Re: [swinog] are you also seeing more ssh attacks ?
Hi,

On Mon, Jul 02, 2018 at 12:25:13PM +0200, Manuel Schweizer wrote:
> Not seeing what you are seeing, but I can really recommend Fail2Ban if you
> are not using it already.

Seconded. Even if we do not allow "plain password" authentication on the Jumphost (it's using PIN + LinOTP tokens), if only to keep the noise in the logs down and to annoy the brute-forcers a bit :-)

Gert Doering
-- NetMaster
-- have you enabled IPv6 on something today...?

SpaceNet AG                  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444     USt-IdNr.: DE813185279

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] are you also seeing more ssh attacks ?
Good morning,

Manuel Schweizer writes:
> Hey Tobi
>
> Not seeing what you are seeing, but I can really recommend Fail2Ban if
> you are not using it already.

While the idea of fail2ban is good, I would actually recommend sshguard instead of fail2ban.

If you are not using a recent version of fail2ban, it does not handle IPv6 at all and thus does not throttle IPv6 based attacks.

For that reason we switched to sshguard, a smaller and leaner dynamic blocker that fully supports IPv6 and has a variety of backends, including nftables.

Best,

Nico

--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
Re: [swinog] are you also seeing more ssh attacks ?
> On 2 Jul 2018, at 11:42, Jeroen Massar wrote:
> If you have to run a jumpbox style host: For SSH, it is also heavily
> suggested to disable any form of password-auth, that way, only public
> key authentication is accepted and guess what the scanner scripts do not
> support as they do not have a key which thus makes guessing impossible...

+1 for "jumphosts" as an alternative to VPNs.

I can highly recommend Teleport - https://gravitational.com/teleport/ - as a potential jumphost. It is an SSH CA with 2FA out of the box, and if you need it the enterprise (paid for) version will integrate with various authentication endpoints (SAML, etc). There are other features which are very suitable to out-of-band management (e.g. run Teleport as a node on a Raspberry Pi behind NAT on an OOB connection from a third party; it will connect out to your Teleport jumphost, allowing you to "get behind the NAT").

Disclosure: I gave a ~10 minute "lightning talk" at UKNOF about Teleport, but I am not getting paid by them ;)

Slides: http://faelix.link/uknof40
Video: https://www.youtube.com/watch?v=l-fYg0B7c00=9=PLjzK5ZtLlc91p159dFRC7EpEvWuCWSOPw=0s

fail2ban on a jumphost is an excellent idea - lock your bastion down as much as you can.

Marek Isalski
Technical Director, Faelix Limited, https://faelix.net/
Re: [swinog] are you also seeing more ssh attacks ?
Hey Jeroen

> A single IP will only hit you a few times... typically below the
> threshold of standard fail2ban or other alarm bells.
> The distributed scanner will keep on trying by using another IP from
> their vast botnet...

Well, from experience I cannot confirm that at all. Apparently, there are still a lot of script kiddies out there or less sophisticated attacks going on. Fail2Ban sure helps with those. If you want to use it in a more aggressive way you can also combine port knocking with fail2ban and ban source IPs the first time they "misbehave".

> The big question: Why is that SSH port open to the world ? :)

Depends on the use case. I second your opinion when it comes to best practices but I am also running a couple of servers with SSH open to the world because I don't have, need or want an extra jump host at that location to access a single system, for example. So there are reasons.

Cheers,
Manuel

--
Manuel Schweizer
cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich
Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch
Re: [swinog] are you also seeing more ssh attacks ?
On 2018-07-02 12:25, Manuel Schweizer wrote:
> Hey Tobi
>
> Not seeing what you are seeing, but I can really recommend Fail2Ban if you
> are not using it already.
[..]
> Failed attempts will now be logged and source IPs will be banned after
> several failed attempts.

Which is quite useless with the distributed scanners that have existed for the last few years.

A single IP will only hit you a few times... typically below the threshold of standard fail2ban or other alarm bells.

The distributed scanner will keep on trying by using another IP from their vast botnet...

The big question: Why is that SSH port open to the world ? :)

Greets,
Jeroen
Re: [swinog] are you also seeing more ssh attacks ?
Hey Tobi

Not seeing what you are seeing, but I can really recommend Fail2Ban if you are not using it already. It's as simple as:

*** snip 8< ***
# Install fail2ban
apt install fail2ban

# Set log level to VERBOSE in sshd daemon to catch failed logins for existing accounts as well
cat >> /etc/ssh/sshd_config <<EOF
LogLevel VERBOSE
EOF
# sshd reads its configuration at start-up, so reload/restart it for the new setting to take effect
*** >8 snap ***

Failed attempts will now be logged and source IPs will be banned after several failed attempts.

Cheers,
Manuel

--
Manuel Schweizer
cloudscale.ch AG
Venusstrasse 29
CH-8050 Zürich
Fon: +41 44 55 222 55
Fax: +41 44 55 222 56
Web: https://www.cloudscale.ch

> On 2 Jul 2018, at 11:42, Jeroen Massar wrote:
>
> On 2018-07-02 11:25, Tobias Oetiker wrote:
>> Good Morning
>>
>> are you running an ssh daemon on non standard ports to avoid some of the
>> drive-by-scanning ? we have been doing that for quite some time now with
>> great reduction of scanning noise ...
>
> I suggest running SSH always behind white-list only firewalls.
>
> That, and otherwise use a VPN to get into a fixed-IP so that one is in
> the whitelist.
>
> Providing an 'open over IPv6 only', or "SSH via Tor" is also a
> reasonable technique there.
>
>
> If you have to run a jumpbox style host: For SSH, it is also heavily
> suggested to disable any form of password-auth, that way, only public
> key authentication is accepted and guess what the scanner scripts do not
> support as they do not have a key which thus makes guessing impossible...
>
> for OpenSSH:
> UsePAM no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
>
> Do have working pubkeys on the box first :)
>
>
>> since yesterday this has changed
>> ... we are getting a lot of connection attempts ...
>>
>> are you seeing this too ? is someone actively looking for ssh across the
>> whole port range or is this 'personal' ?
>
> There are more and more "Internet scanning" services, especially since
> people realized the amount of data that Shodan shows, every company is
> having their own scanning boxes.
>
> Next to that of course, there are thousands of kiddies running the
> default scripts just trying random username/passwords.
>
> Whitelisting is the best trick in the toolchest.
>
> Greets,
> Jeroen
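To make the per-source threshold concrete, and to tie it to the points raised earlier in this thread (IPv6 sources that an old blocker ignores, and distributed scanners that stay under the per-IP limit), here is an added Python example; it is not fail2ban's code and not from the list. It parses constructed sshd "Failed password" lines in syslog format (year assumed to be 2018, addresses constructed) and applies a fail2ban-style maxretry/findtime window per source.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" lines (with LogLevel VERBOSE these also cover existing
# accounts); the address group accepts both IPv4 and IPv6 sources.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<src>[0-9a-fA-F.:]+) port \d+")

def parse_failures(lines, year=2018):
    """Yield (timestamp, source address) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m["src"])  # v4 and v6 alike

def banned_sources(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style per-source sliding window: a source is banned once it
    reaches maxretry failures within findtime. Returns the set of sources."""
    recent, banned = defaultdict(list), set()
    for ts, src in parse_failures(lines):
        recent[src] = [t for t in recent[src] if ts - t <= findtime] + [ts]
        if len(recent[src]) >= maxretry:
            banned.add(src)
    return banned

def failures_by_family(lines):
    """Count failed logins per IP version, to see what a v4-only blocker misses."""
    counts = {4: 0, 6: 0}
    for _, src in parse_failures(lines):
        counts[src.version] += 1
    return counts

# Constructed sample log: one noisy IPv4 source that trips the threshold, and a
# "distributed" campaign of six IPv6 sources that each try only twice.
SAMPLE_LOG = [
    f"Jul  2 11:0{m}:{s} jump sshd[1234]: Failed password for root from 192.0.2.10 port 50{m} ssh2"
    for m, s in [(0, "01"), (0, "09"), (1, "03"), (2, "07"), (3, "02")]
] + [
    f"Jul  2 11:0{i}:{s} jump sshd[1234]: Failed password for invalid user admin from 2001:db8::{i} port 4000 ssh2"
    for i in range(1, 7) for s in ("30", "45")
]

if __name__ == "__main__":
    print("banned:", sorted(map(str, banned_sources(SAMPLE_LOG))))
    print("failures per IP version:", failures_by_family(SAMPLE_LOG))
```

With the default maxretry of 5 only the single noisy source is banned, while the twelve IPv6 failures from the distributed set pass through untouched.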
Re: [swinog] are you also seeing more ssh attacks ?
On 2018-07-02 11:25, Tobias Oetiker wrote:
> Good Morning
>
> are you running an ssh daemon on non standard ports to avoid some of the
> drive-by-scanning ? we have been doing that for quite some time now with
> great reduction of scanning noise ...

I suggest running SSH always behind white-list only firewalls.

That, and otherwise use a VPN to get into a fixed-IP so that one is in the whitelist.

Providing an 'open over IPv6 only', or "SSH via Tor" is also a reasonable technique there.

If you have to run a jumpbox style host: For SSH, it is also heavily suggested to disable any form of password-auth, that way, only public key authentication is accepted and guess what the scanner scripts do not support as they do not have a key which thus makes guessing impossible...

for OpenSSH:
UsePAM no
PasswordAuthentication no
ChallengeResponseAuthentication no

Do have working pubkeys on the box first :)

> since yesterday this has changed
> ... we are getting a lot of connection attempts ...
>
> are you seeing this too ? is someone actively looking for ssh across the
> whole port range or is this 'personal' ?

There are more and more "Internet scanning" services, especially since people realized the amount of data that Shodan shows, every company is having their own scanning boxes.

Next to that of course, there are thousands of kiddies running the default scripts just trying random username/passwords.

Whitelisting is the best trick in the toolchest.

Greets,
Jeroen
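An added Python check for the three OpenSSH settings above (written for this note, not Jeroen's or OpenSSH's code): it implements sshd_config's rule that the first value of a keyword wins, looks inside Match blocks that can re-enable passwords for some accounts, and verifies the "working pubkeys first" precondition. The config text and key line are constructed samples.

```python
import re
# sshd_config(5) rules: keywords are case-insensitive, "Keyword value" or "Keyword=value",
# '#' starts a comment, the FIRST value per keyword wins, and lines after "Match" are conditional.
REQUIRED = {"passwordauthentication": "no", "challengeresponseauthentication": "no", "usepam": "no"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks), keeping the first value per keyword."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_settings.setdefault(key, value)
    return global_settings, match_blocks

def audit(config_text, authorized_keys_text):
    """List findings; an empty list means the host follows the advice above."""
    settings, matches = parse_sshd_config(config_text)
    findings = []
    for key, wanted in REQUIRED.items():
        got = settings.get(key, "unset")
        if got.lower() != wanted:
            findings.append(f"{key} is '{got}', expected '{wanted}' (first value wins)")
        for criteria, block in matches:
            if block.get(key, wanted).lower() != wanted:
                findings.append(f"Match {criteria} re-enables {key}")
    # "Do have working pubkeys on the box first": at least one key line must exist
    keys = [k for k in authorized_keys_text.splitlines() if k.strip() and not k.startswith("#")]
    if not keys:
        findings.append("authorized_keys is empty: disabling passwords would lock you out")
    return findings

# Constructed sample: the appended "no" is ignored (first value wins) and a Match block re-enables passwords.
SAMPLE_CONFIG = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no   # appended later, has no effect
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_KEYS = "ssh-ed25519 <constructed-placeholder-key> admin@jump\n"
```

Running `audit(SAMPLE_CONFIG, SAMPLE_KEYS)` reports two findings: the global PasswordAuthentication is still "yes", and the Match block re-enables it for one user.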
[swinog] are you also seeing more ssh attacks ?
Good Morning

are you running an ssh daemon on non standard ports to avoid some of the drive-by-scanning ? we have been doing that for quite some time now with great reduction of scanning noise ...

since yesterday this has changed ... we are getting a lot of connection attempts ...

are you seeing this too ? is someone actively looking for ssh across the whole port range or is this 'personal' ?

cheers
tobi

--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
www.oetiker.ch t...@oetiker.ch +41 62 775 9902
Re: [swinog] GDPR / DSGVO and 'whois' domain data
On 2018-07-02 09:45, Benoit Panizzon wrote:
[..]
> Also, such domains usually quite quickly get a bad reputation as hiding
> the whois data is something the 'bad guys' do. Also it becomes a bit
> more difficult to verify if a domain is legit or not to decide upon
> well crafted phishing emails. Or to contact the owner in case of
> security incidents.

Bad guys just provide false data (and the privacy hiding things)

Hence, whois is mostly useless, even though that false data might be able to correlate multiple domains (which is a feature that is lost now)

As RIPE is clearly demonstrating though, throwaway addresses and emails are totally okay to have in RIPE whois

Currently "good guys" will publish one of these:

https://<domain>/.well-known/security.txt

e.g.:
https://www.google.com/.well-known/security.txt
https://unfix.org/.well-known/security.txt
etc.

as per the _draft_:
https://tools.ietf.org/html/draft-foudil-securitytxt-03
https://github.com/securitytxt/security-txt

and (as usual) not everybody is happy with it:
https://news.ycombinator.com/item?id=15416198

Many folks also publish it directly as /security.txt; I have a default location in nginx to cover them and put it everywhere (with try_files one can try a per-vhost edition and then fall back to a generic one).

.oO(Yes, the Internet is HTTPS now, everything else is futile... new Internet users on the block do not know what whois is, let alone what it was useful for; problem reports are automated nowadays, few still actually read/act upon abuse@ or security@ addresses...)

[..]
> So I asked Gandi for how the GDPR exactly forces them to hide their
> customer's whois data. I haven't got a reply to this yet.

Nothing forces them to do so, they are just covering their behinds. By blocking it they do not have to deal too much with GDPR, thus it is the path of least difficulty (read: money).

[..]
> If I get the whois data for some well known domains like:
>
> microsoft.com
> google.com
> swiss.com
> credit-suisse.com
>
> NONE has 'privacy protect' activated.

None of those are private individuals.

Greets,
Jeroen
Re: [swinog] GDPR / DSGVO and 'whois' domain data
> If I get the whois data for some well known domains like:
>
> microsoft.com
> google.com
> swiss.com
> credit-suisse.com
>
> NONE has 'privacy protect' activated.

I only see the registrar's contact details for all domains. Seems to be standard for .com domains since the last few weeks.
https://www.golem.de/news/dsgvo-icann-verliert-gerichtsstreit-ueber-whois-daten-1806-134717.html

It's not the same, but nice to know:
https://nextcloud01.cloud42.ch/index.php/s/cAbYANCM4gAgBSz

--
Web: https://markusritzmann.ch
Twitter: @RitzmannMarkus
[swinog] GDPR / DSGVO and 'whois' domain data
Dear Swinogers.

I run a couple of .com and .ch domains, which are registered via Gandi.net

About one week ago, Gandi activated 'privacy protect' on my .com domains, hiding all my contact data in the whois output, without me asking them to do so. They sent an email though, that they would do so because of the GDPR.

I asked them how GDPR entitles them to do so, in my opinion the GDPR aims for more transparency and thus, this is counterproductive.

Also, such domains usually quite quickly get a bad reputation as hiding the whois data is something the 'bad guys' do. Also it becomes a bit more difficult to verify if a domain is legit or not to decide upon well crafted phishing emails. Or to contact the owner in case of security incidents.

I told Gandi about my concerns, but only got the reply that they were forced to hide whois contact information on all domains registered via their service because of GDPR. Having the contact data published now is optional and has to be activated manually by the domain owner.

This surely is not the case, as my .ch domains registered with gandi still show my complete contact.

So I asked Gandi for how the GDPR exactly forces them to hide their customer's whois data. I haven't got a reply to this yet.

So I wonder if somebody on this list knows the background why gandi acts this way and if other registrars do the same.

If I get the whois data for some well known domains like:

microsoft.com
google.com
swiss.com
credit-suisse.com

NONE has 'privacy protect' activated.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________