(Where) should I report breakin attempts? - SSH


Thread: (Where) should I report breakin attempts?

  1. Re: (Where) should I report breakin attempts?

    Greetings.

    In article , Nico
    Kadel-Garcia wrote:
    >> I sometimes visit places which use ancient computers or dumb
    >> terminals with no USB or memory stick port. Cutting off password
    >> access is not an option.

    >
    > Can you set up OPIE or another similar one-time-password setup? I used to
    > find it very useful in a particularly poor security environment, to force
    > an additional user-specific one-time-password step before accepting their
    > real password from offsite.


    I don't think it's worth the trouble. My machine is a single-user system
    (just me) and my password is a long string of random characters.

    Regards,
    Tristan

    --
    _
    _V.-o Tristan Miller [en,(fr,de,ia)] >< Space is limited
    / |`-' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-= <> In a haiku, so it's hard
    (7_\\ http://www.nothingisreal.com/ >< To finish what you

  2. Re: (Where) should I report breakin attempts?

    On Thu, 08 Jun 2006 03:53:25 +0100, Tristan Miller wrote:

    >Greetings.
    >
    >In article <7hee82ptfamjnglu39g0f40o91fa76hfsg@4ax.com>, Grant wrote:
    >
    >> On Wed, 07 Jun 2006 14:44:58 -0500, ibuprofin@painkiller.example.tld (Moe
    >> Trin) wrote:
    >>
    >> [locking out roughly by region]
    >>
    >> I ran a check of ssh login attempts to (closed) port 22 here since
    >> last September:
    >>
    >> ~# ls -rt /var/log/messages.*.gz |xargs zcat |grep "DPT=22 "| \
    >> sed 's/^.*SRC=\([0-9.]*[^ ]\).*$/\1/'|sortip|uniq|xargs -n 1 ccfind|\
    >> awk '{split($0,k,":");print k[3]}'|sort|uniq -c|sort -nr|head -10
    >> 226 China
    >> 109 Korea, South
    >> 91 United States
    >> 48 Taiwan
    >> 22 Japan
    >> 17 India
    >> 17 Hong Kong
    >> 11 Germany
    >> 8 Thailand
    >> 7 France

    >
    >Ooh, pretty. I want to do the same thing; what are sortip and ccfind and
    >where does one get them?


    sortip:
    #!/bin/sh
    # sort by numeric IP address
    # --Laurenz Albe on A.O.L.S. Wed, 9 Mar 2005 16:00:37 +0000 (UTC)
    #
    sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4

    ccfind: a demo 'ad hoc' query script to ip2c-server, which is part of the
    junkview project, see: GPLv2

    Some awk and bash scripts for iptables log monitoring.

    Grant.
    --
    But Linux grew from humble and stupid roots.

    Linus -- lkml 24 Apr 2006
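    The pipeline Grant quotes depends on two local helpers, so as an added example (not Grant's script or the junkview project's code) here is the same report written as self-contained POSIX sh: the numeric IP sort that sortip performs is inlined as a function, and the count is per source address instead of per country, since the ip2c country lookup is not reproduced. The log lines are constructed in the iptables LOG format with documentation addresses; the names sortip, top_ssh_sources and report_sample are this example's own.

```shell
#!/bin/sh
# Added example: count the source addresses of connection attempts to TCP/22
# in iptables LOG lines.  Not the thread's script; names and data are assumed.

# Numeric sort on the four dotted-quad fields (what the sortip script does).
# A plain lexical sort would put 10.0.0.10 before 10.0.0.9 and 9.x after 10.x.
sortip() {
    sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4
}

# Read LOG lines on stdin, keep only packets aimed at port 22, pull out the
# SRC= address, and print "count address", busiest source first.
# The trailing space in 'DPT=22 ' keeps DPT=2222 from matching.
top_ssh_sources() {
    grep 'DPT=22 ' \
    | sed 's/^.*SRC=\([0-9.]*\).*$/\1/' \
    | sortip \
    | uniq -c \
    | sort -nr
}

# Constructed sample: five probes of port 22 from three addresses, plus one
# connection to port 2222 that must not be counted.
SAMPLE_LOG='Jun  7 02:13:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=22 SYN
Jun  7 02:13:51 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=22 SYN
Jun  7 02:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41240 DPT=22 SYN
Jun  7 02:14:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41251 DPT=22 SYN
Jun  7 02:15:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=52009 DPT=2222 SYN
Jun  7 02:15:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=22 SYN'

# Run the report over the constructed sample.  On a real host replace the
# printf with:  ls -rt /var/log/messages.*.gz | xargs zcat | top_ssh_sources
report_sample() {
    printf '%s\n' "$SAMPLE_LOG" | top_ssh_sources
}

report_sample
```

The first line of the sample report is `3 203.0.113.9`; the two single-hit sources follow in an order that depends on how the local `sort` breaks ties. Feed the real rotated logs in oldest-first order, as the quoted `ls -rt` does, and the per-address counts are unaffected by ordering anyway.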

  3. Re: (Where) should I report breakin attempts?

    dagon@dagon.net (Mark Rafn) writes:

    >>>>Make sure your passwords are strong. And then forget about it.


    >>> I'd say make sure you allow only keyed SSH access and no password access
    >>> and then forget about it.


    >Dave (from the UK) wrote:
    >>Ignoring the obvious problem of someone cracking your password, which if
    >>it is strong will not happen, is keyed ssh actually any more secure in
    >>practice?


    >Kinda, maybe. Both long PKs and decent passwords are good enough to
    >withstand dictionary attacks, especially if you limit attempts per minute.
    >However, public key connections are somewhat resistant to things like
    >keystroke monitors.


    >Say you're using portaputty from a USB dongle: a keystroke grabber might get
    >your key passphrase and everything you type during your session, including
    >your password if you used sudo or the root password if you used su. But
    >they still don't have your key, and can't ssh in with just your (or root's)
    >password).


    Look, if you have a keystroke monitor, then whoever installed it can
    install a rogue ssh as well, and capture everything, including your private
    key.
    Sure they can ssh in with just your or root's password, since they also
    have your private key, and the password that protects it.

    >--
    >Mark Rafn dagon@dagon.net


  4. Re: (Where) should I report breakin attempts?


    "Unruh" wrote in message
    news:e68hob$5h6$1@nntp.itservices.ubc.ca...

    > Look, if you have a keystroke monitor, then whoever installed it can
    > install a rogue ssh as well, and capture everything, including your
    > private
    > key.
    > Sure they can ssh in with just your or root's password, since they also
    > have your private key, and the password that protects it.


    They *can*, but it seems less likely. I've never seen a report of someone
    successfully doing that.



  5. Re: (Where) should I report breakin attempts?

    >
    >>>> I'd say make sure you allow only keyed SSH access and no password access
    >>>> and then forget about it.

    >
    >>Dave (from the UK) wrote:
    >>>Ignoring the obvious problem of someone cracking your password, which if
    >>>it is strong will not happen, is keyed ssh actually any more secure in
    >>>practice?


    >dagon@dagon.net (Mark Rafn) writes:
    >>Kinda, maybe. Both long PKs and decent passwords are good enough to
    >>withstand dictionary attacks, especially if you limit attempts per minute.
    >>However, public key connections are somewhat resistant to things like
    >>keystroke monitors.


    Unruh wrote:
    >Look, if you have a keystroke monitor, then whoever installed it can
    >install a rogue ssh as well, and capture everything, including your private
    >key.


    It's theoretically possible for anything to happen if you're running on a
    compromised machine. HOWEVER, I assert that there exist many more systems
    with a simple non-specific keylogger than there are systems with the much
    greater sophistication needed to trick you into thinking you're running your
    build of ssh off the dongle when you're really running the hacked version.

    That's the "kinda, maybe" part. I think it does make a class of attacks
    harder, and I assert that it's a class which is not uncommon in the wild. It
    does NOT close any theoretical attacks that I know of.
    --
    Mark Rafn dagon@dagon.net

  6. Re: (Where) should I report breakin attempts?

    On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:

    > Greetings.
    >
    > Most of the time my computers are behind a router/firewall that blocks port
    > 22, but occasionally I unblock it if I'm going somewhere and need to log
    > into my machines remotely. Whenever I do this I notice in
    > my /var/log/messages that some script kiddie is repeatedly connecting via
    > ssh and trying to guess usernames. The IP changes every time so I'm not
    > sure if it's just one guy using hijacked machines or different people.


    I see you have a few options:

    1. Use Key-login
    2. Use a different port
    3. Use IPTABLES to block all connections after x number of failed
    connections.

    It would be best to use all 3 of these options and then you would really
    be securing your system.


    --

    Regards
    Robert

    Smile... it increases your face value!



  7. Re: (Where) should I report breakin attempts?

    Robert wrote:
    > On Wed, 07 Jun 2006 02:06:31 +0100, Tristan Miller wrote:
    >
    >> Greetings.
    >>
    >> Most of the time my computers are behind a router/firewall that blocks port
    >> 22, but occasionally I unblock it if I'm going somewhere and need to log
    >> into my machines remotely. Whenever I do this I notice in
    >> my /var/log/messages that some script kiddie is repeatedly connecting via
    >> ssh and trying to guess usernames. The IP changes every time so I'm not
    >> sure if it's just one guy using hijacked machines or different people.

    >
    > I see you have a few options:
    >
    > 1. Use Key-login
    > 2. Use a different port
    > 3. Use IPTABLES to block all connections after x number of failed
    > connections.
    >
    > It would be best to use all 3 of these options and then you would really
    > be securing your system.
    >
    >


    FYI I am running my ssh server on a nonstandard port (way up high), and
    set the only authentication method allowed to be PubkeyAuthentication.
    In 6 months with this config, not one break-in attempt has been detected.


  8. Re: (Where) should I report breakin attempts?

    >> 3. Use IPTABLES to block all connections after x number of failed connections.

    Not advisable; it's setting yourself up for denial of service.

    john
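    The three measures Robert lists, and John's objection to the third, are easiest to weigh with the actual settings in front of you. The following is an added example, not anything posted in the thread: a POSIX sh script whose functions emit the sshd_config lines for key-only login on a non-default port and the iptables rules for a lockout after repeated connection attempts. The lockout uses the iptables `recent` match so that it is per source address and expires by itself, and it exempts an administrative address range; that is what keeps a flood of failed logins from locking out everyone, which is the denial-of-service exposure John refers to. Port 2222, the 60-second window, the hit count of 4 and the 192.0.2.0/24 admin range are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the thread.  Emits (does not apply) the settings
# for: key-only SSH login, a non-default port, and a per-source lockout.
# Port, window, hit count and admin network are assumed values.

# sshd_config lines: move the listener, refuse root, and allow only public
# key authentication so password guessing has nothing to guess against.
# ChallengeResponseAuthentication is disabled too, otherwise PAM can still
# prompt for a password through keyboard-interactive.
sshd_hardening_config() {
    cat <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
EOF
}

# iptables rules with the "recent" match.  Every new connection to the SSH
# port is recorded under the source address; a source that opened HITS or
# more connections in the last WINDOW seconds is dropped, and it recovers by
# itself once it stays quiet for WINDOW seconds.  Other sources are never
# affected, and ADMIN_NET is accepted before the counters are consulted, so a
# burst of attempts cannot lock the administrator out (assumed range).
ssh_ratelimit_rules() {
    port=${1:-2222}
    window=${2:-60}
    hits=${3:-4}
    admin_net=${4:-192.0.2.0/24}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -s $admin_net -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Number of rules emitted; useful when checking the generated set.
ssh_ratelimit_rule_count() {
    ssh_ratelimit_rules "$@" | wc -l | tr -d ' '
}

# Apply the firewall rules on a host (run as root).  Review the printed
# rules first, and keep an existing session open while testing the new port.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules "$@" | sh
}

# Print both sets for review; append the sshd lines to /etc/ssh/sshd_config
# and restart sshd, then run apply_ssh_ratelimit.
sshd_hardening_config
ssh_ratelimit_rules
```

Tune `window` and `hits` to your own habits: with the values above, four new connections from one address inside a minute trigger the drop, which a person retyping a passphrase rarely reaches but a guessing script reaches within seconds. Because the counter keys on the source address, the only party an attacker can lock out is its own address, unless it can spoof packets from yours; the exemption for the admin range covers the case where that range is where you actually log in from.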
