Subject: Newbie with ssh-server running... Hacking attempts against me... - Firewalls


Thread: Subject: Newbie with ssh-server running... Hacking attempts against me...

  1. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    JD wrote:


    > I was looking at it in terms of MS and the NT C2 security certification.
    > If no one can access the server, then it is 100% secured. The more ways
    > there are to access it, the greater the potential for unauthorised access.
    > Higher security usually translates to less user friendly.



    Higher security in terms of discretionary access control only translates to
    higher isolation of user contexts. Within a user context, any application is
    free to do whatever unprivileged action it requires to do its job.

    >> And how should he get the exploit executed on the machine in first place, if
    >> no logon is ever granted to him? This would at least require user
    >> interaction and totally unrelated internet-facing application.

    >
    > How do exploits get executed then? Otherwise they wouldn't be exploits.



    This would limit the attack vector to all protocol action performed before
    login. Unless you're too stupid to implement CRC32 correctly, I'd say this
    is a non-issue.


    > You trust things more than I would if I suspected a successful compromise.



    The kernel is always the ultimate authority in the system. If it decides
    that root isn't the ueber-privileged user any more, it can enforce various
    limitations. One is that the kernel's logging facility is completely
    isolated, and all privileges that root could use to get access to kernel
    memory or compromising the kernel are removed. That is, root might still
    overwrite the privileges of any user, can change the system time, can debug
    other processes, can read disks in raw mode etc. but he can't load any
    drivers, do any kernel debugging, change the RTC time, write to the disk in
    raw mode, or bypass access checks on the kernel's files and objects.

  2. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    On Sun, 11 May 2008 20:08:35 +0200, Sebastian G. wrote:

    > JD wrote:
    >
    >> You trust things more than I would if I suspected a successful compromise.

    >
    >
    > The kernel is always the ultimate authority in the system. If it decides
    > that root isn't the ueber-privileged user any more, it can enforce various
    > limitations. One is that the kernel's logging facility is completely
    > isolated, and all privileges that root could use to get access to kernel
    > memory or compromising the kernel are removed. That is, root might still
    > overwrite the privileges of any user, can change the system time, can debug
    > other processes, can read disks in raw mode etc. but he can't load any
    > drivers, do any kernel debugging, change the RTC time, write to the disk in
    > raw mode, or bypass access checks on the kernel's files and objects.


    I understand what you mean now. We just differ on our definitions.

  3. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    Nico Kadel-Garcia wrote:
    > Santa Claus wrote:
    >> Nico Kadel-Garcia wrote:
    >>>>> Have you ever read up on 'zero-day' exploits, and cracking kits?
    >>>>
    >>>> Not really. I'm using:
    >>>>
    >>>> # telnet localhost 22
    >>>> Trying 127.0.0.1...
    >>>> Connected to localhost.
    >>>> Escape character is '^]'.
    >>>> SSH-2.0-OpenSSH_4.7
    >>>> ^C^C
    >>>> Connection closed by foreign host.
    >>>>
    >>>>
    >>>> So it's: OpenSSH_4.7p1, OpenSSL 0.9.7l 28 Sep 2006
    >>>>
    >>>>
    >>>> Do I have to worry or upgrade? I just saw on openssh.com that
    >>>> there's a new version: OpenSSH 5.0/5.0p1 released Apr 3, 2008.
    >>>
    >>> You need to stay up to date with patches, not necessarily the primary
    >>> version. They started adding the capability for a chroot cage at
    >>> about 4.7, after years of people like me lobbying and publishing
    >>> patches to provide one.
    >>>
    >>>> I believe(d) that SSH even though it is from 2006, should be pretty
    >>>> secure? Else I can upgrade in the coming days...
    >>>> ** Posted from http://www.teranews.com **
    >>>
    >>> Well, it depends on what you want to do. If you've got people
    >>> accessing your site versus 'sftp', or scp with tools like 'WinSCP',
    >>> you might want to update to version 5.0 and set up a real chroot cage
    >>> to keep them away from the rest of your system.

    >>
    >> Ok. Thanks - I update when I get more time.
    >>
    >> ** Posted from http://www.teranews.com **

    >
    > No sweat. If you need to give user file-access and want an easier, more
    > manageable 'chroot' configuration, seriously consider WebDAV over HTTPS.
    > It handles symlinks, which SCP and sftp do not, and has much better
    > resolution over upload, download, and filesystem access.

    Any good pointers on how to set it up? I tried it once (a few months back)
    but couldn't even get a directory listing, although basic authentication
    did work (without https).

  4. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    goarilla <"kevinpaulus|"@|skynet punt> wrote:
    > Nico Kadel-Garcia wrote:
    >> Santa Claus wrote:
    >>> Nico Kadel-Garcia wrote:
    >>>>>> Have you ever read up on 'zero-day' exploits, and cracking kits?
    >>>>>
    >>>>> Not really. I'm using:
    >>>>>
    >>>>> # telnet localhost 22
    >>>>> Trying 127.0.0.1...
    >>>>> Connected to localhost.
    >>>>> Escape character is '^]'.
    >>>>> SSH-2.0-OpenSSH_4.7
    >>>>> ^C^C
    >>>>> Connection closed by foreign host.
    >>>>>
    >>>>>
    >>>>> So it's: OpenSSH_4.7p1, OpenSSL 0.9.7l 28 Sep 2006
    >>>>>
    >>>>>
    >>>>> Do I have to worry or upgrade? I just saw on openssh.com that
    >>>>> there's a new version: OpenSSH 5.0/5.0p1 released Apr 3, 2008.
    >>>>
    >>>> You need to stay up to date with patches, not necessarily the
    >>>> primary version. They started adding the capability for a chroot
    >>>> cage at about 4.7, after years of people like me lobbying and
    >>>> publishing patches to provide one.
    >>>>
    >>>>> I believe(d) that SSH even though it is from 2006, should be pretty
    >>>>> secure? Else I can upgrade in the coming days...
    >>>>> ** Posted from http://www.teranews.com **
    >>>>
    >>>> Well, it depends on what you want to do. If you've got people
    >>>> accessing your site versus 'sftp', or scp with tools like 'WinSCP',
    >>>> you might want to update to version 5.0 and set up a real chroot
    >>>> cage to keep them away from the rest of your system.
    >>>
    >>> Ok. Thanks - I update when I get more time.
    >>>
    >>> ** Posted from http://www.teranews.com **

    >>
    >> No sweat. If you need to give user file-access and want an easier,
    >> more manageable 'chroot' configuration, seriously consider WebDAV over
    >> HTTPS. It handles symlinks, which SCP and sftp do not, and has much
    >> better resolution over upload, download, and filesystem access.

    > Any good pointers on how to set it up? I tried it once (a few months back)
    > but couldn't even get a directory listing, although basic authentication
    > did work (without https).



    I'm surprised it was difficult. I just read the documentation, and was careful
    to use 'Directory' rather than 'Location' based settings, and it worked from
    the limited documentation built into HTTPD.

  5. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    JD wrote:

    > On Sun, 11 May 2008 20:08:35 +0200, Sebastian G. wrote:
    >
    >> JD wrote:
    >>
    >>> You trust things more than I would if I suspected a successful compromise.

    >>
    >> The kernel is always the ultimate authority in the system. If it decides
    >> that root isn't the ueber-privileged user any more, it can enforce various
    >> limitations. One is that the kernel's logging facility is completely
    >> isolated, and all privileges that root could use to get access to kernel
    >> memory or compromising the kernel are removed. That is, root might still
    >> overwrite the privileges of any user, can change the system time, can debug
    >> other processes, can read disks in raw mode etc. but he can't load any
    >> drivers, do any kernel debugging, change the RTC time, write to the disk in
    >> raw mode, or bypass access checks on the kernel's files and objects.

    >
    > I understand what you mean now. We just differ on our definitions.



    I didn't claim that this model or approach is perfect or even a good idea.
    But it's a non-theoretical productive OS where in a certain configuration
    there simply is no ultimately powerful principal, and root is merely a
    normal user with some privileges to manage non-system stuff.

  6. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    On 2008-05-10 19:07:30 -0400, Santa Claus said:

    > Dear NG,
    >
    > Subject: Newbie with ssh-server running... Hacking attempts against
    > me... I hope this question is appropriate - My log says:



    - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
    of my servers in years.

    - You sounded like you can code in PERL. Write a script that changes
    your SSH port each day, or according to some date calculation you
    invent to a non-standard port and promulgate the port information
    inside your enterprise - this is easier than you think it is to do.

    - Consider rolling your hosts behind a firewall that can use knockd or
    something similar implementing a "knock, knock" protocol. This way, no
    ports need to be open unless you send the properly formatted packets to
    the right TCP ports in the right sequence in the right amount of time,
    then the port "opens up". I use my own algorithm with ICMP packets that
    contain cryptographic data that verifies to a limited degree the origin
    of the sender.

    - Be careful what information you share with the public in NG's and
    other places about your problem.

    - If you're using OS/X desktops, consider installing Little Snitch on
    them for some added security.

    /dmfh

    --
    _ __ _
    __| |_ __ / _| |_ 01100100 01101101
    / _` | ' \| _| ' \ 01100110 01101000
    \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx


  7. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    On May 11, 7:33 am, Santa Claus wrote:
    > darkog wrote:
    > > There is an iptables trick you can use to easily address these
    > > attacks. Google it. These attacks are very common. Anyone that is
    > > running an Internet facing SSH server on port 22 will see these
    > > regularly.

    >
    > Something like this: http://www.newartisans.com/blog_file...h.iptables.php
    >
    > ?
    > ** Posted from http://www.teranews.com **


    Sure. Even this might help:

    http://forums.theplanet.com/lofivers...hp/t57628.html

    You have to test it to make sure it works. Also make sure the "--limit"
    switch is actually available to you. On some systems, I remember I have
    had to recompile iptables to get it.

    As has been posted, it's an automated/scripted attack, probably with the
    goal of gaining access to the box and using it to send SPAM. The logic is
    that there is probably someone out there in WWW-land who is using one of
    those weak username/password combos.

    If you want to keep this internet facing, you will also want to keep up
    to date with openssh security updates; otherwise the attack vector
    expands to successful use of an openssh exploit/vulnerability.
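    An added example, not from any poster in this thread: a POSIX shell generator for the kind of per-source connection rate-limit darkog refers to, built on iptables' `recent` match, plus the availability check for the `limit`, `recent` and `conntrack` matches that the post above warns about. The function names, the port argument and the threshold of 5 new connections in 60 seconds are assumptions for the example.

```shell
#!/bin/sh
# Example rules (assumed values, not from the thread): rate-limit NEW inbound
# SSH connections per source address. Rules are printed so they can be
# reviewed; ssh_ratelimit_apply pipes them into sh.

# Print the rule set for the given SSH port (default 22). A source that opens
# more than 4 new connections within 60 seconds is logged and dropped; the
# --update on the DROP rule keeps the window rolling while it keeps trying.
# Established sessions never enter the SSH_LIMIT chain.
ssh_ratelimit_rules() {
    port="${1:-22}"
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name sshbf --set
iptables -A SSH_LIMIT -m recent --name sshbf --rcheck --seconds 60 --hitcount 5 -m limit --limit 3/min -j LOG --log-prefix "SSH-BRUTE: "
iptables -A SSH_LIMIT -m recent --name sshbf --update --seconds 60 --hitcount 5 -j DROP
iptables -A SSH_LIMIT -j ACCEPT
EOF
}

# The thread notes that the "--limit" switch is missing on some builds.
# Asking iptables for a match's help text fails if the extension cannot be
# loaded, so this checks every match the rule set depends on. Returns 0 if
# all are present, 1 otherwise.
ssh_ratelimit_modules_ok() {
    for m in recent limit conntrack; do
        iptables -m "$m" --help >/dev/null 2>&1 || return 1
    done
    return 0
}

# Apply the rules for port $1 (default 22); refuses to run if a match is
# missing rather than leaving a half-installed chain behind.
ssh_ratelimit_apply() {
    ssh_ratelimit_modules_ok || {
        echo "required iptables matches (recent/limit/conntrack) missing" >&2
        return 1
    }
    ssh_ratelimit_rules "$1" | sh -e
}
```

Run `ssh_ratelimit_rules 2222` to review the rules for a non-standard port before applying; applying requires root and an iptables build with the three matches.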





  8. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    Digital Mercenary For Honor wrote:
    > On 2008-05-10 19:07:30 -0400, Santa Claus said:
    >
    >> Dear NG,
    >>
    >> Subject: Newbie with ssh-server running... Hacking attempts against
    >> me... I hope this question is appropriate - My log says:

    >
    >
    > - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
    > of my servers in years.


    Yes, I read that's a really good idea...

    > - You sounded like you can code in PERL. Write a script that changes


    I can code in many languages - though not really in Perl - I want to
    learn it however...

    > your SSH port each day, or according to some date calculation you invent
    > to a non-standard port and promulgate the port information inside your
    > enterprise - this is easier than you think it is to do.


    Great idea... This could be my first real perl-project, after having
    done some tutorials... It sounds like I can do that (I think it should
    be easy in perl)...

    > - Consider rolling your hosts behind a firewall that can use knockd or
    > something similar implementing a "knock, knock" protocol. This way, no
    > ports need to be open unless you send the properly formatted packets to
    > the right TCP ports in the right sequence in the right amount of time,
    > then the port "opens up". I use my own algorithm with ICMP packets that
    > contain cryptographic data that verifies to a limited degree the origin
    > of the sender.


    Wow... Great idea - exactly what I was looking for... Thanks a lot...

    > - Be careful what information you share with the public in NG's and
    > other places about your problem.


    I know... I believe nobody should even be able to see my IP when posting
    through teranews...

    > - If you're using OS/X desktops, consider installing Little Snitch on
    > them for some added security.


    Thanks... I'll consider that...


    ** Posted from http://www.teranews.com **
