Re: How do I prevent unauthorized ssh login attempts?

2007-04-27 Thread Peter N. M. Hansteen
Andreas Widerøe Andersen [EMAIL PROTECTED] writes:

 How can I stop these attempts or block them - or even recognize them? I do
 not have IPF installed.

There are several packages which could help, the one I prefer is a
simple pf rule set which tracks the number of connection attempts per
time unit and puts the too-chatty ones in a doghouse list of addresses.

One way to do it is described at 
http://home.nuug.no/~peter/pf/en/bruteforce.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
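The pf approach Peter describes, as an added example that is not taken from the thread or from his page: a pf.conf fragment that counts new SSH connections per source address and moves repeat offenders into a blocked table. The interface name and the thresholds are assumptions, chosen so that the roughly one-attempt-every-two-seconds pattern in Andreas's log would actually trip the limit.

```conf
# /etc/pf.conf fragment (added example, not from the thread or Peter's page).
# Assumption: em0 is the external interface; adjust to the real one.
ext_if = "em0"

# Persistent table of addresses that exceeded the limits below. It survives
# rule reloads, so an offender stays blocked until the entry is expired.
table <bruteforce> persist

# Drop all traffic from addresses already in the doghouse.
block in quick from <bruteforce>

# Allow SSH, but per source address permit at most 15 concurrent sessions
# and at most 5 new connections in any 30-second window. The log in the
# original question shows one new connection about every 2 seconds, so a
# short window such as 5/3 would never trigger; 5/30 trips within ~10 s.
# A source that exceeds either limit is added to <bruteforce>, and
# "flush global" tears down every state it already holds.
pass in on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; because the table is persistent, a periodic `pfctl -t bruteforce -T expire 86400` (from cron, say) ages entries out after a day, and `pfctl -t bruteforce -T show` lists what is currently blocked.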


How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Andreas Widerøe Andersen

I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
daily security run output:

myserver.domain.com login failures:
Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
Apr 25 20:00:32 myserver sshd[57822]: Invalid user tomcat from 65.171.74.26
Apr 25 20:00:34 myserver sshd[57824]: Invalid user webadmin from 65.171.74.26
Apr 25 20:00:36 myserver sshd[57826]: Invalid user spam from 65.171.74.26
Apr 25 20:00:38 myserver sshd[57828]: Invalid user virus from 65.171.74.26
Apr 25 20:00:41 myserver sshd[57830]: Invalid user cyrus from 65.171.74.26
Apr 25 20:00:43 myserver sshd[57832]: Invalid user oracle from 65.171.74.26
Apr 25 20:00:45 myserver sshd[57834]: Invalid user michael from 65.171.74.26
Apr 25 20:00:47 myserver sshd[57836]: Invalid user ftp from 65.171.74.26
Apr 25 20:00:49 myserver sshd[57838]: Invalid user test from 65.171.74.26
Apr 25 20:00:51 myserver sshd[57840]: Invalid user webmaster from 65.171.74.26
Apr 25 20:00:53 myserver sshd[57842]: Invalid user postmaster from 65.171.74.26
Apr 25 20:00:56 myserver sshd[57844]: Invalid user postfix from 65.171.74.26
Apr 25 20:00:57 myserver sshd[57846]: Invalid user postgres from 65.171.74.26
Apr 25 20:00:59 myserver sshd[57848]: Invalid user paul from 65.171.74.26
Apr 25 20:01:04 myserver sshd[57852]: Invalid user guest from 65.171.74.26
Apr 25 20:01:06 myserver sshd[57854]: Invalid user admin from 65.171.74.26
Apr 25 20:01:08 myserver sshd[57856]: Invalid user linux from 65.171.74.26
Apr 25 20:01:11 myserver sshd[57858]: Invalid user user from 65.171.74.26
Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26

How can I stop these attempts or block them - or even recognize them? I do
not have IPF installed.

Thanks for your help.

Best regards,
Andreas


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Beech Rintoul
On Thursday 26 April 2007, Andreas Widerøe Andersen said:
 I'm getting a lot of unauthorized ssh login attempts. I have a
 pretty basic FreeBSD 6.2 setup. I have compiled my own kernel.
 Here's what I get from my daily security run output:

 myserver.domain.com login failures:
 Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
 Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
 Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
 Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
 Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
 Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
 Apr 25 20:00:32 myserver sshd[57822]: Invalid user tomcat from 65.171.74.26
 Apr 25 20:00:34 myserver sshd[57824]: Invalid user webadmin from 65.171.74.26
 Apr 25 20:00:36 myserver sshd[57826]: Invalid user spam from 65.171.74.26
 Apr 25 20:00:38 myserver sshd[57828]: Invalid user virus from 65.171.74.26
 Apr 25 20:00:41 myserver sshd[57830]: Invalid user cyrus from 65.171.74.26
 Apr 25 20:00:43 myserver sshd[57832]: Invalid user oracle from 65.171.74.26
 Apr 25 20:00:45 myserver sshd[57834]: Invalid user michael from 65.171.74.26
 Apr 25 20:00:47 myserver sshd[57836]: Invalid user ftp from 65.171.74.26
 Apr 25 20:00:49 myserver sshd[57838]: Invalid user test from 65.171.74.26
 Apr 25 20:00:51 myserver sshd[57840]: Invalid user webmaster from 65.171.74.26
 Apr 25 20:00:53 myserver sshd[57842]: Invalid user postmaster from 65.171.74.26
 Apr 25 20:00:56 myserver sshd[57844]: Invalid user postfix from 65.171.74.26
 Apr 25 20:00:57 myserver sshd[57846]: Invalid user postgres from 65.171.74.26
 Apr 25 20:00:59 myserver sshd[57848]: Invalid user paul from 65.171.74.26
 Apr 25 20:01:04 myserver sshd[57852]: Invalid user guest from 65.171.74.26
 Apr 25 20:01:06 myserver sshd[57854]: Invalid user admin from 65.171.74.26
 Apr 25 20:01:08 myserver sshd[57856]: Invalid user linux from 65.171.74.26
 Apr 25 20:01:11 myserver sshd[57858]: Invalid user user from 65.171.74.26
 Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26

 How can I stop these attempts or block them - or even recognize
 them? I do not have IPF installed.

 Thanks for your help.

 Best regards,
 Andreas

Check out denyhosts, it's in the tree. It works well for me and is 
easy to set up.

Beech


-- 
---
Beech Rintoul - Port Maintainer - [EMAIL PROTECTED]
/\   ASCII Ribbon Campaign  | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail   | http://www.freebsd.org
 X  - NO Word docs in e-mail | Latest Release:
/ \  - http://www.freebsd.org/releases/6.2R/announce.html
---





Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Andreas Widerøe Andersen

On 4/26/07, Arek Czereszewski [EMAIL PROTECTED] wrote:


 Andreas Widerøe Andersen wrote:
  I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
  FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
  daily security run output:
 [...]

 Run sshd on another port.
 And tell your ssh users about this.



Can I change the ssh port on a live server somehow without getting locked
out? The server is on a remote co-location a flight away from me.

/Andreas


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Pietro Cerutti

On 4/26/07, Andreas Widerøe Andersen [EMAIL PROTECTED] wrote:

 I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
 FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
 daily security run output:

 myserver.domain.com login failures:
 Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26

 [snip]

 Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26

 How can I stop these attempts or block them - or even recognize them? I do
 not have IPF installed.

In my home server, I put SSH on a higher port and use public key to
authenticate. This should get rid of those messages...

 Thanks for your help.

Hope this helps,

 Best regards,
 Andreas


--
Pietro Cerutti

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
  www.asciiribbon.org

Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Pietro Cerutti

On 4/26/07, Andreas Widerøe Andersen [EMAIL PROTECTED] wrote:

 On 4/26/07, Arek Czereszewski [EMAIL PROTECTED] wrote:

  Andreas Widerøe Andersen wrote:
   I'm getting a lot of unauthorized ssh login attempts. I have a pretty
   basic FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get
   from my daily security run output:
  [...]

  Run sshd on another port.
  And tell your ssh users about this.

 Can I change the ssh port on a live server somehow without getting locked
 out? The server is on a remote co-location a flight away from me.

Yes you can. SSH will keep your connection active until you log out,
then you can log in using the new port.

 /Andreas



--
Pietro Cerutti

- ASCII Ribbon Campaign -
against HTML e-mail and
proprietary attachments
  www.asciiribbon.org

Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Duane Hill

On Thu, 26 Apr 2007, Pietro Cerutti wrote:


 On 4/26/07, Andreas Widerøe Andersen [EMAIL PROTECTED] wrote:

  On 4/26/07, Arek Czereszewski [EMAIL PROTECTED] wrote:

   Andreas Widerøe Andersen wrote:
    I'm getting a lot of unauthorized ssh login attempts. I have a pretty
    basic FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get
    from my daily security run output:
   [...]

   Run sshd on another port.
   And tell your ssh users about this.

  Can I change the ssh port on a live server somehow without getting locked
  out? The server is on a remote co-location a flight away from me.

 Yes you can. SSH will keep your connection active until you log out,
 then you can log in using the new port.

I will add the fact you will want to keep the current connection live and
test after you make the change with a new connection. That way if the new
connection fails, you still have a foot in the door.

Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Andreas Widerøe Andersen

On 4/26/07, Duane Hill [EMAIL PROTECTED] wrote:


 On Thu, 26 Apr 2007, Pietro Cerutti wrote:

  On 4/26/07, Andreas Widerøe Andersen [EMAIL PROTECTED] wrote:

   On 4/26/07, Arek Czereszewski [EMAIL PROTECTED] wrote:

    Andreas Widerøe Andersen wrote:
     I'm getting a lot of unauthorized ssh login attempts. I have a pretty
     basic FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get
     from my daily security run output:
    [...]

    Run sshd on another port.
    And tell your ssh users about this.

   Can I change the ssh port on a live server somehow without getting locked
   out? The server is on a remote co-location a flight away from me.

  Yes you can. SSH will keep your connection active until you log out,
  then you can log in using the new port.

 I will add the fact you will want to keep the current connection live and
 test after you make the change with a new connection. That way if the new
 connection fails, you still have a foot in the door.



Thanks! I got it working without having to fly out to the server. :-)

Let's see if this will prevent the unauthorized sshd login attempts.

Cheers,
Andreas


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Bill Moran
In response to Andreas Widerøe Andersen [EMAIL PROTECTED]:

 I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
 FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
 daily security run output:
 
 myserver.domain.com login failures:
 Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
 Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
 Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
 Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
 Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
 Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
 Apr 25 20:00:32 myserver sshd[57822]: Invalid user tomcat from 65.171.74.26
 Apr 25 20:00:34 myserver sshd[57824]: Invalid user webadmin from 65.171.74.26
 Apr 25 20:00:36 myserver sshd[57826]: Invalid user spam from 65.171.74.26
 Apr 25 20:00:38 myserver sshd[57828]: Invalid user virus from 65.171.74.26
 Apr 25 20:00:41 myserver sshd[57830]: Invalid user cyrus from 65.171.74.26
 Apr 25 20:00:43 myserver sshd[57832]: Invalid user oracle from 65.171.74.26
 Apr 25 20:00:45 myserver sshd[57834]: Invalid user michael from 65.171.74.26
 Apr 25 20:00:47 myserver sshd[57836]: Invalid user ftp from 65.171.74.26
 Apr 25 20:00:49 myserver sshd[57838]: Invalid user test from 65.171.74.26
 Apr 25 20:00:51 myserver sshd[57840]: Invalid user webmaster from 65.171.74.26
 Apr 25 20:00:53 myserver sshd[57842]: Invalid user postmaster from 65.171.74.26
 Apr 25 20:00:56 myserver sshd[57844]: Invalid user postfix from 65.171.74.26
 Apr 25 20:00:57 myserver sshd[57846]: Invalid user postgres from 65.171.74.26
 Apr 25 20:00:59 myserver sshd[57848]: Invalid user paul from 65.171.74.26
 Apr 25 20:01:04 myserver sshd[57852]: Invalid user guest from 65.171.74.26
 Apr 25 20:01:06 myserver sshd[57854]: Invalid user admin from 65.171.74.26
 Apr 25 20:01:08 myserver sshd[57856]: Invalid user linux from 65.171.74.26
 Apr 25 20:01:11 myserver sshd[57858]: Invalid user user from 65.171.74.26
 Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26
 
 How can I stop these attempts or block them - or even recognize them? I do
 not have IPF installed.

One possibility:
http://www.potentialtech.com/cms/node/16

-- 
Bill Moran
http://www.potentialtech.com


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Kevin Hunter

At 8:34a -0400 on 26 Apr 2007, Bill Moran wrote:


 In response to Andreas Widerøe Andersen [EMAIL PROTECTED]:

  I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic
  FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my
  daily security run output:

  myserver.domain.com login failures:
  Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26

  [similar lines snipped]

  How can I stop these attempts or block them - or even recognize them? I do
  not have IPF installed.

 One possibility:
 http://www.potentialtech.com/cms/node/16


I'm a noob to *BSD, so I'm not sure if not having IPF installed means  
you still have another firewall option.  If you do, I'd say following  
Bill's [sp]age advice is best for your system security overall.


If you don't have a firewall, another option would be to disallow ssh
password logins, i.e. only allow login via public/private key
authentication.  This is a server side option, so 'man sshd_config'
and look for the PasswordAuthentication option.  You'll still get the
"Invalid user..." warning messages, but short of wasting your
bandwidth and (log) disk space, they'll be useless cracker attempts.


(And if you're looking for how to create public/private keys, 'man  
ssh-keygen'.)


In general, utilizing public/private keys for remote authentication  
is /much/ more secure than passwords.


HTH,

Kevin


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Kevin Hunter

At 11:22a -0400 on 26 Apr 2007, Hal wrote:

 On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote:
  In general, utilizing public/private keys for remote
  authentication is /much/ more secure than passwords.

 There is some debate about which is more secure
 public/private keys or username/password.

Yep, thank you for that reminder.  :-)  I suppose we now know what
I'm arguing!



 With public/private keys anyone who has
 access to your machine has access to any machine
 your machine has a key on.


Without a passphrase, I'd agree.  The key word that I made sure to  
put in was 'remote'.  With passphrases, it becomes a two-step  
authentication, one locally to unlock the private key, and one  
remotely to at least confirm that you have the other half of the key.


The other thing that I personally like about public/private key  
combinations is that for the more lazy of us, we don't always check  
the fingerprint matches.  If I decide to log on to a remote machine  
to which I've not logged directly on before (e.g. a company NFS- 
shared home directory), then I can be assured that I'm not falling  
victim to a man-in-the-middle attack; I can blindly accept the  
fingerprint, and if it hangs, I can guess that I'm in the middle of  
an attack attempt, and try another avenue to get where I'm going.



 With username/password protection is only as
 strong as your password.  But your password is
 needed.


Yep.  I agree.


 So...   Use a firewall which limits access to only machines
 you are willing to let in.


Yep.  I agree.  See Bill's page about limiting number of connections  
per time frame as well.



 Use hosts.allow to further restrict access to ssh.


Yep.  I agree.


 Change the ssh port to something not generally known.


This I place into the category of security-through-obscurity, which I
don't find a particularly comforting method.  So it adds a single
extra layer, but if a cracker is worth her/his salt, it's easily
discovered and, in my opinion, not worth the extra effort it takes me
to type -p PORT every time.  (Yes, I could use an alias or some
such, but that's still extra thought-power that I'd rather place
elsewhere.)



 In sshd_config use the AllowUsers parameter to allow
 specific users to have access to ssh.


Yep.  I agree.

I think that in the end, for those who are security conscious, such as
presumably you and me, the specifics of how we do it become largely a
moot point or highly dependent on what it is that we're securing.  My
personal preference is to follow the 80/20 rule.  I don't have 100%
of my time to devote to doing the exact right thing.  But I do have
20% of my time to devote to doing 80% of the exact right thing.  If/
when that becomes a problem, I'll reevaluate my approach.


On that note, you may know better than I do: is there a web page or  
blog somewhere that coalesces all the different things that should be  
done/are currently best-practice to secure a system?  Especially to a  
*BSD noob?


Thanks,

Kevin
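Kevin's suggestion to turn off password logins and Hal's AllowUsers, hosts.allow and port points, combined into one added sshd_config and hosts.allow example that is not taken from any post in the thread. The port number, the account name "andreas" and the admin network 192.0.2.0/24 are assumptions; each weak setting is left as a comment above its hardened replacement.

```conf
# /etc/ssh/sshd_config fragment (added example, not from any post in the
# thread). Assumptions: port 2222 is unused, the admin account is "andreas",
# and administration comes from the 192.0.2.0/24 network.

# Port 22
Port 2222

# PermitRootLogin yes
PermitRootLogin no

# Keys only. The "Invalid user" lines keep appearing in the daily security
# output, but a dictionary attack can no longer succeed.
# PasswordAuthentication yes
PasswordAuthentication no
# Also turn off keyboard-interactive, which can still prompt for a password.
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Only the named account may log in, and only from the admin network; every
# other user name is refused regardless of credentials.
AllowUsers andreas@192.0.2.*

# Give a scanner less time and fewer tries per connection.
LoginGraceTime 30
MaxAuthTries 3

# /etc/hosts.allow fragment (same added example). Hal's hosts.allow point:
# FreeBSD's sshd is built with tcp_wrappers, so other sources are refused
# before sshd ever starts an authentication exchange with them.
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny
```

Validate with `sshd -t` before restarting, and, as Duane advises, keep the existing session open until a fresh login on the new port with the key has succeeded.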


Re: How do I prevent unauthorized ssh login attempts?

2007-04-26 Thread Bill Campbell
On Thu, Apr 26, 2007, Kevin Hunter wrote:
 At 11:22a -0400 on 26 Apr 2007, Hal wrote:
  On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote:
   In general, utilizing public/private keys for remote
   authentication is /much/ more secure than passwords.

  There is some debate about which is more secure
  public/private keys or username/password.

 Yep, thank you for that reminder.  :-)  I suppose we now know what
 I'm arguing!

  With public/private keys anyone who has
  access to your machine has access to any machine
  your machine has a key on.

 Without a passphrase, I'd agree.  The key word that I made sure to
 put in was 'remote'.  With passphrases, it becomes a two-step
 authentication, one locally to unlock the private key, and one
 remotely to at least confirm that you have the other half of the key.

As a rule, we restrict systems to public/private key access with
secure shell.  On a few systems where people claim they need to
use username/password authentication, we restrict access using
tcp wrappers to specific systems.

One of the biggest problems I see is how to handle things like
cron jobs and automatic updates securely without opening up the
can of worms of identities without pass phrases.

Using rsync modules, restricted to specific hosts is very useful
as it permits fine grained control by directory and IP address,
and can be done in many cases over insecure channels as updates
of existing files with rsync only transmits pieces of the files,
not the whole thing.  Many of the things we use this for aren't
very sensitive information, djbdns data files, postfix
configuration, and such.

We also use XMLRPC with https to control some things such as
running make in the /etc/postfix directory where we have the
Makefile set up to rebuild anything necessary as changes are
made.  We have an XMLRPC server (written in python not php thank
you very much :-), which is accessible under the normal Apache
restricted security.  This server has a limited set of procedures
that can do things like restrict access based on the IP address
of the client.  This server can then make an XMLRPC call to
another XMLRPC server running with root privileges on localhost
to do the processing.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

``People from East Germany have found the West so confusing. It's so much
easier when you have only one party.'' -- Linus Torvalds, Linux Expo Canada
when asked about confusion over many Linux distributions.