You are not logged in.

#26 2005-05-06 23:48:16

elasticdog
Member
From: Washington, USA
Registered: 2005-05-02
Posts: 995
Website

Re: Tougher SSH

I've been doing some interesting reading lately about remote security and have come across some good information.  One program I'm interested in trying out is called Ostiary, however its purpose is only to allow a fixed set of commands remotely, rather than just open up a shell.  The page also has a good summary of the pros/cons of other techniques such as port knocking, Xringd, VPNs, etc.  Might at least give you some ideas...

Offline

#27 2005-05-07 00:17:28

i3839
Member
Registered: 2004-02-04
Posts: 1,185

Re: Tougher SSH

Ostiary looks interesting, although it has very limited abilities (at purpose). Pity you can't send an option with the commands, or at least some extra info like IP of the client to the program. Luckily it's probably very easy to add (less than 30 minutes work anyway).

That way you can run a script with Ostiary which edits sshd's config and the firewall rules so it only allows connections from your ip address. So with a tiny script you enable ssh with Ostiary, log in, and when done disable sshd again. To prevent man in the middle attacks Ostiary can be slightly changed so that it uses the client's ip address for the checksum too.

Though how paranoid you must be to do it this way I don't know. :-)

Offline

#28 2005-05-07 01:24:51

lanrat
Member
From: Poland
Registered: 2003-10-28
Posts: 1,274

Re: Tougher SSH

I've gave some propositions in the original "hacked?" thread including OPIE and Judd's knockd + some others.

Offline

#29 2005-05-07 04:19:33

joe
Member
From: Folsom, CA
Registered: 2004-07-27
Posts: 51
Website

Re: Tougher SSH

I get brute force attempts to log in all the time.  I guess hearing about phrakture's misfortunes got me a bit more concerned.

Anyways, after browsing around, I found this script which looks like it dynamically blacklists ips with too many failed login attempts.  I am just now trying it out, so I have yet to find out if it works.  Feel free to ssh to joeolivas.com to help me see if it works.  Try something like user 'arch', so I'll know it was a friendly breakin attempt  big_smile

Offline

#30 2005-05-07 07:29:09

sweiss
Member
Registered: 2004-02-16
Posts: 635

Re: Tougher SSH

joe wrote:

I get brute force attempts to log in all the time.  I guess hearing about phrakture's misfortunes got me a bit more concerned.

Anyways, after browsing around, I found this script which looks like it dynamically blacklists ips with too many failed login attempts.  I am just now trying it out, so I have yet to find out if it works.  Feel free to ssh to joeolivas.com to help me see if it works.  Try something like user 'arch', so I'll know it was a friendly breakin attempt  big_smile

Just tried to ssh 3 times to your server, it then blocked me completely. That's a nice idea. But don't most hackers use proxies or something so they can get a new IP at will?

EDIT: Looks like the script builders already thought of it.

Offline

#31 2005-05-07 09:55:44

joe
Member
From: Folsom, CA
Registered: 2004-07-27
Posts: 51
Website

Re: Tougher SSH

Sweet, nice to see it works.  Thanks for your help....

It's pretty nice, seems to help even for weak passwords, since even if it is weak, it would (most likely, unless your password is aardvark or something)take a lot more than 4 attempts to get it right...

Offline

#32 2005-05-07 10:04:06

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Tougher SSH

*hears the sound of many keys being pressed*


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#33 2005-05-08 18:57:11

sweiss
Member
Registered: 2004-02-16
Posts: 635

Re: Tougher SSH

joe wrote:

Sweet, nice to see it works.  Thanks for your help....

It's pretty nice, seems to help even for weak passwords, since even if it is weak, it would (most likely, unless your password is aardvark or something)take a lot more than 4 attempts to get it right...

I've just tried that script myself, and I noticed I don't have a file called /var/log/secure. Am I missing something here?

Offline

#34 2005-05-08 19:06:47

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Tougher SSH

Just change it to /var/log/auth.log. And change iptables path to /usr/sbin/iptables.

Offline

#35 2005-05-08 19:31:27

sweiss
Member
Registered: 2004-02-16
Posts: 635

Re: Tougher SSH

Ah, so that's where it was smile

Thanks a lot.

Offline

#36 2005-05-09 22:40:54

khazdar
Member
From: ohio
Registered: 2003-11-06
Posts: 123

Re: Tougher SSH

ChallengeResponseAuthentication=no
UsePAM yes
UseDNS no

What do these options do?

Offline

#37 2005-05-09 23:01:47

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Tougher SSH

khazdar wrote:

ChallengeResponseAuthentication=no
UsePAM yes
UseDNS no

What do these options do?

UsePAM...uses pam. This enforces /etc/security/limits and stuff on the ssh shell sessions. no forkbombing over ssh.
UseDNS disables reverse dns lookups. UseDNS could arguable add security, but not much...and I was having trouble with it taking bloody forever!
ChallengeResponseAuth is something that usepam enables, but I dont really want. So, I disabled it. Check man sshd_config for more information..

Back to securing ssh, you should use a password on your ssh keys, and then use ssh-agent and ssh-add to have your passphrase validated for the session. It is very nice, and adds security. Then you can use ssh key access only.

Does arch have ssh-agent setup in the X configs?


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#38 2005-05-10 14:32:48

neri
Forum Fellow
From: Victoria, Canada
Registered: 2003-05-04
Posts: 552

Re: Tougher SSH

cactus wrote:

Does arch have ssh-agent setup in the X configs?

The startxfce4  script brings in an ssh-agent automatically, it wraps a round
the xfc4-session iirc. Also gnome opens it AFAIK.
Anyway this shouldn't be up to the distro, I think, but up to the X-setup you use.
It depends heavily on your preferences. So you can use a session manager
or a window manager to be wrapped by the agent, some prefer to have only
the terminal wrapped which opens the connection... and so on.

-neri

Offline

#39 2005-05-12 22:29:49

Michel
Member
From: Belgium
Registered: 2004-07-31
Posts: 286

Re: Tougher SSH

Heya,

just found a journal about a way a worm could use ssh-info. Maybe some other info too ...

Here is the link: http://undeadly.org/cgi?action=article& … 0511163008

greetz,

Michel

Offline

Board footer

Powered by FluxBB