hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20070116] More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about how to protect your server against ssh password guessing, see elsewhere in my blog. Apparently the topic came up again, for ssh and other services this time, and quite a number of people chimed in and mentioned their preferred solutions to the same old problem. Solutions fall into three categories: administrative settings, logfile-parsing, and PAM-based solutions.

Administrative policies that allow password-less (key-based) ssh logins only are something that needs some adjusting from users.

Most of the mentioned programs parse logfiles and then act on them. Among them are fail2ban, DenyHosts and a similar script, OSSEC, BlockHosts and a shell-based approach by Rhialto.

The latter post also mentions going the PAM way, which hooks right into the authentication framework and can detect repeated authentication failures best - at the place where they get detected first. This is implemented by the anti-bruteforce PAM module in pkgsrc/security/pam-af.

I guess that's some food for thought, and a lot of programs to do the job. Let's see what comes up in Jan 2008 for this topic... :-)

Update: Elad Efrat wrote me to say that server-side log parsing may not be such a good idea, as it has the potential to open up some nasty attacks; see this thread on the full-disclosure list. You've been warned!




[20061123] ssshfs success (Updated)
I've taken the existence of ssshfs as a reason for upgrading my kernel from the netbsd-4 branch (which will go through re-birth from -current soon anyways) to today's -current, and played with ssshfs a bit. As I didn't want to upgrade the full userland of the machine, I had to do a bit of a dance to get things going in src/obj/destdir, but after
  • chroot .../src/obj/destdir
  • cd .../src/obj/destdir/dev ; sh MAKEDEV all puffs
  • cd .../src/share/examples/puffs/ssshfs ; make
  • ./ssshfs i@remotemachine:/path/to/my/home /mnt
things work fine, and I can access my $HOME on the remote machine just like a local file (esp. from outside the chroot):
miyu% df | grep destdir
puffs:ssshfs  0 0 0   100%    /usr/src/obj/destdir/mnt
miyu% cd /usr/src/obj/destdir/mnt
miyu% ls
AdobeFnt.lst    OS                  bin     public_html
Desktop         OpenOffice.org1.1.0 in      tmp
...
miyu% ls -l .cshrc
-rw-r--r--  1 39068  2000  4706 Jun 16 01:01 .cshrc
miyu% head -2 .cshrc
# Default .cshrc fuer Solaris, Irix, ...
#
miyu% md5 .cshrc
MD5 (.cshrc) = 2ad1d2606a5678f312709a388376c2e5
miyu% ls -l test
ls: test: No such file or directory
miyu% date >test
miyu% ls -l test
-rw-r--r--  1 39068  2000  29 Nov 23 01:19 test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
miyu% vi test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
foobar
hubertf was here
miyu% rm test
miyu% cat test
cat: test: No such file or directory
miyu% 
Neat! I've found one bug when running stat(2) -- e.g. via ls -l -- on a symlink. ssshfs then hangs and the mounting process needs to be ^Cd, but I'm sure this is not a major problem.

Update: The cause of the hang was identified: I tried this against Solaris 9, which has an sshd that only supports SFTP File Transfer Protocol Version 2, but to properly handle symlinks Version 3 is needed. A check for the protocol version was added to report that the case can't be handled.




[20061123] Digest: ssshfs, NAMP VMware image, Segvguard, BSDtalk and a daemonic bag
OK, I'm too lazy to put this into separate items, so here's the stuff from today in one digest:
  • There was some progress on puffs, the userland filesystem stemming from last year's Google SoC, some time ago. More example userland filesystems are now available with sysctlfs and ssshfs, see src/share/examples/puffs.

    Rumours say that ssshfs works pretty well, which is a final reason to ditch the (abandoned first cut of the) netbsd-4 branch and make a -current kernel to play with this. BTW, for those wondering what ssshfs is, see ssshfs.c:

     * simple sshfs
     * (silly sshfs?  stupid sshfs?  snappy sshfs?  sucky sshfs?  seven sshfs???)
     * (sante sshfs?  severed (dreams) sshfs?  saucy sshfs?  sauerkraut sshfs?) 

  • People complained that there's no ready-made VMware image with NetBSD available, and this has changed now. The #NetBSD blog points at a NAMP (NetBSD + Apache + MySQL + PostgreSQL + PHP) image that has quite a lot of software installed in a 187MB image. See the arudius homepage for more information on NAMP.

  • Elad, chief security hacker of NetBSD's infrastructure, has proposed to add PaX Segvguard as yet another building block in NetBSD's security architecture:
         PaX Segvguard monitors the number of segfaults in a program
         per-user, in an attempt to detect on-going exploitation attempts
         and possibly prevent them.  One common attack PaX Segvguard can
         help mitigate is when an attacker tries to brute-force a function
         return address, when wanting to perform a return-to-lib attack.  

    See Elad's proposal for more details! Note that a start of the implementation is already in NetBSD-current, but that this is still work-in-progress.

  • BSDtalk did an interview with pkgsrc developer Johnny Lam (jlam@), it's available in mp3 and ogg.

  • Last, if you don't know what to wish for Xmas, there's something for the average BSD geek: a daemon-themed bag (which is probably not really authorized by the Daemon owner, but well).




[20060107] Fighting ssh password guessing attempts (Update #2)
If you've looked in your /var/log/authlog recently, it's likely that you've seen something like:
 Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.[...]
 Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13[...]
 Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13[...]
 Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.135[...]
 Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 220.135.88.151
 Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 220.135.88.151
 Dec 11 09:22:37 xxx sshd[27329]: Illegal user release from 220.135.88.151
 Dec 11 09:22:40 xxx sshd[22310]: Illegal user release from 220.135.88.151 
While I know that NetBSD will withstand those annoying attempts as long as accounts are protected by good passwords (or even better, SSH keys), I sometimes wish to lock out people doing those attempts.

And there's help, in the form of a blog article (found via the #NetBSD Community Blog) describing how to use pop-before-smtp and IPfilter to firewall those people into eternity. (As far as I understand, the pop-before-smtp thing is mostly used to emulate 'tail -f', so I dare say the meat of that article could be rewritten to only use tools that come with NetBSD. Any takers? Send URL! :)

Update: Ian Spray has taken the challenge and made a version that only uses tools that come with NetBSD. See his blog entry!

Update #2: Geert also brought this variant to my attention, which covers IPFilter, PF and IPFW (for FreeBSD, obviously). He found it in the BSDWiki.
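Since both this entry and the later "More fighting ssh password guessing attempts" update touch on acting on authlog lines, here is an added example (mine, not from any of the linked articles or tools) of the parsing step done carefully: the user name in "Illegal user ... from ..." is attacker-chosen, so the address is only taken from the anchored end of the line, validated, and checked against networks you never want blocked before an IPFilter rule is rendered. Log lines and addresses are constructed, and the interface name ne0 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of the authlog excerpt above; the addresses are
# documentation ranges.  The last line has a user name that itself contains " from <ip>".
SAMPLE_AUTHLOG = """\
Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 203.0.113.7
Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 203.0.113.7
Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 198.51.100.9
Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 198.51.100.9
Dec 11 09:22:40 xxx sshd[22310]: Accepted publickey for hubert from 192.0.2.5
Dec 11 09:22:43 xxx sshd[22311]: Illegal user admin from 10.0.0.1 from 203.0.113.7
"""

# The user name is untrusted, so the address is only ever taken from the end of the
# line; the optional " port N ssh2" suffix covers the format of newer sshd versions.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Illegal user|Invalid user) .*?"
    r" from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

# Networks a log-driven blocker must never touch, whatever the log says (assumed).
TRUSTED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

def source_of_failure(line, trusted=TRUSTED):
    """Offending IPv4 address of an auth-failure line, or None if unusable."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.IPv4Address(m.group(1))  # rejects octets above 255
    except ValueError:
        return None
    if any(addr in net for net in trusted):
        return None
    return str(addr)

def offenders(log_text, threshold=3, trusted=TRUSTED):
    """Failures per source address; only sources at or over threshold are returned."""
    counts = Counter(
        ip for ip in (source_of_failure(l, trusted) for l in log_text.splitlines()) if ip
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}

def ipf_block_rules(ips, iface="ne0"):
    """IPFilter rules (ipf.conf syntax) for the offenders; interface name is assumed."""
    return [f"block in quick on {iface} from {ip}/32 to any" for ip in sorted(ips)]
```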




[20050910] LDAP addition: storing SSH keys in LDAP
In response to my recent LDAP link, Eric Auge wrote me that he is maintaining a patch for OpenSSH which allows public key retrieval from an LDAP directory. There's even a patch for pkgsrc for it. Now I just need to find time to finish my Kerberos book and move to the LDAP book...



[20050512] The Potential for an SSH Worm
The OpenBSD Journal features an article that describes how an SSH worm could use known_hosts files and ssh keys not protected by passphrases to spread. The article is a summary of an MIT paper about protecting against such an attack, which was also recently addressed by security guru Bruce Schneier. Maybe it's really time to passphrase-protect ssh keys and start using ssh-agent!
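As an added check (mine, not from the article or the paper it summarizes), this audits the two things the summary names: private keys without a passphrase, in both the legacy PEM format and the openssh-key-v1 format, and known_hosts entries that are still in plain text, which is what OpenSSH's HashKnownHosts option addresses. The sample key files and known_hosts lines are constructed placeholders with no real key material.

```python
import base64
import struct
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\0"

# Constructed samples: key bodies are placeholders, not real key material.
UNPROTECTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n"
PROTECTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF\n\nMIIBogIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n"
KNOWN_HOSTS = "|1|hashed-salt=|hashed-host= ssh-rsa AAAA...\nhost.example.com,203.0.113.7 ssh-rsa AAAA...\n@revoked old.example.com ssh-rsa AAAA...\n"

def _ssh_string(buf, off):
    """Read one length-prefixed string from an openssh-key-v1 blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_protected(text):
    """True/False for a private key's passphrase protection, None if not a key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    if lines[0] == OPENSSH_HEADER:
        # New format: cipher name and KDF name follow the magic string directly.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return None
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    if lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM keys announce encryption in a Proc-Type header line.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
    return None

def plaintext_known_hosts(text):
    """Host names a worm could harvest: entries not hashed by HashKnownHosts."""
    hosts = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields or fields[0].startswith(("#", "|1|")):
            continue
        hosts.extend(fields[0].split(","))
    return hosts

def fake_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 file (header fields only, no key material) for the demo."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return f"{OPENSSH_HEADER}\n{base64.b64encode(body).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"
```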



[20050312] Article: Secure Batch Email with UUCP and SSH
Christophe Prevotaux describes how to move email back and forth using the Unix-to-Unix-Copy system over Secure Shell, which may be quite handy for longer periods of disconnected operation, e.g. when you're on a journey and only have Internet access every now and then. While the article primarily describes the setup of UUCP and Postfix on FreeBSD, there should be enough information in there to make it usable on NetBSD (as the article says). Now if only this would include details for a decent mailer ...




Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Copyright (c) Hubert Feyrer