Subject: Newbie with ssh-server running... Hacking attempts against me... - SSH


Thread: Subject: Newbie with ssh-server running... Hacking attempts against me...

  1. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    JD wrote:

    > On Sun, 11 May 2008 20:08:35 +0200, Sebastian G. wrote:
    >
    >> JD wrote:
    >>
    >>> You trust things more than I would if I suspected a successful compromise.

    >>
    >> The kernel is always the ultimate authority in the system. If it decides
    >> that root isn't the ueber-privileged user any more, it can enforce various
    >> limitations. One is that the kernel's logging facility is completely
    >> isolated, and all privileges that root could use to get access to kernel
    >> memory or compromising the kernel are removed. That is, root might still
    >> overwrite the privileges of any user, can change the system time, can debug
    >> other processes, can read disks in raw mode etc. but he can't load any
    >> drivers, do any kernel debugging, change the RTC time, write to the disk in
    >> raw mode, or bypass access checks on the kernel's files and objects.

    >
    > I understand what you mean now. We just differ on our definitions.
    I didn't claim that this model or approach is perfect or even a good idea.
    But it's a non-theoretical productive OS where in a certain configuration
    there simply is no ultimately powerful principal, and root is merely a
    normal user with some privileges to manage non-system stuff.

  2. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    On 2008-05-10 19:07:30 -0400, Santa Claus said:

    > Dear NG,
    >
    > Subject: Newbie with ssh-server running... Hacking attempts against
    > me... I hope this question is appropriate - My log says:
    - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
    of my servers in years.

    - You sounded like you can code in PERL. Write a script that changes
    your SSH port each day, or according to some date calculation you
    invent to a non-standard port and promulgate the port information
    inside your enterprise - this is easier than you think it is to do.

    - Consider rolling your hosts behind a firewall that can use knockd or
    something similar implementing a "knock, knock" protocol. This way, no
    ports need to be open unless you send the properly formatted packets to
    the right TCP ports in the right sequence in the right amount of time,
    then the port "opens up". I use my own algorithm with ICMP packets that
    contain cryptographic data that verifies to a limited degree the origin
    of the sender.

    - Be careful what information you share with the public in NG's and
    other places about your problem.

    - If you're using OS/X desktops, consider installing Little Snitch on
    them for some added security.

    /dmfh

    --
    _ __ _
    __| |_ __ / _| |_ 01100100 01101101
    / _` | ' \| _| ' \ 01100110 01101000
    \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx
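The "knock, knock" idea in the post above is the server-side check that a client hit the right ports in the right order within a bounded time before anything opens. The following is an added example (not code from the thread, and not knockd's implementation): a small tracker that consumes constructed (source, port, timestamp) events and reports which sources completed the sequence. The knock ports, the time window and the addresses are invented for illustration.

```python
"""Port-knock sequence verifier (added example, not from the thread or knockd).

Models the server-side rule the post describes: a source must hit the
configured TCP ports in order, inside a time window, before it is "opened".
Events are constructed inline; no sockets or firewall calls are made.
"""
from collections import defaultdict

# Assumed knock configuration (illustrative values, not from the post).
KNOCK_SEQUENCE = (7000, 8000, 9000)   # ports that must be hit, in this order
KNOCK_WINDOW = 5.0                    # seconds allowed for the whole sequence


class KnockTracker:
    """Tracks each source's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # source -> (index of next expected port, timestamp of first knock)
        self._state = defaultdict(lambda: (0, None))
        self.opened = set()

    def observe(self, src, port, ts):
        """Feed one connection attempt. Returns True when the sequence completes."""
        idx, start = self._state[src]
        if start is not None and ts - start > self.window:
            idx, start = 0, None          # too slow: forget partial progress
        if port == self.sequence[idx]:
            if idx == 0:
                start = ts                # first correct knock starts the clock
            idx += 1
            if idx == len(self.sequence):
                self.opened.add(src)
                self._state[src] = (0, None)
                return True
            self._state[src] = (idx, start)
        elif port == self.sequence[0]:
            self._state[src] = (1, ts)    # wrong port, but it is a fresh start
        else:
            self._state[src] = (0, None)  # wrong port resets progress entirely
        return False

    def is_open(self, src):
        return src in self.opened


# Constructed events: (source address, destination port, seconds since start).
SAMPLE_EVENTS = [
    ("198.51.100.7", 7000, 0.0),
    ("198.51.100.7", 8000, 1.0),
    ("198.51.100.7", 9000, 2.0),   # correct order inside the window: opens
    ("203.0.113.9", 7000, 0.0),
    ("203.0.113.9", 8000, 1.0),
    ("203.0.113.9", 9000, 9.0),    # last knock arrives after the window: no
    ("192.0.2.5", 7000, 0.0),
    ("192.0.2.5", 9000, 0.5),
    ("192.0.2.5", 8000, 1.0),      # wrong order: no
]


def replay(events, **cfg):
    """Run events through a tracker and return the set of sources that completed."""
    tracker = KnockTracker(**cfg)
    for src, port, ts in events:
        tracker.observe(src, port, ts)
    return tracker.opened


if __name__ == "__main__":
    print("opened:", sorted(replay(SAMPLE_EVENTS)))
```

The window check is what keeps a slow port scan from stumbling into the sequence: a scanner that eventually touches all three ports still fails unless it does so in order within the window.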


  3. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    On May 11, 7:33 am, Santa Claus wrote:
    > darkog wrote:
    > > There is an iptables trick you can use to easily address these
    > > attacks. Google it. These attacks are very common. Anyone that is
    > > running an Internet facing SSH server on port 22 will see these
    > > regularly.

    >
    > Something like this: http://www.newartisans.com/blog_file...h.iptables.php
    >
    > ?
    > ** Posted from http://www.teranews.com **


    sure. even this might help.

    http://forums.theplanet.com/lofivers...hp/t57628.html

    you have to test it to make sure it works. also make sure the "--
    limit" switch is actually available to you. on some systems, i
    remember i have had to recompile iptables to get it.

    as has been posted, it's an automated/scripted attack. probably with
    goal to gain access to box and use it to send SPAM. the logic being
    that there is probably someone out there in WWW-land that is using one
    of those weak username/password combos.

    if you want to keep this internet facing, will you also want to keep
    up to date with openssh security updates otherwise the attack vector
    expands to successful use of an openssh exploit/vulnerability.

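The iptables `--limit` / recent-match rules referenced in this reply throttle repeated connections per source in the kernel. What follows is an added example (not from the thread and not the linked iptables recipe) that does the equivalent counting in user space over sshd log lines, so you can see which sources are running the scripted username/password attack described above: it parses "Failed password" lines, keeps a per-source sliding window, and reports sources that reach a threshold. The log lines, hostnames, usernames and addresses are constructed; the line format mirrors typical syslog output from OpenSSH, and the year is assumed because classic syslog timestamps omit it.

```python
"""Sliding-window brute-force detector for sshd auth log lines.

Added example, not code from the thread. Mirrors in user space what an
iptables --limit / recent rule does in the kernel: count SSH failures per
source inside a time window and flag sources that exceed a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Typical syslog + sshd "Failed password" line. Classic syslog has no year,
# so one is assumed when parsing (2008 here, matching the thread's dates).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ASSUMED_YEAR = 2008

# Constructed sample log: one source cycling through dictionary usernames,
# one legitimate user with a single typo.
SAMPLE_LOG = """\
May 10 18:59:01 box sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
May 10 18:59:03 box sshd[4013]: Failed password for invalid user test from 198.51.100.23 port 40130 ssh2
May 10 18:59:04 box sshd[4015]: Failed password for root from 198.51.100.23 port 40135 ssh2
May 10 18:59:06 box sshd[4017]: Failed password for invalid user oracle from 198.51.100.23 port 40140 ssh2
May 10 18:59:08 box sshd[4019]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
May 10 19:04:30 box sshd[4021]: Failed password for alice from 192.0.2.10 port 51004 ssh2
May 10 19:20:00 box sshd[4023]: Failed password for invalid user guest from 198.51.100.23 port 40200 ssh2
"""


def parse_failures(text, year=ASSUMED_YEAR):
    """Yield (datetime, user, ip) for each failed-password line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def offending_sources(text, threshold=4, window_seconds=60, year=ASSUMED_YEAR):
    """Return {ip: (peak failures in any window, sorted usernames tried)} for
    every source that reached `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted (all time)
    peak = defaultdict(int)       # ip -> largest window count seen
    for ts, user, ip in parse_failures(text, year):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: (peak[ip], sorted(users[ip]))
            for ip in peak if peak[ip] >= threshold}


if __name__ == "__main__":
    for ip, (hits, names) in offending_sources(SAMPLE_LOG).items():
        print(f"{ip}: {hits} failures in window, users tried: {', '.join(names)}")
```

The username list is the useful signal: a single source walking through admin, test, root and oracle in a few seconds is the scripted attack the reply describes, while one failure from a known user is just a typo, and the threshold keeps the second from being flagged.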
  4. Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

    Digital Mercenary For Honor wrote:
    > On 2008-05-10 19:07:30 -0400, Santa Claus said:
    >
    >> Dear NG,
    >>
    >> Subject: Newbie with ssh-server running... Hacking attempts against
    >> me... I hope this question is appropriate - My log says:

    >
    >
    > - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
    > of my servers in years.


    Yes, I read that's a really good idea...

    > - You sounded like you can code in PERL. Write a script that changes


    I can code in many languages - though not really in Perl - I want to
    learn it however...

    > your SSH port each day, or according to some date calculation you invent
    > to a non-standard port and promulgate the port information inside your
    > enterprise - this is easier than you think it is to do.


    Great idea... This could be my first real perl-project, after having
    done some tutorials... It sounds like I can do that (I think it should
    be easy in perl)...

    > - Consider rolling your hosts behind a firewall that can use knockd or
    > something similar implementing a "knock, knock" protocol. This way, no
    > ports need to be open unless you send the properly formatted packets to
    > the right TCP ports in the right sequence in the right amount of time,
    > then the port "opens up". I use my own algorithm with ICMP packets that
    > contain cryptographic data that verifies to a limited degree the origin
    > of the sender.


    Wow... Great idea - exactly what I was looking for... Thanks a lot...

    > - Be careful what information you share with the public in NG's and
    > other places about your problem.


    I know... I believe nobody should even be able to see my IP when posting
    through teranews...

    > - If you're using OS/X desktops, consider installing Little Snitch on
    > them for some added security.


    Thanks... I'll consider that...


    ** Posted from http://www.teranews.com **
