you can
add entries like:

Host dereksbox.dyndns.org
    port 4242

which means that you can do

ssh dereksbox.dyndns.org

and not have to specify the port in use. Otherwise, it is

ssh -p 4242 dereksbox.dyndns.org

Cheers,

Derek.

On Fri, 12 Mar 2010, Steve Holdoway wrote:
> On Fri, 2010-03-12 at 00:56 +1300, Hadley Rich wrote:
>> On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
>>> no - still being prompted for a password...
>>
>> A denied or not allowed user will still get prompted for a password,
>> it will just never work.
>>
>> hads
>
> Denyhosts adds addresses to /etc/hosts.deny. This will drop the
> connection before password requests iirc.
>
> Steve

-- 
Derek Smithies Ph.D.
IndraNet Technologies Ltd.
ph +64 3 365 6485
Web: http://www.indranet-technologies.com/
"How did you make it work??" "Oh, the usual, get everything right".
Re: ssh testing
On Fri, 2010-03-12 at 00:56 +1300, Hadley Rich wrote:
> On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
> > no - still being prompted for a password...
>
> A denied or not allowed user will still get prompted for a password, it
> will just never work.
>
> hads

Denyhosts adds addresses to /etc/hosts.deny. This will drop the
connection before password requests iirc.

Steve
Re: ssh testing
On Thu, 2010-03-11 at 21:55 +1300, Steve Holdoway wrote:
> no - still being prompted for a password...

A denied or not allowed user will still get prompted for a password, it
will just never work.

hads

-- 
http://nicegear.co.nz
New Zealand's Open Source Hardware Supplier
Re: ssh testing
On Thu, 2010-03-11 at 21:38 +1300, Robert Fisher wrote:
> Steve Holdoway wrote:
> >> yup, getting a response now (:
> >>
> >> Steve
> >>
> > If you're going to leave port 22 open, then I'd install something like
> > denyhosts, and disable root login over ssh. If you're taking a lappie
> > with you then installing certificates would allow you to disable
> > password logins completely.
> >
> Good advice (I did not know about denyhosts but now I think I have it
> set up OK - I have done some tests here.)
>
> If you are still there tonight before I go to bed you might like to try
> again - you should be denied.
>
> Rob

no - still being prompted for a password...
Re: ssh testing
Steve Holdoway wrote:
> yup, getting a response now (:
>
> Steve
>
> If you're going to leave port 22 open, then I'd install something like
> denyhosts, and disable root login over ssh. If you're taking a lappie
> with you then installing certificates would allow you to disable
> password logins completely.

Good advice (I did not know about denyhosts but now I think I have it
set up OK - I have done some tests here.)

If you are still there tonight before I go to bed you might like to try
again - you should be denied.

Rob
Re: ssh testing
On Thu, 2010-03-11 at 20:35 +1300, Steve Holdoway wrote:
> On Thu, 2010-03-11 at 20:16 +1300, Robert Fisher wrote:
> > Steve Holdoway wrote:
> >
> > > Getting no response from that ssh on port 22 on that ip address from
> > > Diamond Harbour... ):
> > >
> > > Steve
> > >
> > >
> > Could you try again please Steve - PC was off for a little while.
> >
> > Rob
> yup, getting a response now (:
>
> Steve
>

If you're going to leave port 22 open, then I'd install something like
denyhosts, and disable root login over ssh. If you're taking a lappie
with you then installing certificates would allow you to disable
password logins completely.

Steve
Re: ssh testing
On Thu, 2010-03-11 at 20:16 +1300, Robert Fisher wrote:
> Steve Holdoway wrote:
>
> > Getting no response from that ssh on port 22 on that ip address from
> > Diamond Harbour... ):
> >
> > Steve
> >
> >
> Could you try again please Steve - PC was off for a little while.
>
> Rob

yup, getting a response now (:

Steve
Re: ssh testing
Steve Holdoway wrote:
> Getting no response from that ssh on port 22 on that ip address from
> Diamond Harbour... ):
>
> Steve

Could you try again please Steve - PC was off for a little while.

Rob
Re: ssh testing
On Thu, 2010-03-11 at 20:00 +1300, Robert Fisher wrote:
> I am going on holiday soon and want to have ssh access to my desktop PC
> at home.
>
> I have tested from another PC at home and it works fine...
>
> rob...@dell-d410:~$ ssh 192.168.10.13
> rob...@192.168.10.13's password:
>
> rob...@beast:~$ logout
> Connection to 192.168.10.13 closed.
>
> On my IPCop box I have port forwarded port 22 to 192.168.10.13 (I am
> sure I have done this before)
>
> If I try from the same PC to our static home IP address I get
>
> rob...@dell-d410:~$ ssh 60.234.134.181
> rob...@60.234.134.181's password:
> Permission denied, please try again.
> rob...@60.234.134.181's password:
>
> Should I be able to do this? (Connect to a local machine using our home
> external address)
>
> If someone is able tonight we could perhaps change my password and test
> it from outside.
>

Getting no response from that ssh on port 22 on that ip address from
Diamond Harbour... ):

Steve
ssh testing
I am going on holiday soon and want to have ssh access to my desktop PC
at home.

I have tested from another PC at home and it works fine...

rob...@dell-d410:~$ ssh 192.168.10.13
rob...@192.168.10.13's password:

rob...@beast:~$ logout
Connection to 192.168.10.13 closed.

On my IPCop box I have port forwarded port 22 to 192.168.10.13 (I am
sure I have done this before)

If I try from the same PC to our static home IP address I get

rob...@dell-d410:~$ ssh 60.234.134.181
rob...@60.234.134.181's password:
Permission denied, please try again.
rob...@60.234.134.181's password:

Should I be able to do this? (Connect to a local machine using our home
external address)

If someone is able tonight we could perhaps change my password and test
it from outside.