[20070116]
|
More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about
how to protect your server against ssh password guessing, see
elsewhere in my blog.
Apparently the topic came up
again,
for ssh and other services this time,
and quite a number of people chimed in and mentioned their preferred
solutions to the same old problem. Solutions fall into three categories:
administrative settings, logfile-parsing, and PAM-based solutions.
Administrative policies to
using password-less ssh logins only is something that needs some adjusting
from users.
Most of the mentioned programs parse logfiles and then act on them.
Among them are
fail2ban,
denyhost and
a similar script,
OSsec,
blockhosts and
a shell-based approach by Rhialto.
The latter post also mentions going the PAM way, which hooks right
into the authentication framework and can detect repeated authentication
failures best - at the place where they get detected first. This is implemented by
the anti-bruteforce PAM module in pkgsrc/security/pam-af.
I guess that's some food for thoughts, and a lot of programs to do the job.
Let's see what comes up in Jan 2008 for this topic... :-)
Update:
Elad Efrat wrote me to tell that server site log parsing may not
be such a good idea as it has a potential to open up for some nasty attacks,
see this thread on the fulldisclosuer list. You've been warned!
[Tags: ids, ipfilter, networking, Security, ssh]
|
[20061123]
|
ssshfs success (Updated)
I've taken the existance of ssshfs as a reason for upgrading
my kernel from the netbsd-4 branch (which will go through
re-birth from -current soon anyways) to today's -current,
and played with ssshfs a bit. As I didn't want to upgrade the
full userland of the machine, I had to do a bit of a dance
to get things going in src/obj/destdir, but after
- chroot .../src/obj/destdir
- cd .../src/obj/destdir/dev ; sh MAKEDEV all puffs
- cd .../src/share/examples/puffs/ssshfs ; make
- ./ssshfs i@remotemachine:/path/to/my/home /mnt
things work fine, and I can access my $HOME on the remote machine
just like a local file (esp. from outside the chroot):
miyu% df | grep destdir
puffs:ssshfs 0 0 0 100% /usr/src/obj/destdir/mnt
miyu% cd /usr/src/obj/destdir/mnt
miyu% ls
AdobeFnt.lst OS bin public_html
Desktop OpenOffice.org1.1.0 in tmp
...
miyu% ls -l .cshrc
-rw-r--r-- 1 39068 2000 4706 Jun 16 01:01 .cshrc
miyu% head -2 .cshrc
# Default .cshrc fuer Solaris, Irix, ...
#
miyu% md5 .cshrc
MD5 (.cshrc) = 2ad1d2606a5678f312709a388376c2e5
miyu% ls -l test
ls: test: No such file or directory
miyu% date >test
miyu% ls -l test
-rw-r--r-- 1 39068 2000 29 Nov 23 01:19 test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
miyu% vi test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
foobar
hubertf was here
miyu% rm test
miyu% cat test
cat: test: No such file or directory
miyu%
Neat! I've found one bug when running stat(2) -- e.g. via ls -l --
on a symlink. ssshfs then hangs and the mounting process needs to
be ^Cd, but I'm sure this is not a major problem.
Update:
The cause of the hang was identified: I tried this against
Solaris 9, which has a sshd that only supports
the SFTP File Transport Protocol Version2, but to properly
handle symlinks Version 3 is needed. A check for the
protocol version was added, to indicate the case can't be
handled.
[Tags: puffs, ssh]
|
[20061123]
|
Digest: ssshfs, NAMP VMware image, Segvguard, BSDtalk and a daemonic bag
OK, I'm too lazy to put this into separate items, so here's
the stuff from today in one digest:
- There was some progress on puffs, the userland filesystem
stemming from last year's Google SoC, some time ago.
More example userland filesystems are now available with
sysctlfs and ssshfs, see
src/share/examples/puffs.
Rumours say that ssshfs works pretty well, which is
a final reason to ditch the (abandoned first cut of the) netbsd-4
branch and make a -current kernel to play with this. BTW, for those
wondering what ssshfs is, see
ssshfs.c:
* simple sshfs
* (silly sshfs? stupid sshfs? snappy sshfs? sucky sshfs? seven sshfs???)
* (sante sshfs? severed (dreams) sshfs? saucy sshfs? sauerkraut sshfs?)
- People complained that there's no ready-made VMware image
with NetBSD available, and this has changed now.
The #NetBSD blog
points at a
NAMP (NetBSD + Apache + MySQL + PostgreSQL + PHP)
image that has quite a lot of software installed in
187MB size. See the
arudius homepage
for more information on NAMP.
- Elad, chief security hacker of NetBSD's infrastructure has proposed
to add PaX Segvguard as yet another building stone in NetBSD's
security architecture:
PaX Segvguard monitors the number of segfaults in a program
per-user, in an attempt to detect on-going exploitation attempts
and possibly prevent them. One common attack PaX Segvguard can
help mitigate is when an attacker tries to brute-force a function
return address, when wanting to perform a return-to-lib attack.
See Elad's proposal
for more details! Note that a start of the implementation is
already
in NetBSD-current,
but that this is still work-in-progress.
- BSDtalk
did an interview with
pkgsrc developer Johnny Lam (jlam@), it's available in
mp3 and
ogg.
- Last, if you don't know what to wish for Xmas, there's something
for the average BSD geek: a
daemon-themed bag
(which is probably not really authorized by the Daemon owner,
but well).
[Tags: bsdtalk, images, puffs, Security, segvguard, ssh, vmware]
|
[20060107]
|
Fighting ssh password guessing attempts (Update #2)
If you've looked in your /var/log/authlog recently, it's likely that
you seem something like:
Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.[...]
Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13[...]
Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13[...]
Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.135[...]
Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 220.135.88.151
Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 220.135.88.151
Dec 11 09:22:37 xxx sshd[27329]: Illegal user release from 220.135.88.151
Dec 11 09:22:40 xxx sshd[22310]: Illegal user release from 220.135.88.151
While I know that NetBSD will withstand those annoying attempts as long
as accounts are protected by good passwords (or even better, SSH keys),
I sometimes wish to lock out people doing those attempts.
And there's help, in the form of a blog article
(found via the #NetBSD Community Blog)
describing
how to use pop-before-smtp and IPfilter
to firewall those people into eternity. (As far as I understand,
the pop-before-smtp thing is mostly used to emulate 'tail -f',
so I dare saying the meat of that article could be rewritten to only
use tools that come with NetBSD. Any takers? Send URL! :)
Update:
Ian Spray has taken the challenge and made a version
that only uses tools that come with NetBSD.
See his blog entry!
Update #2:
Geert also brought
this variant
to my attention, which convers IPFilter, PF and IPFW
(For FreeBSD, obviously). He found it in
the BSDWiki.
[Tags: ipfilter, networking, Security, ssh]
|
[20050910]
|
LDAP addition: storing SSH keys in LDAP
As response to my recent LDAP link, Eric Auge wrote me that
he has's maintaining a
patch for OpenSSH,
which allow public key retrieval from an LDAP directory.
There's even a
patch for pkgsrc for it.
Now I just need to find time to finish my Kerberos book and
move to the LDAP book...
[Tags: ldap, ssh]
|
[20050512]
|
The Potential for an SSH Worm
The OpenBSD journal features an
article
that describes how a SSH worm could use known_hosts files and
ssh-keys not protected by passwords to spread.
The article is a summary on a
MIT article about protecting against such an attack
that was also recently addressed by security guru
Bruce Schneier.
Maybe it's really time to password-protect ssh-keys and
start
using
ssh
agent!
[Tags: Security, ssh]
|
[20050312]
|
Article: Secure Batch Email with UUCP and SSH
Christophe Prevotaux describes how to move email back and forth using
the Unix-to-Unix-Copy system over Secure Shell, which may be quite
handy for larger periods of disconnected operation, e.g. when you're
on a journey and only have Internet access every now and then.
While the article
primarily describes the setup of UUCP and Postfix on FreeBSD,
there should be enough information in there to make it usable
on NetBSD (as the article says). Now if this would include details
for a decent mailer ...
[Tags: Articles, Security, ssh, uucp]
|
|
Tags: ,
2bsd,
34c3,
3com,
501c3,
64bit,
acl,
acls,
acm,
acorn,
acpi,
acpitz,
adobe,
adsense,
Advocacy,
advocacy,
advogato,
aes,
afs,
aiglx,
aio,
airport,
alereon,
alex,
alix,
alpha,
altq,
am64t,
amazon,
amd64,
anatomy,
ansible,
apache,
apm,
apple,
arkeia,
arla,
arm,
art,
Article,
Articles,
ascii,
asiabsdcon,
aslr,
asterisk,
asus,
atf,
ath,
atheros,
atmel,
audio,
audiocodes,
autoconf,
avocent,
avr32,
aws,
axigen,
azure,
backup,
balloon,
banners,
basename,
bash,
bc,
beaglebone,
benchmark,
bigip,
bind,
blackmouse,
bldgblog,
blog,
blogs,
blosxom,
bluetooth,
board,
bonjour,
books,
boot,
boot-z,
bootprops,
bozohttpd,
bs2000,
bsd,
bsdca,
bsdcan,
bsdcertification,
bsdcg,
bsdforen,
bsdfreak,
bsdmac,
bsdmagazine,
bsdnexus,
bsdnow,
bsdstats,
bsdtalk,
bsdtracker,
bug,
build.sh,
busybox,
buttons,
bzip,
c-jump,
c99,
cafepress,
calendar,
callweaver,
camera,
can,
candy,
capabilities,
card,
carp,
cars,
cauldron,
ccc,
ccd,
cd,
cddl,
cdrom,
cdrtools,
cebit,
centrino,
cephes,
cert,
certification,
cfs,
cgd,
cgf,
checkpointing,
china,
christos,
cisco,
cloud,
clt,
cobalt,
coccinelle,
codian,
colossus,
common-criteria,
community,
compat,
compiz,
compsci,
concept04,
config,
console,
contest,
copyright,
core,
cortina,
coverity,
cpu,
cradlepoint,
cray,
crosscompile,
crunchgen,
cryptography,
csh,
cu,
cuneiform,
curses,
curtain,
cuwin,
cvs,
cvs-digest,
cvsup,
cygwin,
daemon,
daemonforums,
daimer,
danger,
darwin,
data,
date,
dd,
debian,
debugging,
dell,
desktop,
devd,
devfs,
devotionalia,
df,
dfd_keeper,
dhcp,
dhcpcd,
dhcpd,
dhs,
diezeit,
digest,
digests,
dilbert,
dirhash,
disklabel,
distcc,
dmesg,
Docs,
Documentation,
donations,
draco,
dracopkg,
dragonflybsd,
dreamcast,
dri,
driver,
drivers,
drm,
dsl,
dst,
dtrace,
dvb,
ec2,
eclipse,
eeepc,
eeepca,
ehci,
ehsm,
eifel,
elf,
em64t,
embedded,
Embedded,
emips,
emulate,
encoding,
envsys,
eol,
espresso,
etcupdate,
etherip,
euca2ools,
eucalyptus,
eurobsdcon,
eurosys,
Events,
exascale,
ext3,
f5,
facebook,
falken,
fan,
faq,
fatbinary,
features,
fefe,
ffs,
filesystem,
fileysstem,
firefox,
firewire,
fireworks,
flag,
flash,
flashsucks,
flickr,
flyer,
fmslabs,
force10,
fortunes,
fosdem,
fpga,
freebsd,
freedarwin,
freescale,
freex,
freshbsd,
friendlyAam,
friendlyarm,
fritzbox,
froscamp,
fsck,
fss,
fstat,
ftp,
ftpd,
fujitsu,
fun,
fundraising,
funds,
funny,
fuse,
fusion,
g4u,
g5,
galaxy,
games,
gcc,
gdb,
gentoo,
geode,
getty,
gimstix,
git,
gnome,
google,
google-soc,
googlecomputeengine,
gpio,
gpl,
gprs,
gracetech,
gre,
groff,
groupwise,
growfs,
grub,
gumstix,
guug,
gzip,
hackathon,
hackbench,
hal,
hanoi,
happabsd,
Hardware,
hardware,
haze,
hdaudio,
heat,
heimdal,
hf6to4,
hfblog,
hfs,
history,
hosting,
hotplug,
hp,
hp700,
hpcarm,
hpcsh,
hpux,
html,
httpd,
hubertf,
hurd,
i18n,
i386,
i386pkg,
ia64,
ian,
ibm,
ids,
ieee,
ifwatchd,
igd,
iij,
image,
images,
imx233,
imx7,
information,
init,
initrd,
install,
intel,
interix,
internet2,
interview,
interviews,
io,
ioccc,
iostat,
ipbt,
ipfilter,
ipmi,
ipplug,
ipsec,
ipv6,
irbsd,
irc,
irix,
iscsi,
isdn,
iso,
isp,
itojun,
jail,
jails,
japanese,
java,
javascript,
jetson,
jibbed,
jihbed,
jobs,
jokes,
journaling,
kame,
kauth,
kde,
kerberos,
kergis,
kernel,
keyboardcolemak,
kirkwood,
kitt,
kmod,
kolab,
kvm,
kylin,
l10n,
landisk,
laptop,
laptops,
law,
ld.so,
ldap,
lehmanns,
lenovo,
lfs,
libc,
license,
licensing,
linkedin,
links,
linksys,
linux,
linuxtag,
live-cd,
lkm,
localtime,
locate.updatedb,
logfile,
logging,
logo,
logos,
lom,
lte,
lvm,
m68k,
macmini,
macppc,
macromedia,
magicmouse,
mahesha,
mail,
makefs,
malo,
mame,
manpages,
marvell,
matlab,
maus,
max3232,
mbr95,
mbuf,
mca,
mdns,
mediant,
mediapack,
meetbsd,
mercedesbenz,
mercurial,
mesh,
meshcube,
mfs,
mhonarc,
microkernel,
microsoft,
midi,
mini2440,
miniroot,
minix,
mips,
mirbsd,
missile,
mit,
mixer,
mobile-ip,
modula3,
modules,
money,
mouse,
mp3,
mpls,
mprotect,
mtftp,
mult,
multics,
multilib,
multimedia,
music,
mysql,
named,
nas,
nasa,
nat,
ncode,
ncq,
ndis,
nec,
nemo,
neo1973,
netbook,
netboot,
netbsd,
netbsd.se,
nethack,
nethence,
netksb,
netstat,
netwalker,
networking,
neutrino,
nforce,
nfs,
nis,
npf,
npwr,
nroff,
nslu2,
nspluginwrapper,
ntfs-3f,
ntp,
nullfs,
numa,
nvi,
nvidia,
nycbsdcon,
office,
ofppc,
ohloh,
olimex,
olinuxino,
olpc,
onetbsd,
openat,
openbgpd,
openblocks,
openbsd,
opencrypto,
opendarwin,
opengrok,
openmoko,
openoffice,
openpam,
openrisk,
opensolaris,
openssl,
or1k,
oracle,
oreilly,
oscon,
osf1,
osjb,
paas,
packages,
pad,
pae,
pam,
pan,
panasonic,
parallels,
pascal,
patch,
patents,
pax,
paypal,
pc532,
pc98,
pcc,
pci,
pdf,
pegasos,
penguin,
performance,
pexpect,
pf,
pfsync,
pgx32,
php,
pie,
pike,
pinderkent,
pkg_install,
pkg_select,
pkgin,
pkglint,
pkgmanager,
pkgsrc,
pkgsrc.se,
pkgsrccon,
pkgsrcCon,
Platforms,
plathome,
pleiades,
pocketsan,
podcast,
pofacs,
politics,
polls,
polybsd,
portability,
posix,
postinstall,
power3,
powernow,
powerpc,
powerpf,
pppoe,
precedence,
preemption,
prep,
presentations,
prezi,
Products,
products,
proplib,
protectdrive,
proxy,
ps,
ps3,
psp,
psrset,
pthread,
ptp,
ptyfs,
Publications,
puffs,
puredarwin,
pxe,
qemu,
qnx,
qos,
qt,
quality-management,
quine,
quote,
quotes,
r-project,
ra5370,
radio,
radiotap,
raid,
raidframe,
rants,
raptor,
raq,
raspberrypi,
rc.d,
readahead,
realtime,
record,
refuse,
reiserfs,
Release,
releases,
Releases,
releng,
reports,
resize,
restore,
ricoh,
rijndael,
rip,
riscos,
rng,
roadmap,
robopkg,
robot,
robots,
roff,
rootserver,
rotfl,
rox,
rs323,
rs6k,
rss,
ruby,
rump,
rzip,
sa,
safenet,
san,
sata,
savin,
sbsd,
scampi,
scheduler,
scheduling,
schmonz,
sco,
screen,
script,
sdf,
sdtemp,
secmodel,
security,
Security,
sed,
segvguard,
seil,
sendmail,
serial,
serveraptor,
sfu,
sge,
sgi,
sgimips,
sh,
sha2,
shark,
sharp,
shisa,
shutdown,
sidekick,
size,
slackware,
slashdot,
slides,
slit,
smbus,
smp,
sockstat,
soekris,
softdep,
softlayer,
software,
solaris,
sony,
sound,
source,
source-changes,
spanish,
sparc,
sparc64,
spider,
spreadshirt,
spz,
squid,
ssh,
sshfs,
ssp,
statistics,
stereostream,
stickers,
storage,
stty,
studybsd,
subfile,
sudbury,
sudo,
summit,
sun,
sun2,
sun3,
sunfire,
sunpci,
support,
sus,
suse,
sushi,
susv3,
svn,
swcrypto,
symlinks,
sysbench,
sysctl,
sysinst,
sysjail,
syslog,
syspkg,
systat,
systrace,
sysupdate,
t-shirt,
tabs,
talks,
tanenbaum,
tape,
tcp,
tcp/ip,
tcpdrop,
tcpmux,
tcsh,
teamasa,
tegra,
teredo,
termcap,
terminfo,
testdrive,
testing,
tetris,
tex,
TeXlive,
thecus,
theopengroup,
thin-client,
thinkgeek,
thorpej,
threads,
time,
time_t,
timecounters,
tip,
tk1,
tme,
tmp,
tmpfs,
tnf,
toaster,
todo,
toolchain,
top,
torvalds,
toshiba,
touchpanel,
training,
translation,
tso,
tty,
ttyrec,
tulip,
tun,
tuning,
uboot,
ucom,
udf,
ufs,
ukfs,
ums,
unetbootin,
unicos,
unix,
updating,
upnp,
uptime,
usb,
usenix,
useradd,
userconf,
userfriendly,
usermode,
usl,
utc,
utf8,
uucp,
uvc,
uvm,
valgrind,
vax,
vcfe,
vcr,
veriexec,
vesa,
video,
videos,
virtex,
virtualization,
vm,
vmware,
vnd,
vobb,
voip,
voltalinux,
vpn,
vpnc,
vulab,
w-zero3,
wallpaper,
wapbl,
wargames,
wasabi,
webcam,
webfwlog,
wedges,
wgt624v3,
wiki,
willcom,
wimax,
window,
windows,
winmodem,
wireless,
wizd,
wlan,
wordle,
wpa,
wscons,
wstablet,
X,
x.org,
x11,
x2apic,
xbox,
xcast,
xen,
Xen,
xfree,
xfs,
xgalaxy,
xilinx,
xkcd,
xlockmore,
xmms,
xmp,
xorg,
xscale,
youos,
youtube,
zaurus,
zdump,
zfs,
zlib
'nuff.
Grab the RSS-feed,
index,
or go back to my regular NetBSD page
Disclaimer: All opinion expressed here is purely my own.
No responsibility is taken for anything.