Need for new openSUSE users - Suse



Thread: Need for new openSUSE users

  1. Need for new openSUSE users

    If you intend to make a connection with ssh from the outside world, many
    people will tell you to place ssh on a different port. I personally think
    that is security through obscurity. You will however get a LOT of people
    trying to enter your port.

    This in itself is not a real problem. However it looks lousy on your
    logfiles.

    So what _I_ do is use blockhosts:
    http://www.aczoom.com/cms/blockhosts/download
    I just install the RPM and then I edit both /etc/blockhosts.cfg and
    /etc/hosts.allow

    In the first I add/change the following lines:
    COUNT_THRESHOLD = 3
    LOGFILES = [ "/var/log/messages", ]

    In the second I add the following lines:

    # permanent whitelist addresses - these should always be allowed access
    ALL: 127.0.0.1 : allow
    ALL: 192.168. : allow
    ALL: 194.109.21. : allow
    #---- BlockHosts Additions
    #---- BlockHosts Additions
    sshd : ALL: spawn /usr/bin/blockhosts.py & : allow

    This is everything. What I do is first do a `sudo tail -f
    /var/log/messages` (followed by a |ccze) and then do the rest, so that I
    can see the moment the thing goes online.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers
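Added example (not blockhosts' own code, nor anything from the thread): a small Python re-implementation of what the configuration above does, assuming blockhosts counts failures per source address and writes `ALL: <ip> : deny` lines between its two marker lines. The log lines and the `INVALID_USER_RE` pattern are constructed for the example; blockhosts ships its own pattern list.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (addresses from the RFC 5737
# documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
Sep 11 00:05:01 linux sshd[4711]: Invalid user admin from 203.0.113.7
Sep 11 00:05:03 linux sshd[4712]: Invalid user oracle from 203.0.113.7
Sep 11 00:05:05 linux sshd[4713]: Invalid user test from 203.0.113.7
Sep 11 00:05:07 linux sshd[4714]: Invalid user guest from 203.0.113.7
Sep 11 00:06:10 linux sshd[4720]: Invalid user admin from 198.51.100.9
Sep 11 00:06:12 linux sshd[4721]: Invalid user admin from 198.51.100.9
Sep 11 00:07:00 linux sshd[4730]: Invalid user root from 192.168.1.20
Sep 11 00:07:01 linux sshd[4731]: Invalid user root from 192.168.1.20
Sep 11 00:07:02 linux sshd[4732]: Invalid user root from 192.168.1.20
Sep 11 00:07:03 linux sshd[4733]: Accepted publickey for houghi from 194.109.21.5 port 50022 ssh2
"""

# The hosts.allow from the post, as it looks before blockhosts has written
# anything between its two marker lines.
HOSTS_ALLOW = """\
# permanent whitelist addresses - these should always be allowed access
ALL: 127.0.0.1 : allow
ALL: 192.168. : allow
ALL: 194.109.21. : allow
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd : ALL: spawn /usr/bin/blockhosts.py & : allow
"""

COUNT_THRESHOLD = 3                                   # as in the post's blockhosts.cfg
WHITELIST = ("127.0.0.1", "192.168.", "194.109.21.")  # the 'allow' patterns above
MARKER = "#---- BlockHosts Additions"

# One sshd failure pattern; an assumption for this example, blockhosts has its own list.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)")


def count_invalid_users(log_text):
    """Per-source count of 'Invalid user' lines (what grep | sort | uniq -c gives you)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def is_whitelisted(ip):
    """tcp_wrappers semantics: a pattern ending in '.' matches as a prefix."""
    return any(ip == w or (w.endswith(".") and ip.startswith(w)) for w in WHITELIST)


def hosts_to_block(counts, threshold=COUNT_THRESHOLD):
    """Sources at or above the threshold that are not covered by the whitelist."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_whitelisted(ip))


def render_hosts_allow(current, blocked):
    """Rewrite only the section between the two marker lines, keeping the rest.

    The deny lines must land BEFORE the 'sshd : ALL: spawn ... : allow' rule,
    because tcp_wrappers stops at the first matching line; the whitelist lines
    stay above the deny block for the same reason.
    """
    lines = current.splitlines()
    first = lines.index(MARKER)
    last = len(lines) - 1 - lines[::-1].index(MARKER)
    body = ["ALL: %s : deny" % ip for ip in blocked]
    return "\n".join(lines[:first + 1] + body + lines[last:]) + "\n"


if __name__ == "__main__":
    counts = count_invalid_users(SAMPLE_LOG)
    print(render_hosts_allow(HOSTS_ALLOW, hosts_to_block(counts)))
```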

  2. Re: Need for new openSUSE users

    On 2008-09-10, houghi wrote:
    > If you intend to make a connection with ssh from the outside world, many
    > people will tell you to place ssh on a different port. I personally think
    > that is security through obscurity. You will however get a LOT of people
    > trying to enter your port.
    >
    > This in itself is not a real problem. However it looks lousy on your
    > logfiles.
    >
    > So what _I_ do is use blockhosts:
    > http://www.aczoom.com/cms/blockhosts/download
    > I just install the RPM and then I edit both /etc/blockhosts.cfg and
    > /etc/hosts.allow
    >
    > In the first I add/change the following lines:
    > COUNT_THRESHOLD = 3
    > LOGFILES = [ "/var/log/messages", ]
    >
    > In the second I add the following lines:
    >
    > # permanent whitelist addresses - these should always be allowed access
    > ALL: 127.0.0.1 : allow
    > ALL: 192.168. : allow
    > ALL: 194.109.21. : allow
    > #---- BlockHosts Additions
    > #---- BlockHosts Additions
    > sshd : ALL: spawn /usr/bin/blockhosts.py & : allow
    >
    > This is everything. What I do is first do a `sudo tail -f
    > /var/log/messages` (followed by a |ccze) and then do the rest, so that I
    > can see the moment the thing goes online.


    This is what I do, too. I learned this probably from you a couple of
    years back

    There's one more thing I do here: I make it start at boot by cron.

    --
    Vahis
    http://waxborg.servepics.com
    Congressman Wilson has an expression:
    "You can teach them to type, but you can't teach them to grow tits."

  3. Re: Need for new openSUSE users

    Vahis wrote:
    > This is what I do, too. I learned this probably from you a couple of
    > years back
    >
    > There's one more thing I do here: I make it start at boot by cron.


    Why do you start it at boot by cron? There is no need for that. Each
    connection will speak to hosts.allow and that will trigger the program.
    That is the nice thing about this program: it is live.

    This means that there is no need to run it each minute. The disadvantages
    of running it each minute are that sometimes you get several hundred
    tries during a minute, so you miss those, and sometimes you run the
    program unneeded as there are no attacks.

    Running it (or something else) is cleaning up afterwards. That is
    reactive. What I do is proactive.

    Anyway, the reason I posted it was because I suddenly saw many of them
    coming in since I went back to ccze instead of using multitail.

    At this moment there are 114 hosts blocked. Yesterday there were 201. In
    my logfiles there were 3005 invalid user trials. The worst offenders
    and their amount of trials:

    547 62.168.59.67
    524 82.246.63.90
    213 87.252.127.133
    197 88.208.244.159
    142 131.178.6.7


    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  4. Re: Need for new openSUSE users

    houghi wrote:
    > Vahis wrote:
    >> This is what I do, too. I learned this probably from you a couple of
    >> years back
    >>
    >> There's one more thing I do here: I make it start at boot by cron.

    >
    > Why do you start it at boot by cron? There is no need for that. Each
    > connection will speak to hosts.allow and that will trigger the program.
    > That is the nice thing about this program: it is live.


    I prefer something that runs each minute rather than on-demand since
    that leaves a door open for a DoS attack. At least on server machines.

  5. Re: Need for new openSUSE users

    On 2008-09-11 00:05, houghi wrote:
    > If you intend to make a connection with ssh from the outside world, many
    > people will tell you to place ssh on a different port. I personally think
    > that is security through obscurity. You will however get a LOT of people
    > trying to enter your port.
    >
    > This in itself is not a real problem. However it looks lousy on your
    > logfiles.
    >
    > So what _I_ do is use blockhosts:
    > http://www.aczoom.com/cms/blockhosts/download
    > I just install the RPM and then I edit both /etc/blockhosts.cfg and
    > /etc/hosts.allow
    >
    > In the first I add/change the following lines:
    > COUNT_THRESHOLD = 3
    > LOGFILES = [ "/var/log/messages", ]
    >
    > In the second I add the following lines:
    >
    > # permanent whitelist addresses - these should always be allowed access
    > ALL: 127.0.0.1 : allow
    > ALL: 192.168. : allow
    > ALL: 194.109.21. : allow
    > #---- BlockHosts Additions
    > #---- BlockHosts Additions
    > sshd : ALL: spawn /usr/bin/blockhosts.py & : allow
    >
    > This is everything. What I do is first do a `sudo tail -f
    > /var/log/messages` (followed by a |ccze) and then do the rest, so that I
    > can see the moment the thing goes online.
    >
    > houghi


    I have China, Korea, Turkey blocked on all low ports, and a huge list of
    other netblocks or IP addresses I have too many attacks from.

    But the thing that protects me most is the change of sshd_config:
    PasswordAuthentication no


    So even if they guess user and password they don't get in without my private keys.

    I have my keys on my mobile so I can get in from remote machines by just untarring
    them into the account I use.

    Since I use PHP, I also make sure the webserver can't run commands like wget and
    curl to download scripts in case of a badly written form, and I use a /tmp mounted
    with noexec, just to stop the most common rootkits.

    You can't be too careful these days :-]

    /bb


  6. Re: Need for new openSUSE users

    Nikos Chantziaras wrote:
    > I prefer something that runs each minute rather than on-demand since
    > that leaves a door open for a DoS attack. At least on server machines.


    Each machine that is online with a service is a server machine. Say that
    somebody wants to DoS you. They will launch thousands of attacks at the
    same time.

    With my way, these thousands will be blocked after the third or fourth
    attempt, leaving all the others blocked.

    With your way, these thousands will be all still trying to enter and not
    be blocked for a minute. (OK, 30 seconds on average)

    So my way will get the adaptation of the hosts.allow (or hosts.deny if
    you prefer that) file some 30 seconds sooner, blocking the attempts 30
    seconds sooner.

    Also you need to understand what this does and why you use it. It is NOT
    an extra security layer. It is to keep your logfiles clean.
    If security is something you are after and/or DoS attacks on your ssh
    port, then you need to start to block all IP addresses and only
    whitelist those that you need (not want, need).

    Then you will have most likely only a few internal IP addresses and a few
    external ones. At a company where you have servers, I would expect you
    to have a hardware router that does part of this and a dedicated firewall
    that will deal with the rest. (Or a combination of both)

    Just take a look at your logfiles with as root `grep "Invalid user"
    /var/log/messages` and see how many attempts there are. Then figure out
    how many of each IP address there are. With me it is 4 as a maximum from
    now on.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  7. Re: Need for new openSUSE users

    bb wrote:
    > But the thing that protects me most is the change of sshd_config:
    > PasswordAuthentication no


    Please understand that what I proposed is NOT protection. It is to keep
    logfiles cleaner. It won't protect you from anything.

    I would suggest that for ssh you start whitelisting, instead of
    blacklisting. Also the countries you named are for this type just as
    average as any other country.

    These are attacks by zombies, not by dedicated machines. They can be
    anywhere in the world.

    For ssh security (and network security in general) you need other tools,
    because this isn't about security.

    Perhaps it is better to start a new thread about that.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  8. Re: Need for new openSUSE users

    On 2008-09-11 11:19, houghi wrote:
    > bb wrote:
    >> But the thing that protects me most is the change of sshd_config:
    >> PasswordAuthentication no

    >
    > Please understand that what I proposed is NOT protection. It is to keep
    > logfiles cleaner. It won't protect you from anything.
    >
    > I would suggest that for ssh you start whitelisting, instead of
    > blacklisting. Also the countries you named are for this type just as
    > average as any other country.
    >
    > These are attacks by zombies, not by dedicated machines. They can be
    > anywhere in the world.
    >
    > For ssh security (and network security in general) you need other tools,
    > because this isn't about security.
    >
    > Perhaps it is better to start a new thread about that.
    >
    > houghi


    ahhh, I did not read carefully (again) :-)

    ok, I can't use whitelisting since I have friends that use my machine
    as tunnel and they move around a bit, but you are right, that should be best.

    /bb

  9. Safe ssh (was: Need for new openSUSE users)

    bb wrote:
    > ok, I can't use whitelisting since I have friends that use my machine
    > as tunnel and they move around a bit, but you are right, that should be best.


    There used to be a list somewhere where the IP addresses can be found for
    both providers and countries. I believe somewhere on IANA.net. Those you
    can use to whitelist whatever you desire. e.g. if you know they only use
    5 different providers, look up what their ranges are and add those. If
    you know they only use them in a certain country, add those.

    What I used can most likely be used on top of whatever you are using.

    Now some theoretical mindgame. I remember a time where we had to give
    telnet connections to the server. Don't ask, it had to be telnet.

    So what we used was s-key. You would get a list of pass phrases that you
    used and that opened the connection. Once the phrase was used, it would
    become useless.

    Another option would be a website where they enter their login and
    password and that will whitelist that certain IP address. That way they
    can still connect from any machine.

    Obviously one thing does not exclude the other and they can be used next
    to each other.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  10. Re: Need for new openSUSE users

    Why not use the recently added rate limiting, as seen (on openSUSE 11.0)
    in /etc/sysconfig/SuSEfirewall2 lines 414-422?

    (and, of course, adding PermitRootLogin no, MaxAuthTries, and other
    appropriate entries to /etc/ssh/sshd_config.)

  11. Re: Need for new openSUSE users

    Gary Gapinski wrote:
    > Why not use the recently added rate limiting, as seen (on openSUSE 11.0)
    > in /etc/sysconfig/SuSEfirewall2 lines 414-422?
    >
    > (and, of course, adding PermitRootLogin no, MaxAuthTries, and other
    > appropriate entries to /etc/ssh/sshd_config.)


    First and foremost, could you tell me what the hell you are replying to? I
    have no idea if you are posting a new post or if this is a reply to
    whatever.

    Secondly, if you think it is a good idea, please elaborate. I looked at
    those lines and I saw nothing that had anything to do with what this
    thread is talking about.

    Thirdly, this thread is not about securing ssh or re-configuring ssh. It
    could just as well be about ftp or any other login service.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  12. Re: Need for new openSUSE users

    On 2008-09-11, houghi wrote:
    > Vahis wrote:
    >> This is what I do, too. I learned this probably from you a couple of
    >> years back
    >>
    >> There's one more thing I do here: I make it start at boot by cron.

    >
    > Why do you start it at boot by cron? There is no need for that. Each
    > connection will speak to hosts.allow and that will trigger the program.
    > That is the nice thing about this program: it is live.
    >
    > This means that there is no need to run it each minute. The disadvantages
    > of running it each minute are that sometimes you get several hundred
    > tries during a minute, so you miss those, and sometimes you run the
    > program unneeded as there are no attacks.


    I don't run it more than once at boot. Then it's alive and works just
    fine

    I've always thought that it needs to be started.
    It says this in the readme file:

    After the configuration is as you want it (see next section for
    Configuration), then run this program manually, usually as root:
    blockhosts.py --verbose
    (use --dry-run if you don't want any output file to be updated).

    So I've always done those steps after the initial install.
    Then I've added it to be executed at boot.

    Then I've forgotten about it, now this came back to me as I assembled
    the new machine and installed it again. Of course I didn't remember how
    to do it so I took my notes and did exactly as before.
    >
    > Running it (or something else) is cleaning up afterwards. That is
    > re-active. This what I do is pro-active.
    >
    > Anyway, the reason I posted it was because I suddenly saw many of them
    > coming in since I went back to ccze instead of using multitail.
    >
    > At this moment there are 114 hosts blocked. Yesterday there were 201. In
    > my logfiles there where 3005 invalid users trials. The worst offenders
    > and their amount of trials:
    >
    > 547 62.168.59.67
    > 524 82.246.63.90
    > 213 87.252.127.133
    > 197 88.208.244.159
    > 142 131.178.6.7


    Here's mine at the moment:


    --
    Vahis
    http://waxborg.servepics.com
    Congressman Wilson has an expression:
    "You can teach them to type, but you can't teach them to grow tits."

  13. Re: Need for new openSUSE users

    houghi wrote:
    > First and foremost, could you tell me what the hell you are replying to? I
    > have no idea if you are posting a new post or if this is a reply to
    > whatever.


    Your initial post starting the thread:

    Message-ID:

    was that to which I replied.

    Note the headers in my reply, particularly the In-Reply-To, References,
    and Subject headers:

    Path: uni-berlin.de!individual.net!not-for-mail
    From: Gary Gapinski
    Newsgroups: alt.os.linux.suse
    Subject: Re: Need for new openSUSE users
    Date: Thu, 11 Sep 2008 12:56:32 -0400
    Organization: We've heard of it
    Lines: 5
    Message-ID: <6it0tlFdgueU1@mid.individual.net>
    References:
    Mime-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Trace: individual.net S2zrQtHZzNA4iG1VYoQsKQbbG9k/ExIEvQAD/eEqxlOpVBXlfi
    Cancel-Lock: sha1:URagHPeDp/l3Q1ktRxmGPzbf0X8=
    User-Agent: Thunderbird 2.0.0.14 (X11/20080421)
    In-Reply-To:

    Perhaps your news reader (slrn?) does not thread properly? My reply, its
    referent, and your rejoinder, look properly threaded in my news reader
    (Thunderbird). Perhaps worthy of note, this message is in reply to
    Message-ID: , which contained the
    References but not the In-Reply-To header.

    I believe http://tools.ietf.org/html/rfc2076#section-3.6 is pertinent
    here, and in turn http://tools.ietf.org/html/rfc822#section-4.6.2.


    >
    > Secondly, if you think it is a good idea, please elaborate. I looked at
    > those lines and I saw nothing that had anything to do with what this
    > thread is talking about.


    SuSEfirewall2 now allows an easy way to specify rate limiting for
    arbitrary protocols. Rather than bolting on some additional software,
    one may wish to try specifying (e.g., for ssh) that rate limiting is to
    be applied by modifying the /etc/sysconfig/SuSEfirewall2 configuration file.

    One can, for example, observe line 416 and then change line 422 to read

    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    which will cause SSH TCP connect attempts (TCP SYNs to port 22),
    originating anywhere, in excess of 3 within the prior 60 seconds, to be
    dropped. This works quite well against brute force attacks.

    Due to a shortcoming in the script, I think that ssh should _not_ also
    appear in FW_CONFIGURATIONS_EXT.

    Lines 414-422 are, at least on my openSUSE v11 system, as follows:

    # Example:
    # Allow max three ssh connects per minute from the same IP address:
    # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    #
    # The special value _rpc_ is recognized as protocol and means that dport is
    # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
    # details.
    #
    FW_SERVICES_ACCEPT_EXT=""

    which, while perhaps less than totally obvious, seems as well not
    entirely devoid of information.

    >
    > Thirdly, this thread is not about securing ssh or re-configuring ssh. It
    > could just as well be about ftp or any other login service.


    The thread, which you started, seemed to address blocking unwanted
    network connections, using ssh as an example. Rate limiting based on
    iptables' "recent" capability seemed pertinent, and protocol agnostic,
    particularly since Herr Nussel has been kind enough to make it very
    easily configurable using the standard openSUSE firewall (see
    http://archive.cert.uni-stuttgart.de.../msg00005.html
    for more context).
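An added model (written for this page, not taken from SuSEfirewall2 or from the poster) of what the `hitcount=3,blockseconds=60` setting does, assuming it expands to the usual `-m recent --update --seconds 60 --hitcount 3 -j DROP` followed by `-m recent --set -j ACCEPT`. It shows the fourth SYN in a minute being dropped, what happens once a source goes quiet, and that a source which keeps retrying keeps itself blocked because every dropped SYN refreshes its entry.

```python
from collections import defaultdict, deque


class RecentLimiter:
    """Model of the iptables 'recent' match behind
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh".

    Assumed rule pair (not lifted from the SuSEfirewall2 script):
      -p tcp --dport 22 --syn -m recent --name ssh --update --seconds 60 --hitcount 3 -j DROP
      -p tcp --dport 22 --syn -m recent --name ssh --set -j ACCEPT
    A SYN is judged on the timestamps already recorded for its source and is
    then recorded itself either way: --update refreshes the entry when the DROP
    rule matches, --set adds a stamp when the ACCEPT rule matches.
    """

    def __init__(self, hitcount=3, seconds=60, list_tot=20):
        self.hitcount = hitcount
        self.seconds = seconds
        # xt_recent keeps a bounded ring of stamps per address; deque(maxlen)
        # evicts the oldest stamp the same way.
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def syn(self, src, now):
        """Verdict for one SYN to port 22 from src at time now (seconds)."""
        within = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        verdict = "DROP" if within >= self.hitcount else "ACCEPT"
        self.stamps[src].append(now)
        return verdict


def simulate(events, **limits):
    """events: (time, src) pairs; returns (time, src, verdict) in time order."""
    lim = RecentLimiter(**limits)
    return [(t, src, lim.syn(src, t)) for t, src in sorted(events)]


def verdicts(results, src):
    """Just the verdict list for one source, in order."""
    return [v for _, s, v in results if s == src]


def burst_then_quiet():
    """Four SYNs in four seconds, then one more 70 s later: the fourth is
    dropped; the late one is accepted because nothing is left in the window."""
    return simulate([(0, "A"), (1, "A"), (2, "A"), (3, "A"), (73, "A")])


def hammering():
    """A source retrying every 10 s: from the fourth SYN on it is dropped, and
    since --update refreshes the entry on every dropped SYN it stays dropped
    as long as it keeps trying; the 60 s only start counting from its last SYN."""
    return simulate([(10 * i, "B") for i in range(12)])


def two_sources():
    """The list is per source address: a bot hammering port 22 does not touch
    a legitimate client that connects three times in the same minute."""
    return simulate([(i, "bot") for i in range(6)] + [(0, "me"), (20, "me"), (40, "me")])
```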

  14. Re: Need for new openSUSE users

    On Thu, 11 Sep 2008, in the Usenet newsgroup alt.os.linux.suse, in article
    , bb wrote:

    > houghi wrote:


    >> If you intend to make a connection with ssh from the outside world,
    >> many people will tell you to place ssh on a different port. I
    >> personaly think that is security through obscurity.


    Are you replacing authentication with knowing the right port? If you
    still require proper authentication, whether username/password, or
    RSA key, or similar, then this isn't "security through obscurity" - it's
    _ADDING_ more layers.

    >> You will however get a LOT of people trying to enter your port.


    s/people/zombies and skript-kiddiez/

    >> This in itself is not a real problem. However it looks lousy on your
    >> logfiles.


    whitelists

    >> So what _I_ do is use blockhosts:
    >> http://www.aczoom.com/cms/blockhosts/download


    yet another log watcher.

    >I have China, Korea, Turkey blocked on all low ports, and a huge list of
    >other netblocks or IP addresses I have too many attacks from.


    [compton ~]$ zgrep -c CN IP.ADDR/stats/[ALR]* | grep -v :0
    IP.ADDR/stats/APNIC.gz:1472
    [compton ~]$ zgrep -c KR IP.ADDR/stats/[ALR]* | grep -v :0
    IP.ADDR/stats/APNIC.gz:628
    IP.ADDR/stats/ARIN.gz:1
    [compton ~]$ zgrep -c TR IP.ADDR/stats/[ALR]* | grep -v :0
    IP.ADDR/stats/RIPE.gz:270
    [compton ~]$

    So, China has 1472 network IPv4 blocks, Korea has 629, and Turkey 270.
    Not many of those are adjacent, so that is going to be a lot of rules - or
    are you depending on rDNS?

    [compton ~]$ zgrep CN IP.ADDR/stats/APNIC.gz | cut -d' ' -f2 | cut -d'.'
    -f1 | sort -n | uniq -c | column
    43 58 34 117 68 124 1 167 75 210
    34 59 36 118 40 125 1 168 41 211
    38 60 70 119 1 134 1 169 64 218
    86 61 27 120 1 159 4 192 41 219
    27 114 43 121 1 161 1 198 16 220
    14 115 25 122 1 162 321 202 63 221
    50 116 44 123 1 166 95 203 64 222
    [compton ~]$ ^CN^KR
    zgrep KR IP.ADDR/stats/APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort -n
    | uniq -c | column
    15 58 8 120 1 141 1 161 83 210
    6 59 26 121 1 143 3 163 85 211
    1 60 23 122 4 147 2 164 10 218
    17 61 18 123 3 150 10 165 2 219
    23 114 27 124 2 152 4 166 10 220
    14 115 16 125 1 154 8 168 8 221
    14 116 1 128 1 155 2 169 7 222
    10 117 1 129 1 156 24 192
    12 118 1 134 1 157 35 202
    20 119 1 137 1 158 64 203
    [compton ~]$ zgrep TR IP.ADDR/stats/RIPE.gz | cut -d' ' -f2 | cut -d'.'
    -f1 | sort -n | uniq -c | column
    5 62 7 81 1 86 18 91 23 194
    11 77 3 82 2 87 4 92 38 195
    4 78 1 83 2 88 15 93 30 212
    6 79 3 84 4 89 4 94 22 213
    7 80 9 85 1 90 40 193 10 217
    [compton ~]$

    First octet of the IP address ranges and number of blocks they have,
    for China, Korea, and Turkey. That would be one shed-load of rules.
    I find it easier to whitelist - only three lines in the firewall script
    rather than several thousand. But it's your CPU cycles - not mine.

    Old guy

  15. Re: Need for new openSUSE users

    Vahis wrote:
    > I've always thought that it needs to be started.
    > It says this in the readme file:
    >
    > After the configuration is as you want it (see next section for
    > Configuration), then run this program manually, usually as root:
    > blockhosts.py --verbose
    > (use --dry-run if you don't want any output file to be updated).


    This only needs to be done once. This is to search your logfile and add
    everything that is already there. No need to do it later as each thing
    will be added automatically.

    >> 547 62.168.59.67
    >> 524 82.246.63.90
    >> 213 87.252.127.133
    >> 197 88.208.244.159
    >> 142 131.178.6.7

    >
    > Here's mine at the moment:



    As I did the step above after a long time, I have some more. :-D

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  16. Re: Need for new openSUSE users

    Gary Gapinski wrote:
    > Your initial post starting the thread:
    >
    > Message-ID:
    >
    > was that to which I replied.


    And how should I know that, unless I look it up?

    > Perhaps your news reader (slrn?) does not thread properly?


    Oh, it does. It is just very common to quote correctly and not have the
    need to look and search. And I do know what the RFCs are. If you are so
    wise to know them as well, I am sure that you know that common courtesy
    on Usenet is to first lurk and then follow the generic rules of that
    group.

    In this group, the rule is to quote correctly. The correct way obviously
    is to quote inline and remove excessive text.

    > SuSEfirewall2 now allows an easy way to specify rate limiting for
    > arbitrary protocols. Rather than bolting on some additional software,
    > one may wish to try specifying (e.g., for ssh) that rate limiting is to
    > be applied by modifying the /etc/sysconfig/SuSEfirewall2 configuration file.


    I did not know that. Explaining that in your first posting might have
    helped.

    > One can, for example, observe line 416 and then change line 422 to read


    And here the confusion starts. The following line with me is on line 452

    > FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    >
    > which will cause SSH TCP connect attempts (TCP SYNs to port 22),
    > originating anywhere, in excess of 3 within the prior 60 seconds, to be
    > dropped. This works quite well against brute force attacks.
    >
    > Due to a shortcoming in the script, I think that ssh should _not_ also
    > appear in FW_CONFIGURATIONS_EXT.
    >
    > Lines 414-422 are, at least on my openSUSE v11 system, as follows:


    And on my openSUSE 11.0 they are on different lines. It is very common
    that different people have different orders.

    > which, while perhaps less than totally obvious, seems as well not
    > entirely devoid of information.


    I almost never go and read files, unless I have to be there. It is nice
    to know somebody does. It is indeed a nice way to block floods. The
    difference is that my way will block the IP address for a certain amount
    of time, while I think this will block things for 60 seconds. After the
    60 seconds, the counter starts again. At least that is how I read it.

    >> Thirdly, this thread is not about securing ssh or re-configuring ssh. It
    >> could just as well be about ftp or any other login service.

    >
    > The thread, which you started, seemed to address blocking unwanted
    > network connections, using ssh as an example.


    As I had no idea what you were referring to (some lines in some files,
    while mine did not read anything like that in those lines) I was just guessing.

    So please quote properly, don't assume that what you see is the same as
    what I see and elaborate.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  17. Re: Need for new openSUSE users

    Moe Trin wrote:
    > Are you replacing authentication with knowing the right port? If you
    > still require proper authentication, whether username/password, or
    > RSA key, or similar, then this isn't "security through obscurity" - it's
    > _ADDING_ more layers.


    To me those two are the same. Adding another layer is the same as
    security through obscurity. It could be that you and the whole world
    think that what I think is wrong. It is however how I think, so let's
    not discuss it. ;-)

    >>> You will however get a LOT of people trying to enter your port.

    >
    > s/people/zombies and skript-kiddiez/


    Also all the same. I stand way above them. ;-D

    >>> This in itself is not a real problem. However it looks lousy on your
    >>> logfiles.

    >
    > whitelists


    No idea what you mean here.

    >>> So what _I_ do is use blockhosts:
    >>> http://www.aczoom.com/cms/blockhosts/download

    >
    > yet another log watcher.


    No, it isn't. The first time it does look at your logfiles, after that
    it looks at your connections. You could put the logfiles in /dev/null
    for all it cares (although I have no idea how it will cope with the
    first run)

    > So, China has 1472 network IPv4 blocks, Korea has 629, and Turkey 270.
    > Not many of those are adjacent, so that going to be a lot of rules - or
    > are you depending on rDNS?


    And then there are exceptions on some of them as well. I know of a
    Belgian company who had a C range and moved to Luxembourg and took the
    range with them, so that became an exception. I am sure if I know of
    such a case, it won't be the only one.

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  18. Re: Need for new openSUSE users

    houghi wrote:
    > If you intend to make a connection with ssh from the outside world, many
    > people will tell you to place ssh on a different port. I personally think
    > that is security through obscurity. You will however get a LOT of people
    > trying to enter your port.


    Security through obscurity IS a valid security mechanism. Sometimes
    it's not the best mechanism. Arguably you can look at a password
    as a security through obscurity scheme.

    >
    > This in itself is not a real problem. However it looks lousy on your
    > logfiles.


    ??? With nothing listening on port 22, you could just drop
    those messages right?

    >
    > So what _I_ do is use blockhosts:
    > http://www.aczoom.com/cms/blockhosts/download
    > I just install the RPM and then I edit both /etc/blockhosts.cfg and
    > /etc/hosts.allow
    >
    > In the first I add/change the following lines:
    > COUNT_THRESHOLD = 3
    > LOGFILES = [ "/var/log/messages", ]
    >
    > In the second I add the following lines:
    >
    > # permanent whitelist addresses - these should always be allowed access
    > ALL: 127.0.0.1 : allow
    > ALL: 192.168. : allow
    > ALL: 194.109.21. : allow
    > #---- BlockHosts Additions
    > #---- BlockHosts Additions
    > sshd : ALL: spawn /usr/bin/blockhosts.py & : allow
    >
    > This is everything. What I do is first do a `sudo tail -f
    > /var/log/messages` (followed by a |ccze) and then do the rest, so that I
    > can see the moment the thing goes online.


    So using blockhosts you can prevent attacks after 3 failed attempts within
    a period of time (if your messages are rotated for example, could
    be a relatively short period of time).

    Granted, most of the attacks are by bots... and it's VERY likely
    that their 1st 3 attempts will fail and blockhosts will work.

    But... they could get lucky....

    I'd use blockhosts TOGETHER with moving your port to an obscure
    location. That seems to be the wisest solution.

    Some might find having sshd spawn a python program to be
    disconcerting.

  19. Re: Need for new openSUSE users

    Chris Cox wrote:
    > Security through obscurity IS a valid security mechanism. Sometimes
    > it's not the best mechanism. Arguably you can look at a password
    > as a security through obscurity scheme.


    I do not call it a security mechanism. But let's not discuss it.

    >> This in itself is not a real problem. However it looks lousy on your
    >> logfiles.

    >
    > ??? With nothing listening on port 22, you could just drop
    > those messages right?


    With nothing listening on 22, there won't be any messages (on 22)

    > So using blockhosts you can prevent attacks after 3 failed attempts within
    > a period of time (if your messages are rotated for example, could
    > be a relatively short period of time).


    No, they do not prevent attacks. They keep your logfiles tidy.

    > Granted, most of the attacks are by bots... and it's VERY likely
    > that their 1st 3 attempts will fail and blockhosts will work.


    Indeed.

    > But... they could get lucky....


    Indeed, that is why I keep hammering that this is NOT a security
    feature. It is security through obscurity at best.

    > I'd use blockhosts TOGETHER with moving your port to an obscure
    > location. That seems to be the wisest solution.


    Obviously, because blockhosts is NOT a security feature and should not
    be seen as such.

    > Some might find having sshd spawn a python program to be
    > disconcerting.


    Some might find a connection disconcerting. ;-)

    houghi
    --
    You can have my keyboard ...
    if you can pry it from my dead, cold, stiff fingers

  20. Re: Need for new openSUSE users

    Chris Cox wrote:
    >houghi wrote:


    >> If you intend to make a connection with ssh from the outside
    >> world, many people will tell you to place ssh on a different
    >> port. I personally think that is security through obscurity. You
    >> will however get a LOT of people trying to enter your port.


    >Security through obscurity IS a valid security mechanism.
    >Sometimes it's not the best mechanism. Arguably you can look at a
    >password as a security through obscurity scheme.


    Only if you have weak passwords.

    Obscurity "works" by making changes to a few things so that they are
    not obvious. But for a small, finite set of possibilities, obscurity
    fails to provide security; especially when the bad guesses don't
    carry a penalty.

    The other option available, which works in part through obscurity,
    is port-knocking. A packet is sent to a high-port, resulting in the
    nominal ssh port being opened for a few seconds thereafter, to the
    source IP address of the knocking packet. Ports around the knock
    port should serve to un-knock; i.e. close the ssh port; frustrating
    port scans. Similarly, use several ports that have to be knocked in
    a secret sequence to open the ssh port.

    But port-knocking and similar obscurity can't be secret if the
    upstream is capable of sniffing activity; able to eavesdrop.

    Intelligence can be gathered not just from the content of the
    packets, but also from the timing and the paths.

    Complexity is also no substitute for security. Complex
    authentication is difficult to prove secure mathematically. Every
    part of the process introduces possible vulnerabilities.

    Security is a process. If the aim is to minimise log file sizes
    then that could frustrate future penetration analysis. Knowing the
    source-IP range of legitimate users is very useful at limiting ssh
    opens; but attempts to open the port from elsewhere ought still be
    logged as a dropped-packet at the firewall.

    Identification of the "bad guys" from such activity can be useful in
    e.g. also blacklisting SMTP access.
    --
    /"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
    \ / ASCII ribbon campaign | Science is the belief in
    X against HTML mail | the ignorance of the experts.
    / \ and postings | -- Richard Feynman
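The knock state machine described above, as an added model written for this page (not from the post; the port numbers, the `guard` width of the un-knock band and the open time are made up), including the behaviour of the ports around each knock port and the effect of a sequential port scan.

```python
class KnockDaemon:
    """Per-source port-knock state machine (constructed model).

    A source that hits the knock ports in the secret order gets the ssh port
    opened to it for open_seconds. Ports within `guard` of a knock port act as
    decoys: hitting one resets the sequence and closes ssh for that source, so
    a sequential scan that walks past a knock port un-knocks itself.
    """

    def __init__(self, sequence, open_seconds=5, guard=5):
        self.sequence = list(sequence)
        self.open_seconds = open_seconds
        self.guard = guard
        self.progress = {}    # src -> knocks of the sequence seen so far, in order
        self.open_until = {}  # src -> time at which the ssh rule for src expires

    def _is_decoy(self, port):
        return (port not in self.sequence
                and any(abs(port - k) <= self.guard for k in self.sequence))

    def knock(self, src, port, now):
        """Handle one packet from src to a non-ssh port. Returns True when the
        full sequence has just been completed."""
        done = self.progress.get(src, 0)
        if port == self.sequence[done]:
            done += 1
            if done == len(self.sequence):
                self.open_until[src] = now + self.open_seconds
                self.progress[src] = 0
                return True
        elif self._is_decoy(port):
            done = 0
            self.open_until.pop(src, None)  # un-knock: close ssh to this source
        elif port in self.sequence:
            done = 0                        # right port, wrong order: start over
        # any other port carries no information about the sequence and is ignored
        self.progress[src] = done
        return False

    def ssh_allowed(self, src, now):
        """Would a SYN to the ssh port from src be let through at time now?"""
        return now < self.open_until.get(src, float("-inf"))


def run_knocks(daemon, src, ports, start=0):
    """Send the ports one second apart; return whether ssh is open to src
    immediately afterwards."""
    t = start
    for p in ports:
        daemon.knock(src, p, t)
        t += 1
    return daemon.ssh_allowed(src, t)
```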
