Re: Subject: Newbie with ssh-server running... Hacking attempts against me...
JD wrote:
> On Sun, 11 May 2008 20:08:35 +0200, Sebastian G. wrote:
>
>> JD wrote:
>>
>>> You trust things more than I would if I suspected a successful compromise.
>>
>> The kernel is always the ultimate authority in the system. If it decides
>> that root isn't the ueber-privileged user any more, it can enforce various
>> limitations. One is that the kernel's logging facility is completely
>> isolated, and all privileges that root could use to get access to kernel
>> memory or compromise the kernel are removed. That is, root might still
>> overwrite the privileges of any user, can change the system time, can debug
>> other processes, can read disks in raw mode etc. but he can't load any
>> drivers, do any kernel debugging, change the RTC time, write to the disk in
>> raw mode, or bypass access checks on the kernel's files and objects.
>
> I understand what you mean now. We just differ on our definitions.
I didn't claim that this model or approach is perfect or even a good idea.
But it's a non-theoretical productive OS where in a certain configuration
there simply is no ultimately powerful principal, and root is merely a
normal user with some privileges to manage non-system stuff.
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...
On 2008-05-10 19:07:30 -0400, Santa Claus <free_presents@greenland> said:
> Dear NG,
>
> Subject: Newbie with ssh-server running... Hacking attempts against
> me... I hope this question is appropriate - My log says:
- Use a non-standard SSH port immediately. I haven't used tcp/22 on any
of my servers in years.
- You sounded like you can code in PERL. Write a script that changes
your SSH port each day, or according to some date calculation you
invent to a non-standard port and promulgate the port information
inside your enterprise - this is easier than you think it is to do.
- Consider rolling your hosts behind a firewall that can use knockd or
something similar implementing a "knock, knock" protocol. This way, no
ports need to be open unless you send the properly formatted packets to
the right TCP ports in the right sequence in the right amount of time,
then the port "opens up". I use my own algorithm with ICMP packets that
contain cryptographic data that verifies to a limited degree the origin
of the sender.
- Be careful what information you share with the public in NG's and
other places about your problem.
- If you're using OS/X desktops, consider installing Little Snitch on
them for some added security.
/dmfh
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...
On May 11, 7:33 am, Santa Claus <free_presents@greenland> wrote:
> darkog wrote:
> > There is an iptables trick you can use to easily address these
> > attacks. Google it. These attacks are very common. Anyone that is
> > running an Internet facing SSH server on port 22 will see these
> > regularly.
>
> Something like this: http://www.newartisans.com/blog_files/tricks.with.iptables.php
>
> ?
sure. even this might help.
http://forums.theplanet.com/lofiversion/index.php/t57628.html
you have to test it to make sure it works. also make sure the "--limit"
switch is actually available to you. on some systems, i remember i have
had to recompile iptables to get it.
as has been posted, it's an automated/scripted attack, probably with the
goal of gaining access to the box and using it to send SPAM. the logic
being that there is probably someone out there in WWW-land that is using
one of those weak username/password combos.
if you want to keep this internet facing, you will also want to keep up
to date with openssh security updates, otherwise the attack vector
expands to successful use of an openssh exploit/vulnerability.
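As an added illustration of the iptables rate-limiting trick discussed above (example code written for this thread, not taken from the linked pages or from any poster), the function below builds a dedicated chain that drops NEW connections to the SSH port from any source that has already opened several within a short window. It assumes the `recent` and `state` match modules are compiled in; by default it only prints the commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Rate-limit new TCP connections to the SSH port with the iptables "recent"
# module: a source that opens more than $hits connections in $window seconds
# is dropped, which stops a scripted dictionary attack after its first burst.
# Default is a dry run that prints each rule; set APPLY=1 to execute (needs
# root, and the kernel must have the recent and state match modules).
ssh_ratelimit_rules() {
  port="${1:-22}"      # SSH port; put your non-standard port here
  hits="${2:-4}"       # new connections allowed ...
  window="${3:-60}"    # ... per this many seconds, per source address
  run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
  }
  # Own chain so the limit can be reloaded without rewriting INPUT.
  run iptables -N SSH_RATE 2>/dev/null || true
  run iptables -F SSH_RATE
  # Every new attempt is recorded for its source in the "sshattack" list.
  run iptables -A SSH_RATE -m recent --name sshattack --set
  # If this source already has $hits entries in the last $window seconds, drop.
  run iptables -A SSH_RATE -m recent --name sshattack --update \
      --seconds "$window" --hitcount "$hits" -j DROP
  run iptables -A SSH_RATE -j ACCEPT
  # Only NEW connections pass through the chain; established sessions are
  # never affected. The delete keeps re-runs from stacking duplicate jumps.
  run iptables -D INPUT -p tcp --dport "$port" -m state --state NEW \
      -j SSH_RATE 2>/dev/null || true
  run iptables -I INPUT -p tcp --dport "$port" -m state --state NEW \
      -j SSH_RATE
}
```

Legitimate users who reconnect in quick succession also count against the limit, so keep the window short and test from a second host before relying on it.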
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...
Digital Mercenary For Honor wrote:
> On 2008-05-10 19:07:30 -0400, Santa Claus <free_presents@greenland> said:
>
>> Dear NG,
>>
>> Subject: Newbie with ssh-server running... Hacking attempts against
>> me... I hope this question is appropriate - My log says:
>
>
> - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
> of my servers in years.

Yes, I read that's a really good idea...

> - You sounded like you can code in PERL. Write a script that changes
I can code in many languages - though not really in Perl - I want to
learn it however...

> your SSH port each day, or according to some date calculation you invent
> to a non-standard port and promulgate the port information inside your
> enterprise - this is easier than you think it is to do.

Great idea... This could be my first real perl-project, after having
done some tutorials... It sounds like I can do that (I think it should
be easy in perl)...

> - Consider rolling your hosts behind a firewall that can use knockd or
> something similar implementing a "knock, knock" protocol. This way, no
> ports need to be open unless you send the properly formatted packets to
> the right TCP ports in the right sequence in the right amount of time,
> then the port "opens up". I use my own algorithm with ICMP packets that
> contain cryptographic data that verifies to a limited degree the origin
> of the sender.

Wow... Great idea - exactly what I was looking for... Thanks a lot...

> - Be careful what information you share with the public in NG's and
> other places about your problem.

I know... I believe nobody should even be able to see my IP when posting
through teranews...

> - If you're using OS/X desktops, consider installing Little Snitch on
> them for some added security.

Thanks... I'll consider that...
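The original poster's evidence is the sshd log, and the thread agrees the entries are a scripted dictionary attack. As an added example (written for this thread, not by any of the posters), the shell function below counts "Failed password" entries per source address in an OpenSSH auth log and lists the sources at or above a threshold, which makes the automated sources stand out from an occasional mistyped password. The sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Count failed SSH password attempts per source address and report sources
# at or above THRESHOLD, most active first.
# Usage: failed_ssh_by_ip THRESHOLD < /var/log/auth.log
failed_ssh_by_ip() {
  threshold="${1:-3}"
  awk -v t="$threshold" '
    # OpenSSH writes "Failed password for [invalid user ]USER from IP port N ssh2";
    # the address always follows the "from" token, whatever the user part looks like.
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample log (not real traffic): one source hammering several
# accounts, one source with two failures, one successful key login that
# must not be counted, and an "Invalid user" line without a password attempt.
SAMPLE_AUTH_LOG='May 11 03:14:01 host sshd[4123]: Failed password for invalid user admin from 192.0.2.10 port 51612 ssh2
May 11 03:14:03 host sshd[4125]: Failed password for root from 192.0.2.10 port 51620 ssh2
May 11 03:14:05 host sshd[4127]: Failed password for invalid user test from 192.0.2.10 port 51631 ssh2
May 11 03:14:07 host sshd[4129]: Failed password for invalid user oracle from 192.0.2.10 port 51644 ssh2
May 11 03:20:44 host sshd[4210]: Accepted publickey for alice from 203.0.113.5 port 40122 ssh2
May 11 03:31:09 host sshd[4302]: Failed password for root from 198.51.100.7 port 33012 ssh2
May 11 03:31:12 host sshd[4304]: Failed password for invalid user guest from 198.51.100.7 port 33020 ssh2
May 11 03:40:00 host sshd[4350]: Invalid user pi from 198.51.100.7'

# Try it on the sample: only 192.0.2.10 reaches the threshold of 3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip 3
```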