ssh security questions - Mandriva


Thread: ssh security questions

  1. ssh security questions

    Hi all. I am running 2008.1 with all patches.

    I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
    connecting to SSH. Since nobody else is allowed to use SSH except me
    from another machine (and no other machine is turned on right now), I am
    concerned.

    I am confused because in the firewall config, I selected the option to
    "Log firewall messages in system logs". I cannot find these items logged
    anywhere. I have checked /var/logs/messages, auth, system, warning,
    etc., etc. Where are they hiding?

    2nd part of this question - I have disabled ssh and sshd and
    sshd-xinetd in the system services menu (stopped, on-boot unchecked,
    start-when requested unchecked) and only turn them on when I need to
    use them. Does that keep me fairly safe from ssh hackers?

    Thanks,

    JimR

  2. Re: ssh security questions

    On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:
    > Hi all. I am running 2008.1 with all patches.
    >
    > I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
    > connecting to SSH. Since nobody else is allowed to use SSH except me
    > from another machine (and no other machine is turned on right now), I am
    > concerned.


    Popups are from the fact that you did not disable interactive firewall
    in the firewall setup section.

    > I am confused because in the firewall config, I selected the option to
    > "Log firewall messages in system logs". I cannot find these items logged
    > anywhere. I have checked /var/logs/messages, auth, system, warning,
    > etc., etc. Where are they hiding?


    Guessing you would see them by doing a
    grep Shorewall /var/log/messages

    That should work for about anytime except just after Sunday around 4am
    or any Sunday you login if you installed anacron.

    If so, then
    zcat /var/log/messages*.gz | grep Shorewall would show messages
    which are compressed.


    > 2nd part of this question - I have disabled ssh and sshd and
    > sshd-xinetd in the system services menu (stopped, on-boot unchecked,
    > start-when requested unchecked) and only turn them on when I need to
    > use them. Does that keep me fairly safe from ssh hackers?


    Fairly safe.

    Your firewall is your defence from attack attempts from the Internet.
    Most of those will be from script kiddies.
    Your black hats are trying to exploit systems via the applications
    you execute on your system when browsing.

    Common attacks there are from java/javascript.

    Your first line of defense solution to those would be adding the
    NoScript Add On to Firefox.

    To reduce the window of exploit opportunity via cracked ad/web servers,
    I would recommend privoxy.
    Another point of entry to close is disable Universal Plug and Play in
    your router if it has one. Then add your router to privoxy's user.action file.

    ======================================================================
    privoxy.txt version 2.1

    Crackers are cracking systems and routers from application's data
    files like Realplayer, flash, Internet Explorer,... running on the pc using
    java, javascript, activeX, silverlight, etc.

    They have cracked ad servers to distribute/run malware.

    I hard code Opendns.org nameservers on pc just in case my router gets
    cracked and black hat DNS ip get set. Opendns also blocks known
    malware sites.

    Opendns nameservers are 208.67.222.222 and 208.67.220.220.
    See https://www.opendns.com

    javascript malware runs on linux and micro$oft and may be used to
    crack your router. Latest jre from java.sun.com installs a jexec
    linux service/daemon to allow java to execute. I disabled that pretty quick.


    http://www.haveyougotwoods.com/archi...ters-only.aspx

    I suggest installing privoxy and the NoScript Add On in Firefox.

    Details of hijacked 24/7 ad server emerge
    http://www.networkworld.com/news/200...ed-247-ad.html

    “In mid-year 2007, studies showed there were nearly 30,000 new
    infected web pages being created every day."
    http://finjan.com/Pressrelease.aspx?...Lan=1819&lan=3

    Shape-shifting malware hits the web
    http://itnews.com.au/News/76128,shap...s-the-web.aspx

    I suggest using privoxy to block ads. http://www.privoxy.org/
    and access to your router from the pc.

    If you want to play with privoxy, Mandriva Linux install instructions here
    http://groups.google.com/group/alt.o...6245f3f5fab041
    has a bunch of sites already added to +block in user.action.
    You may want to add your router's ip under { +block } to prevent malware
    cracks of your router while surfing.

    Another extensive action file found here
    http://www.neilvandyke.org/privoxy-rules/

    Adding NoScript Add On to firefox http://noscript.net/getit
    It's Options --> Advanced Untrusted
    lets you set a few restrictions for Untrusted Sites.
    I have all boxes checked for Untrusted sites.

    #***************** start privoxy.txt *********************************

    click up a terminal

    su - root
    urpmi --wget privoxy --auto

    You might consider getting a copy of my user.actions:
    cp /etc/privoxy/user.action /etc/privoxy/user.action_orig
    Copy my user.aciton script into /etc/privoxy/user.action from
    http://groups.google.com/group/alt.o...6245f3f5fab041

    You may want to add your router's ip under { +block }
    in /etc/privoxy/user.action to prevent malware cracks of your router
    while surfing.

    service privoxy restart
    exit
    exit

    In firefox,
    Edit->Preference->Advanced
    Click Network tab
    Connection
    Settings button

    click Manual proxy configuration:
    HTTP Proxy: 127.0.0.1 Port: 8118
    SSL Proxy: 127.0.0.1 Port: 8118
    Be sure to clear the "No Proxy for" box
    Click OK
    Click Close

    #********************* end privoxy.txt **************************

    I'll recommend not using Internet Explorer or Outlook Express.
    Use third party apps. Firefox, Thunderbird for example.

    I strongly recommend Firefox with the NoScript Add On.
    Black Hats are using a lot of Java* tricks to exploit systems.

    My NoScript Option settings.
    General
    check box Left clicking on NoScript toolbar button
    Radio button Base 2nd level Domains
    check box Automatically reload affected pages when permissions change
    Whitelist
    I added file:// for my local index.html file
    Plugins
    All boxes checked except Collapse blocked objects
    Appearance
    No changes by me.
    Notifications
    Everything checked except Audio Feedback
    Did set Hide After at 5 seconds
    Advanced
    Untrusted
    Everything checked except Hide

  3. Re: ssh security questions

    On 2008-06-14, JimR wrote:
    > Hi all. I am running 2008.1 with all patches.
    >
    > 2nd part of this question - I have disabled ssh and sshd and
    > sshd-xinetd in the system services menu (stopped, on-boot unchecked,
    > start-when requested unchecked) and only turn them on when I need to
    > use them. Does that keep me fairly safe from ssh hackers?


    To be safe from hackers using ssh.. I think ..

    1) Make sure you always get and apply the latest security updates immediately.
    (as you seem to do)
    2) Make sure root can't log in.
    3) Make sure every account on your server either disallows login or has
    a strong password. (or maybe force certificate logins only and keep
    certificate somewhere handy, personally I don't do this.)
    4) If possible run sshd on a high port (a bit of security via obscurity
    but I've found it very effective personally. There is usually no
    activity at all on the port I use unless it's me)

    My sshd server is on about 90% of the time, and I've never noticed
    anyone sniffing around it when I've looked in the logs.
    (Although maybe I should set up some IDS to be on the safe side). Good
    point..

    5) Install an IDS package of some kind.
    6) Look at port triggering/port knocking (some people think it adds no
    additional security , others love it)

    Lordy

  4. Re: ssh security questions

    On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:

    > Hi all. I am running 2008.1 with all patches.
    >
    > I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
    > connecting to SSH. Since nobody else is allowed to use SSH except me
    > from another machine (and no other machine is turned on right now), I am
    > concerned.
    >
    > I am confused because in the firewall config, I selected the option to
    > "Log firewall messages in system logs". I cannot find these items logged
    > anywhere. I have checked /var/logs/messages, auth, system, warning,
    > etc., etc. Where are they hiding?
    >
    > 2nd part of this question - I have disabled ssh and sshd and
    > sshd-xinetd in the system services menu (stopped, on-boot unchecked,
    > start-when requested unchecked) and only turn them on when I need to
    > use them. Does that keep me fairly safe from ssh hackers?
    >


    Just pick a new port. When I used standard port I got brute forced all
    the time. Also I disabled passwords and only use keys. And no root login.


    CL
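    Replies 3 and 4 above both come down to three sshd_config settings: root login off, passwords off (keys only) and a non-default port. The following is an added example, not code from any poster, that checks a config file for exactly those settings; the sample configs it writes are constructed, and the sshd_setting/audit_sshd_config function names are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended in this
# thread (no root login, keys instead of passwords, non-default port).
# Note: sshd takes the first occurrence of a keyword; Match blocks are not handled.

# Print the lower-cased value of keyword $2 in config $1 (empty if unset).
sshd_setting() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null |
        head -n 1 | awk '{ print tolower($2) }'
}

# Print findings for config $1; return the number of weak settings (0 = clean).
audit_sshd_config() {
    bad=0
    root=$(sshd_setting "$1" PermitRootLogin)
    pass=$(sshd_setting "$1" PasswordAuthentication)
    port=$(sshd_setting "$1" Port)
    # Unset keywords fall back to OpenSSH defaults: root login allowed (older
    # releases), password authentication on, port 22.
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin=${root:-unset} (thread: root must not log in)"
        bad=$((bad + 1))
    fi
    if [ "$pass" != "no" ]; then
        echo "WEAK: PasswordAuthentication=${pass:-unset} (thread: keys only)"
        bad=$((bad + 1))
    fi
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "NOTE: Port=${port:-22} is the default; thread suggests a high port"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed sample configs (not from the thread): one hardened, one left at defaults.
TMPD=$(mktemp -d)
cat > "$TMPD/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$TMPD/weak.conf" <<'EOF'
#PermitRootLogin no          <- commented out, so not in effect
PasswordAuthentication yes
EOF
echo "== hardened =="; audit_sshd_config "$TMPD/hardened.conf" || true
echo "== weak =="; audit_sshd_config "$TMPD/weak.conf" || true
```

    Run it against /etc/ssh/sshd_config as root after editing; a return code of 0 means all three settings match the thread's advice.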


  5. Re: ssh security questions

    Bit Twister wrote:
    > #***************** start privoxy.txt *********************************
    >
    > click up a terminal
    >
    > su - root
    > urpmi --wget privoxy --auto
    >
    > You might consider getting a copy of my user.actions:
    > cp /etc/privoxy/user.action /etc/privoxy/user.action_orig


    > Copy my user.aciton script into /etc/privoxy/user.action from


    Bit Twister, there is a typographical error in the line above:
    user.aciton -> user.action

    Also, I noticed there was no reference to Neil Van Dyke's Privoxy
    action file in your privoxy.txt. I don't care very much whether
    there is or not, but sometimes I notice things while reading, so I
    mentioned it in case the omission was inadvertent.

  6. Re: ssh security questions

    On Sat, 14 Jun 2008 21:30:27 -0700, Scott B. wrote:
    >
    > Bit Twister, there is a typographical error in the line above:
    > user.aciton -> user.action


    Fixed, thank you.

    > Also, I noticed there was no reference to Neil Van Dyke's Privoxy
    > action file in your privoxy.txt.


    Yes there was about line 48.
    Another extensive action file found here
    http://www.neilvandyke.org/privoxy-rules/

  7. Re: ssh security questions

    Bit Twister wrote:
    >
    > On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:
    >> Hi all. I am running 2008.1 with all patches.
    >>
    >> I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
    >> connecting to SSH. Since nobody else is allowed to use SSH except me
    >> from another machine (and no other machine is turned on right now), I am
    >> concerned.

    >
    > Popups are from the fact that you did not disable interactive firewall
    > in the firewall setup section.
    >
    >> I am confused because in the firewall config, I selected the option to
    >> "Log firewall messages in system logs". I cannot find these items logged
    >> anywhere. I have checked /var/logs/messages, auth, system, warning,
    >> etc., etc. Where are they hiding?

    >
    > Guessing you would see them by doing a
    > grep Shorewall /var/log/messages
    >

    {snip}
    That was pretty much the point of my first question. Those messages are
    *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
    yields nothing. Nor is there anything logged at all under anything in
    /var/log/*

    Thanks,
    JimR

  8. Re: ssh security questions

    On Sun, 15 Jun 2008 23:45:42 -0400, JimR wrote:

    > That was pretty much the point of my first question. Those messages are
    > *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
    > yields nothing. Nor is there anything logged at all under anything in
    > /var/log/*


    Well, had you done a grep shorewall /var/log/messages they would not
    show up. I was just checking.

    I now have to guess Shorewall is not running. Let's get some facts to
    work with.

    click up a terminal, and show us the output from the following:

    su - root
    chkconfig --list shorewall
    echo $SECURE_LEVEL

  9. Re: ssh security questions

    On Sun, 15 Jun 2008 23:45:42 -0400, JimR wrote:

    > That was pretty much the point of my first question. Those messages are
    > *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
    > yields nothing. Nor is there anything logged at all under anything in


    The grep command is case sensitive (without the -i option). Try copying
    and pasting "grep Shorewall /var/log/syslog" and see if that shows anything.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  10. Re: ssh security questions

    Bit Twister wrote:
    >
    > On Sun, 15 Jun 2008 23:45:42 -0400, JimR wrote:
    >
    >> That was pretty much the point of my first question. Those messages are
    >> *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
    >> yields nothing. Nor is there anything logged at all under anything in
    >> /var/log/*

    >
    > Well, had you done a grep shorewall /var/log/messages they would not
    > show up. I was just checking.
    >
    > I now have to guess Shorewall is not running. Let's get some facts to
    > work with.
    >
    > click up a terminal, and show us the output from the following:
    >
    > su - root
    > chkconfig --list shorewall
    > echo $SECURE_LEVEL


    OK, let's simplify this.

    I inspect the log with tail /var/log/messages .

    I go to the other computer and perform ssh from there to the Mandriva
    machine. On the Mandriva machine, I see the interactive popup stating
    that the other computer is connecting to ssh.

    I inspect the log again with tail /var/log/messages.

    There are *no new entries* since the time 15 seconds ago when I
    inspected it. Nor in any of the other logs under /var/logs/* .

    So when I check the box in MCC that says to log firewall messages to
    system logs, and it apparently does nothing, is this a bug in MCC?

    Thanks,

    JimR

    PS - to answer your suggestions, here is the output.

    [root@xxxxxx log]# chkconfig --list shorewall
    shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off
    [root@xxxxxx log]# echo $SECURE_LEVEL
    2
    [root@xxxxxx log]#

  11. Re: ssh security questions

    On Tue, 17 Jun 2008 00:49:31 -0400, JimR wrote:
    >
    > OK, let's simplify this.
    >
    > I inspect the log with tail /var/log/messages .


    As an FYI, you can use tail -f /var/log/messages to watch the log in
    real time. Ctrl-C to abort the tail -f


    > I go to the other computer and perform ssh from there to the Mandriva
    > machine. On the Mandriva machine, I see the interactive popup stating
    > that the other computer is connecting to ssh.


    Normally allowed connects are not logged.

    > So when I check the box in MCC that says to log firewall messages to
    > system logs, and it apparently does nothing, is this a bug in MCC?


    Mine logs so we will need to drill farther into what you have.

    > [root@xxxxxx log]# chkconfig --list shorewall
    > shorewall       0:off   1:off   2:on    3:on    4:on    5:on    6:off
    > [root@xxxxxx log]# echo $SECURE_LEVEL
    > 2


    Ok, I run 3 with interactive off.

    get back into your root terminal and show us the output from the following:

    cd /etc/shorewall

    grep -i log *

    service shorewall restart

    grep -v '#' rules

    cat rules.drakx
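    For the log side of the thread (the grep Shorewall / zcat commands in reply 2 and the drill-down in reply 11), here is an added example, not from any poster, that counts Shorewall entries for port 22 by source address and disposition. It assumes Shorewall's standard "Shorewall:<chain>:<disposition>:" log prefix, and the sample log lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: summarise Shorewall log entries for SSH (DPT=22) per source
# address and disposition, from /var/log/messages and rotated *.gz copies.
# Assumes Shorewall's standard "Shorewall:<chain>:<disposition>:" log prefix.
shorewall_ssh_summary() {
    # $@ = log files; .gz files are decompressed on the fly (the zcat tip above)
    for f in "$@"; do
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | awk '
        /Shorewall:/ && /PROTO=TCP/ && / DPT=22( |$)/ {
            split($0, p, "Shorewall:"); split(p[2], q, ":")
            chain = q[1]; action = q[2]; src = "?"
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            count[src " " action " " chain]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log (documentation addresses, not real traffic).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jun 14 15:59:25 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22 SYN
Jun 14 15:59:31 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=22 SYN
Jun 14 16:02:03 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22 SYN
Jun 14 16:05:44 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=2222 SYN
Jun 14 16:07:10 mdv kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=22 SYN
EOF

# Output: "<count> <src> <disposition> <chain>", most frequent first.
shorewall_ssh_summary "$LOG"
```

    On a real box run it as shorewall_ssh_summary /var/log/messages /var/log/messages*.gz; as reply 11 notes, accepted connects are normally not logged, so the DROP and REJECT lines are what you would expect to see.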
