Re: [SSHd] Limiting access from authorized IP's
cpghost wrote: On Fri, 18 Apr 2008 13:46:48 -0500 Paul Schmehl [EMAIL PROTECTED] wrote: Let me clarify. When I use the term host, I'm referring to what many would call a personal workstation or personal computer. If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is. Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su. Sorry for bikeshedding here, since it's just a matter of terminology, but... Hosts used to be multi-user machines for a long time, and actually still are. Most RFCs, including newer ones, refer to hosts and mean nodes on the net. They don't care whether the hosts are workstations used by a single or few user(s), or big multi-user machines with hundreds of shell accounts. Server is merely the role a program assumes when it waits passively for requests from clients. Servers run on hosts, regardless of the number of users on those hosts (ranging from 0 to very high). Obviously, the security implications vary considerably if you have to host many user accounts, esp. on hosts used by mission critical server programs. ;) And of course, the bikeshed has to be painted... red! :) Regards, -cpghost. Try this: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] joe@home ip Simon ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
this: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] man hosts.allow ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Wojciech Puchar wrote: this: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] man hosts.allow Now that would really confuse things. We're not talking tcp wrappers here, or at least we weren't. man sshd_config --Jon Radel smime.p7s Description: S/MIME Cryptographic Signature
Re: [SSHd] Limiting access from authorized IP's
Gilles wrote: Hello I have a couple of questions about running SSHd: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? I tend to use a firewall anyway so thats what works best for me, on machine that I dont firewall, /etc/hosts.allow (which is TCP-wrappers) is a good quick and easy solution. Its very much a whatever works best for you type question. 2. Although it's up and running, I can't find SSHd in the list of installed apps: $ which sshd /usr/sbin/sshd $ pkg_info | grep -i ssh = Nada. How come? ssh is part of the base system. Its also in ports so you can have a more recent version if you like or so you have have things like the ssh hpn patches (http://www.psc.edu/networking/projects/hpn-ssh/) etc etc. Vince Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Hi Gilles, ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config. To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence. hth, Gary On Fri, 18 Apr 2008 10:51:45 +0200 Gilles [EMAIL PROTECTED] wrote: Hello I have a couple of questions about running SSHd: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? 2. Although it's up and running, I can't find SSHd in the list of installed apps: $ which sshd /usr/sbin/sshd $ pkg_info | grep -i ssh = Nada. How come? Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 10:51:45 Gilles wrote: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? hosts.allow == TCP wrapper. I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over. Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from. I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well... 2. Although it's up and running, I can't find SSHd in the list of installed apps: $ which sshd /usr/sbin/sshd It's not a port, comes with the base system. -- Mel Problem with today's modular software: they start with the modules and never get to the software part. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
[SSHd] Limiting access from authorized IP's
Hello I have a couple of questions about running SSHd: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? 2. Although it's up and running, I can't find SSHd in the list of installed apps: $ which sshd /usr/sbin/sshd $ pkg_info | grep -i ssh = Nada. How come? Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Hi, Gilles wrote: Hello I have a couple of questions about running SSHd: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? You can limit the access using one of the packet filters available, ipfw(8), ipf(8) or pf(4). 2. Although it's up and running, I can't find SSHd in the list of installed apps: sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security. Pedro ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Mel wrote: On Friday 18 April 2008 10:51:45 Gilles wrote: 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend? hosts.allow == TCP wrapper. I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over. Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from. I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well... Some additional thoughts: If you want to control which users can connect from which IP addresses, use the AllowUsers, etc. statements in sshd_config. That's the big advantage of doing it at that level. If you're not going to get that granular, I'd stick with the advice others have already given. Also, some of us are convinced that we further reduce our risk from scanning by turning off password access and forcing the use of keys. --Jon Radel smime.p7s Description: S/MIME Cryptographic Signature
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 19:14:49 +1000 Gary Newcombe [EMAIL PROTECTED] wrote: ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config. To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence. I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish? I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***. If you're running syslogd on 514/tcp (because it installs that way be default) and you're not running a syslogd server, then that is an error on your part [1]. If you're running cupsd listening on 631/tcp, but you're not running a print server, then that's an error [2]. Secondly, for those services that you *must* have publicly available, research what protections are available (e.g. mod_security for apache, hosts.allow for other services.) Read the man pages. Learn to lock down your box properly. Then, spend your time and attention on the services that *are* exposed (because they have to be) and make sure you have those fully patched and properly configured. Never, ever, ever, run a service that you do not intend to use and have it listening on a port! Those are the doors hackers use to get in. Firewalls are too often crutches for people that don't want to learn how to properly maintain a host. If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary. To the OP, you *must* run sshd to remotely access your box. There are several things you can (and should) do. 1) Don't allow root logins (that is now the default configuration) 2) Only allow protocol 2 (now also the default) 3) Consider not allowing any logins and requiring cert exchange instead [3] 4) Consider using ChallengeResponseAuthentication (see [3]) 5) Consider running sshd on a different port [4] 6) Consider using /etc/hosts.allow to restrict access [1] # grep syslogd /etc/rc.conf syslogd_flags=-b 127.0.0.1 # sockstat | grep syslogd root syslogd850 4 dgram /var/run/log root syslogd850 5 dgram /var/run/logpriv root syslogd850 6 udp4 127.0.0.1:514 *:* [2] # grep -i LISTEN /usr/local/etc/cups/cupsd.conf # Only listen for connections from the local machine. Use unix sockets and disable ip completely when possible. #Listen localhost:631 Listen /var/run/cups.sock # sockstat | grep cupsd root cupsd 6208 3 stream /var/run/cups.sock root cupsd 6208 4 udp4 *:631 *:* (If anyone knows how to disable the udp port as well, let me know.) [3] man (5) sshd_config - see AuthorizedKeysFile, ChallengeResponseAuthentication [4] # grep sshd /etc/defaults/rc.conf sshd_enable=NO# Enable sshd sshd_program=/usr/sbin/sshd # path to sshd, if you want a different one. sshd_flags= # Additional flags for sshd. man (8) sshd -p port flag -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote: I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines. It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg: http://seclists.org/bugtraq/2001/Mar/0042.html Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student: scrub in all pass all antispoof log quick for lo0 Cheers, Matthew [*] Which is not without its legitimate uses, as anyone who as ever configured a load balancer using DSR mode will attest. -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman [EMAIL PROTECTED] wrote: Paul Schmehl wrote: I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines. It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg: http://seclists.org/bugtraq/2001/Mar/0042.html Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student: scrub in all pass all antispoof log quick for lo0 Cheers, Matthew [*] Which is not without its legitimate uses, as anyone who as ever configured a load balancer using DSR mode will attest. -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me. I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing, it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work. So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports. 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose. Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box. I haven't found any good guides for this, but I do have Security Power Tools, Mastering FreeBSD and OpenBSD Security, and a couple of other books, including one on OpenBSD and PF, but haven't teased out all that I need from them regarding doing this in a sane/secure manner. At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful. Kurt ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Kurt Buff wrote: On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman [EMAIL PROTECTED] wrote: At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful. Wouldn't turning off password based logins and using public and private keys (with a strong password) for ssh logins do the trick? if you limit yourself based on IP addresses, its inevitable that you will need access from an IP NOT on your exemption list at some time (like when you are on vacation, at relatives, etc). Using keys to authenticate ssh sessions has worked very well for me. if you are concerned about the brute force attempts (which cant work without the private key which you put a strong password on), you can use something like denyhosts to block those hosts from even connecting. hth Eric ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote: sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security. I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net. I'll just add the following to /etc/ssh/sshd_config, and restart the service: AllowHosts 192.168.0 82.x.x.x BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2? Thanks ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 04:59:07PM +0100, Matthew Seaman wrote: Paul Schmehl wrote: I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines. It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg: http://seclists.org/bugtraq/2001/Mar/0042.html Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student: scrub in all pass all antispoof log quick for lo0 Cheers, Matthew [*] Which is not without its legitimate uses, as anyone who as ever configured a load balancer using DSR mode will attest. I don't think that it's enough to say that this is the only case where a firewall is useful. Modern firewalls can do simple DOS protection, and on a multi-user system, they can prevent services from being started by your users. Egress firewalls on servers can stop unprivileged user compromises from wreaking havoc on external hosts. I'm sure that are other circumstances where a firewall is useful. Now I believe that there are other ways to address the above requirements, but they may require tradeoffs. mac_portacl allows restricting binding of ports (though I've never actually heard of anyone using it--this alone may be a reason ot go with a more tride-and-true solution.) This, however, requires compiling a custom kernel, which may be undesirable for other reasons. Erik ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Hi, Gilles wrote: I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net. I don't know your setup, but I'm pretty sure you can run the packet filter on your host anyway. You don't need to configure NAT to run your host firewall. I'll just add the following to /etc/ssh/sshd_config, and restart the service: AllowHosts 192.168.0 82.x.x.x OK! BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2? For me base system ssh works like a sharm. IMO, you only want to upgrade if you need a specific feature that is not available on system SSH. Pedro ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote: I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish? I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-) If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary. And if you've got users on your network Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user. I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day. But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving. Firewalls are too often crutches for people that don't want to learn how to properly maintain a host. Now that, on the other hand, I can completely agree with. --Jon Radel smime.p7s Description: S/MIME Cryptographic Signature
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
I see this statement all the time, and I wonder why. What does a firewall
on an individual host accomplish?
...
Firewalls are for preventing access to running services. By definition, if
you are running a service, you want it to be accessed.
That's your assumption.
First of all, firewalls are for preventing unwanted connections, this is not
necessarily the same as access to running services.
Prime examples: cable modem and windows hosts broadcast spam on an ISP's
network, ping floods. User scans [1], vulnerability scans, open relay
scanners, spammers fall into running services category.
So firewalls are
self-defeating or completely useless at the host level **unless** you don't
know what you're doing.
Or, when you do know what you're doing and don't see the firewall as a single
entity but as a node in the security tree, where tools like grok come in as
well.
For an individual host it makes a great deal more sense to only run those
services you intend to use ***and keep them up to date and properly
configured***.
It is an illusion to think that the patch always comes before the exposure.
Secondly, pending the ammount of services you offer, this can be a full task
and especially for the hobby category, it is more time-efficient to shut
off any unauthorized traffic to begin with.
Say, some webapp allows uploading a file and executing it. It is then quite
easy to add a daemon to your server, that you have not configured. With a
firewall in default block mode, this daemon does not receive connections.
Even when the patch is released before exposure, you could be, say sleeping
and it can be too late. For some this is paranoia, for others common sense.
Firewalls are too often crutches for people that don't want to learn how to
properly maintain a host.
Or save time, till it can be properly done. You're also assuming that you have
full control over installed software. The hobby case you mention or a
hosting environment this isn't always reality.
# sockstat | grep cupsd
root cupsd 6208 3 stream /var/run/cups.sock
root cupsd 6208 4 udp4 *:631 *:*
Sure,
block in proto udp from any to any port 631
Works for nfs and rpc as well :)
[4] # grep sshd /etc/defaults/rc.conf
sshd_enable=NO# Enable sshd
No? Surely you're not using inetd? sshd has tcp wrapper support built in, so
you can set everything from /etc/ssh/sshd_config, including the port and
using tcp wrappers. So in the event, inetd is vulnerable, sshd won't be.
[1]
# cat /etc/pf/grok-ssh.conf
file /var/log/auth.log {
type ssh-illegal-user {
match = Invalid user %USERNAME% from %IP%;
threshold = 5; # 5 hits ...
key = %IP%;# from a single ip ...
interval = 60; # in 1 minutes
reaction = /sbin/pfctl -t scans -Tadd %IP%;
};
type ssh-scan-possible {
match = Did not receive identification string from %IP%;
threshold = 3;
interval = 60;
reaction = /sbin/pfctl -t scans -Tadd %IP%;
};
};
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 13:18:44 -0400 Jon Radel [EMAIL PROTECTED] wrote: Paul Schmehl wrote: I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish? I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since. Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port. Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-) If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary. And if you've got users on your network Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user. I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day. Let me clarify. When I use the term host, I'm referring to what many would call a personal workstation or personal computer. If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is. Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su. But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving. Well, that was the point I was trying to make. A firewall might be analagous to a big rubber bumper that surrounds your car. *If* you get it, it provides some protection, but you *still* have to be able to use the doors, open the hood and the trunk, carry passengers, etc. So, why do you wear your seatbelt? Because it provides protection *even when* the bumpers fail. We think about security from the outside in when we should be thinking about security from the inside out. The firewall should be the *last* thing you think about *after* you've already taken all the precautions you can to make the firewall completely unnecessary. In today's world, all too often, people think they can not patch, not run antivirus, not do this, not do that, and everything will be fine because the firewall is protecting them. It's foolish and a false sense of security. What we *should* be doing is making sure the door locks function correctly (going back to the car analogy), the seats are properly anchored, the engine is properly maintained, the hood is properly closed, etc., etc. and *then* check to see if the bumper is in place. -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 20:30:53 +0200 Mel [EMAIL PROTECTED] wrote: On Friday 18 April 2008 16:53:49 Paul Schmehl wrote: Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. That's your assumption. First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services. Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category. They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises. For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***. It is an illusion to think that the patch always comes before the exposure. It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway. Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled. Secondly, pending the ammount of services you offer, this can be a full task and especially for the hobby category, it is more time-efficient to shut off any unauthorized traffic to begin with. Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense. Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hacker's daemons are running these days? **On the ports that you can't close on the firewall**. [4] # grep sshd /etc/defaults/rc.conf sshd_enable=NO# Enable sshd No? Surely you're not using inetd? I haven't used inetd in years. I'm not sure why you think I would be. -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff [EMAIL PROTECTED] wrote: Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me. I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing, it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work. So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports. Just have the MTA listen on localhost or on a unix socket. It can still send the reports that way but can't be attacked from outside (excepting the limited case that Matthew referred to.) 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose. Well, you *should* be remote syslogging any critical machines like that, but that doesn't mean the host itself has to listen for incoming syslog messages. WRT SSH, if it's a real concern, only allow access from your internal network. Then use a publicly accessible machine to tunnel through to it. (But lock it down as well. Attackers can come from the inside of your network just as easily as they can from outside.) Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box. If you're wanting to do this from foreign networks (not your own), then set up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever your have available) for the web interface. -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 20:53:37 Paul Schmehl wrote: --On Friday, April 18, 2008 20:30:53 +0200 Mel [EMAIL PROTECTED] wrote: On Friday 18 April 2008 16:53:49 Paul Schmehl wrote: Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. That's your assumption. First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services. Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category. They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises. Well, I don't particularly like someone using my bandwidth to find out if I changed my mailserver config to such that I would now be an open relay, every 10-20 minutes for weeks on end, so I want it to be over with at the TCP level, not at the daemon level. Individual hosts are exactly the target for these scans. Same with the webserver, there are a great number of requests that seperate a scan from a legitimate user. For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***. It is an illusion to think that the patch always comes before the exposure. It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway. In a targetted scenario, this is correct. However, scans precede the attack and one example I gave with grok, you can limit the chances that the attacker gets the information he needs to exploit the bug he's looking for. Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled. That would require root. So there's something else wrong in the chain, or it is one of those unfortunate services that run as root. Secondly, pending the ammount of services you offer, this can be a full task and especially for the hobby category, it is more time-efficient to shut off any unauthorized traffic to begin with. Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense. Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hacker's daemons are running these days? **On the ports that you can't close on the firewall**. I'm curious which those are. [4] # grep sshd /etc/defaults/rc.conf sshd_enable=NO# Enable sshd No? Surely you're not using inetd? I haven't used inetd in years. I'm not sure why you think I would be. Well, since sshd_enable is set to no, I assumed inetd would be where you've started it. -- Mel Problem with today's modular software: they start with the modules and never get to the software part. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 21:37:45 +0200 Mel [EMAIL PROTECTED] wrote: [4] # grep sshd /etc/defaults/rc.conf sshd_enable=NO# Enable sshd No? Surely you're not using inetd? I haven't used inetd in years. I'm not sure why you think I would be. Well, since sshd_enable is set to no, I assumed inetd would be where you've started it. Aw, I got it. You apparently didn't notice that I grepped /etc/*defaults*/rc.conf. (I don't set any flags for sshd, so I wouldn't have anything except enable in /etc/rc.conf.) -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote: (snip) Seems like I didn't do it right: /etc/ssh/sshd_config: [...] AllowHosts 192.168.0 82.227.x.x # /etc/rc.d/sshd restart Stopping sshd. Starting sshd. /etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts /etc/ssh/sshd_config: terminating, 1 bad configuration options Thanks. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
--On Saturday, April 19, 2008 00:12:41 +0200 Gilles [EMAIL PROTECTED] wrote: On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting [EMAIL PROTECTED] wrote: (snip) Seems like I didn't do it right: /etc/ssh/sshd_config: [...] AllowHosts 192.168.0 82.227.x.x # /etc/rc.d/sshd restart Stopping sshd. Starting sshd. /etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts /etc/ssh/sshd_config: terminating, 1 bad configuration options I don't see an AllowHosts option in man (5) sshd_config. There's AllowGroups, AllowTcpForwarding, AllowUsers, but no AllowHosts. If you want to restrict sshd logins by host, you can use AllowUsers like this: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] etc., etc. The list is space-separated on a single line. -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 13:46:48 -0500 Paul Schmehl [EMAIL PROTECTED] wrote: Let me clarify. When I use the term host, I'm referring to what many would call a personal workstation or personal computer. If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is. Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su. Sorry for bikeshedding here, since it's just a matter of terminology, but... Hosts used to be multi-user machines for a long time, and actually still are. Most RFCs, including newer ones, refer to hosts and mean nodes on the net. They don't care whether the hosts are workstations used by a single or few user(s), or big multi-user machines with hundreds of shell accounts. Server is merely the role a program assumes when it waits passively for requests from clients. Servers run on hosts, regardless of the number of users on those hosts (ranging from 0 to very high). Obviously, the security implications vary considerably if you have to host many user accounts, esp. on hosts used by mission critical server programs. ;) And of course, the bikeshed has to be painted... red! :) Regards, -cpghost. -- Cordula's Web. http://www.cordula.ws/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [SSHd] Limiting access from authorized IP's
At 18:17 18/04/2008 -0500, Paul Schmehl wrote: If you want to restrict sshd logins by host, you can use AllowUsers like this: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works: AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Thanks. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
