I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet, so I want to know a little more about those options under /etc/ssh/sshd_config. Thanks, Bruno
On Sunday 11 December 2005 23:41, Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet
If you mean the ones that have been much publicised recently, those have been brute force attacks against passwords. That's not an attack, it's just a silly waste-of-time nuisance that fills up your log. Just don't use bad passwords and you'll be safe against that particular "attack". If you mean something else, I'd like to know about it, so please give me a link where I can read about it.
On Sunday 11 December 2005 2:41 pm, Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet, so I want to know a little more about those options under /etc/ssh/sshd_config.
The options are pretty well documented in man 5 sshd_config. Most people seem to strongly recommend setting Protocol 2 instead of Protocol 1,2 and PermitRootLogin no instead of PermitRootLogin yes. You will also see many people recommending you change the default port from 22 to some high port number, but I'm not so sure that makes much of a difference.
Scott
-- POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/ Linux 2.6.11.4-21.9-default x86_64 SuSE Linux 9.3 (x86-64)
Hi again, If someone is using a script to probe port 22 of random machines, it probably does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to login remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it. Best, Jaime.
On Sunday 11 December 2005 3:27 pm, Jaime Santos wrote:
Hi again,
If someone is using a script to probe port 22 of random machines, it probably does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to login remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it.
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny). http://www.lumiere.net/~j/login_sentry/
Scott
Hi Scott, Yes, that is a good idea (using login_sentry). Presumably, if someone tries to do a portscan, it will also end up in hosts.deny. I used portsentry at some stage, but it was discontinued. I will give this one a try. Thanks. Best, Jaime.
I believe there's a program called sentry tools (port sentry, logcheck and host sentry) that could do the job, but I think this is obsolete and the version under sourceforge is old. Does anyone know where this can be found these days? Or is there any substitute? I want not only to monitor the sshd port but also other services running... Thanks, Bruno
Scott Leighton wrote:
On Sunday 11 December 2005 3:27 pm, Jaime Santos wrote:
Hi again,
If someone is using a script to probe port 22 of random machines, it probably does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to login remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it.
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
http://www.lumiere.net/~j/login_sentry/
Scott
Hi Bruno, That is correct, portsentry which drops any address from which a portscan is attempted into the hosts to be denied by the firewall, was, I believe, discontinued. This checked for portscans on all ports, not just port 22. I would also be interested to know if there is an updated alternative tool. Thanks. Best, Jaime.
A more amusing alternative is to move SSH to another port, and put the LaBrea tarpit on port 22 and any other commonly attacked ports (firewall module). Amusing but probably a bit irresponsible towards people who get to that port on your machine by accident.
-----Original Message----- From: Jaime Santos [mailto:jesantos@alexandre-santos.com] Sent: Monday, December 12, 2005 5:17 PM To: suse-security@suse.com Subject: Re: [suse-security] Openssh + security
Hi Bruno,
That is correct, portsentry which drops any address from which a portscan is attempted into the hosts to be denied by the firewall, was, I believe, discontinued. This checked for portscans on all ports, not just port 22.
I would also be interested to know if there is an updated alternative tool.
Thanks. Best, Jaime.
Hi, Hmm, not just irresponsible, but also illegal in the US, so watch out if you are travelling there ;-). I heard the conditions in US prisons are not particularly pleasant :-) ... Check this (somewhat outdated) article on the LaBrea tool: http://seclists.org/lists/isn/2003/Apr/0103.html I would tend to say that any passive countermeasures (such as a portsentry-like tool) are okay, any active countermeasures are a bad idea, or at least you are in swampy territory here... Best, Jaime.
Thanks for the reference. I'd forgotten about that small bit of panic. It's nice to live in a liberal democracy. I think that's an overstatement of the summary presented in the article referenced. "Possibly illegal" is the strongest you can get from it. Having said that, I'm fairly safe unless the CIA has taken to using extraordinary rendition for misdemeanours (fewer than 10 exposed gateways / firewalls) or to arresting relatives!

It's not clear that LaBrea is any more active than portsentry. As I understand it, all it does is to not complete the connection set-up exchange, but keep sending "wait-a-bit" responses as it has no resources to respond properly. Sounds fair enough to me. I don't allocate resources to opening non-invited connections. It's no more offensive than trying to see how long you can keep politicians talking on the doorstep, keeping phone salesmen talking, or posting unrequested free offers back to the sender without postage attached. I do all of those as well.

_____ From: Jaime Santos [mailto:jesantos@alexandre-santos.com] Sent: Monday, December 12, 2005 6:24 PM To: Admin; suse-security@suse.com Subject: Re: [suse-security] Openssh + security

Hi, Hmm, not just irresponsible, but also illegal in the US, so watch out if you are travelling there ;-). I heard the conditions in US prisons are not particularly pleasant :-) ... Check this (somewhat outdated) article on the LaBrea tool: http://seclists.org/lists/isn/2003/Apr/0103.html I would tend to say that any passive countermeasures (such as a portsentry-like tool) are okay, any active countermeasures are a bad idea, or at least you are in swampy territory here... Best, Jaime.
Admin wrote:
A more amusing alternative is to move SSH to another port, and put the LaBrea tarpit on port 22 and any other commonly attacked ports (firewall module).
I quite like this:

    summer@www:~$ cat /etc/xinetd.d/telnet
    # default: off
    # description: An internal xinetd service which gets the current system time
    # then prints it out in a format like this: "Wed Nov 13 22:30:27 EST 2002".
    # This is the tcp version.
    service telnet
    {
            disable     = no
            socket_type = stream
            protocol    = tcp
            user        = games
            wait        = no
            flags       = NAMEINARGS
            server      = /usr/sbin/tcpd
            server_args = /bin/false
    }
    summer@www:~$

with this:

    summer@www:~$ tail -4 /etc/hosts.deny
    false: ALL: spawn ((echo attack from %h;id -a) | \
            /usr/bin/mail -s %d-%h root) &
    summer@www:~$

Good places to attach it where the services are not otherwise engaged: telnet, ftp, ssh. There are probably better things to do than send email, but I just set this up as a POC; you can't actually trigger it because the firewall keeps you out.
The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
That list could grow very large. Also, if those attacks come from dynamic IPs, you could have a deny line for an IP that has changed owner, and now is an honest person, while the attacker is using a new one you do not have listed yet. I think I read in passing somewhere about an iptables rule to deny temporarily access to a certain IP; the rule is temporary and disappears after some time, freeing resources. But I don't know what it is.
-- Cheers, Carlos Robinson
On Monday 12 December 2005 12:12 pm, Carlos E. R. wrote:
The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
That list could grow very large. Also, if those attacks come from dynamic ips, you could have a deny line for an IP that has changed owner, and now is an honest person, while the attacker is using a new one you do not have listed yet.
Not a problem, login_sentry has a configurable time delay: the IP is denied for X days, then the entry is automatically removed from hosts.deny. You can set X to whatever you like; I use 3 days myself.
Scott
On Mon, 12 Dec 2005, Carlos E. R. wrote:
The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
That list could grow very large. Also, if those attacks come from dynamic ips, you could have a deny line for an IP that has changed owner, and now is an honest person, while the attacker is using a new one you do not have listed yet.
I think I read in passing somewhere about an iptables rule to deny temporarily access to a certain IP; the rule is temporary and disappears after some time, freeing resources.
But I don't know what is it.
I assume you're looking for the "recent" module for iptables.

    # Blocking ssh attacks
    /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
    /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

This will block all further syns from an IP address starting on the sixth port 22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that same IP address (or a reboot) to make the block go away. Kills a LOT of brute force ssh attacks. I've also used this both against web statistics spammers and email DOSers with good results.
Bjørn
-- Bjørn Tore Sund, System administrator, Math. Department, University of Bergen. Phone: (+47) 555-84894, Fax: (+47) 555-89672, Mobile: (+47) 918 68075, VIP: 81724. Support: http://bs.uib.no Contact: teknisk@mi.uib.no Direct: bjornts@mi.uib.no "Stupidity is like a fractal; universal and infinitely repetitive."
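As an added illustration (my own Python, not Bjørn's script and not the xt_recent source), here is a simplified model of how those three rules interact: "--set" records a timestamp for every SYN, "--update --seconds 60 --hitcount 6" matches when at least six timestamps fall inside the last 60 seconds and, on a match, records one more, which is what keeps a hammering source blocked until its hits inside the window fall below the threshold. The SYN timeline, the documentation addresses and the 20-entry per-address cap (the module's default ip_pkt_list_tot) are constructed for the example.

```python
"""Simplified model of the three-rule iptables 'recent' block quoted above.

Added example; not Bjorn's script and not the xt_recent kernel source.
It models just enough of the module to show why the sixth SYN inside
60 seconds is rejected and why a source that keeps hammering stays
rejected until its hits inside the window drop below the threshold.
"""
from collections import defaultdict, deque

WINDOW = 60        # --seconds 60
HITCOUNT = 6       # --hitcount 6
MAX_STAMPS = 20    # per-address ring buffer; xt_recent default ip_pkt_list_tot


class RecentList:
    """One named list ('sshattack'): source address -> recent timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, addr, now):
        """--set: add the address, or one more timestamp for it."""
        self.stamps[addr].append(now)

    def update(self, addr, now, seconds, hitcount):
        """--update --seconds S --hitcount N.

        Matches when the address has at least N timestamps inside the
        last S seconds.  On a match a fresh timestamp is recorded, which
        is what makes a blocked address renew its own block.
        """
        if addr not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[addr] if t >= now - seconds)
        if hits < hitcount:
            return False
        self.stamps[addr].append(now)
        return True


def filter_syns(syns):
    """Run (time, src) SYNs to port 22 through the three rules in order.

    Rule 1  -m recent --set                  no target, so it always falls through
    Rule 2  -m recent --update ... -j LOG    LOG is non-terminating
    Rule 3  -m recent --update ... -j REJECT
    Returns [(time, src, verdict, logged)] with verdict 'ACCEPT' or 'REJECT'.
    """
    table = RecentList()
    results = []
    for now, src in sorted(syns):
        table.set(src, now)
        logged = table.update(src, now, WINDOW, HITCOUNT)
        rejected = table.update(src, now, WINDOW, HITCOUNT)
        results.append((now, src, "REJECT" if rejected else "ACCEPT", logged))
    return results


# Constructed timeline (seconds, RFC 5737 documentation addresses): one
# source hammering port 22, one legitimate user connecting twice, and the
# hammering source trying once more after 61 seconds of silence.
ATTACKER, USER = "198.51.100.7", "203.0.113.9"
SAMPLE_SYNS = ([(t, ATTACKER) for t in (0, 10, 20, 30, 40, 50, 55, 60, 65)]
               + [(45, USER), (75, USER), (126, ATTACKER)])


def verdicts_for(src, syns=SAMPLE_SYNS):
    """Return [(time, verdict)] for one source, in time order."""
    return [(t, v) for t, s, v, _ in filter_syns(syns) if s == src]


if __name__ == "__main__":
    for t, s, v, logged in filter_syns(SAMPLE_SYNS):
        print(f"t={t:3d} {s:14} {v}{'  (logged)' if logged else ''}")
```

The legitimate user is never touched because the list is kept per source address; only the hammering source accumulates hits.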
Carlos E. R. wrote:
The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
That list could grow very large. Also, if those attacks come from dynamic ips, you could have a deny line for an IP that has changed owner, and now is an honest person, while the attacker is using a new one you do not have listed yet.
I think I read in passing somewhere about an iptables rule to deny temporarily access to a certain IP; the rule is temporary and disappears after some time, freeing resources.
But I don't know what is it.
I'd be fairly happy blocking a class C network from "by arrangement" services, but then I work with places with tens of employees:
Hi, This discussion has developed in two different directions, namely how SSH works and in particular how challenge-response is implemented, and the use of different rules to block scan attempts, both to port 22 and also in general. Let me clarify that, although I do use challenge-response, I do not think it is a universal panacea. If your users are computer literate, then it is a good idea to implement it (it also works under Windows ssh clients such as Putty, but I have no idea how to). If not, which is the most probable thing if you administer a network with hundreds of users, then you will have to keep password authentication, and a blocking rule against password attacks is a good idea. It is in any case worth implementing, I think, especially if it is designed to block general port scans, rather than just single ports like port 22. You never know if your apache server, or mail server, or whatever is vulnerable. To repeat the mantra of security people, security is a layered process. Two locks are always better than one :-) ... Best, Jaime.
Jaime Santos wrote:
Hi again,
If someone is using a script to probe port 22 of random machines, it probably does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to login remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it.
I think it's a very good idea to place ssh on a very high port. I'm running it on one and actually NEVER had anyone finding out the correct port. If they wanted to know they'd have to scan for a looong time, which generates LOTS of logs...... And then it's probably best to only allow a specific user so it gets extremely hard to even find out the USER, not even speaking of the pass.... Matt
Jaime Santos wrote:
Hi again,
If someone is using a script to probe port 22 of random machines, I see half a dozen or more each day, on each machine. Believe it's happening.
it probably does make sense to attach the ssh server to some other port. But your users will have to be warned that they have to explicitly name such a port when trying to login remotely. Furthermore, an nmap search for open ports can always reveal the services which are available, but this is a directed attack. Given the nuisance (such a strategy is essentially security via obscurity), I think it isn't worth doing it.
nmap or equivalent's always being run too. However, generally the assumption is that port 22 is ssh because that's where ssh is. What I've found works a treat is to use /etc/hosts.{allow,deny} to restrict connexions to my region, determined by networks from which known-good connexions come. Since I did that some months ago, over several machines I've had thousands of connexions rejected because they're from out of area, and maybe one that tried his dictionary. I also moved incoming connexions to a different machine where users who can't connect from remote can't authenticate. Another good idea, but one that requires more work to set up, is to set up a VPN: I use openvpn. The VPN authenticates, and you can trust people with a VPN better than you would the average Joe, Guiseppe or Josephine. You still have to control the VPN keys as you would any password.
You will also see many people recommending you change the default port from 22 to some high port number, but I'm not so sure that makes much of a difference.
By changing the ports on some of my production machines, I reduced the incorrect login attempts in my log down from circa 8-10 000 per day to only as often as I mistype my RSA passphrase :) At least this way I can seriously view my logs with a view to noticing something sinister. B
You will also see many people recommending you change the default port from 22 to some high port number, but I'm not so sure that makes much of a difference.
By changing the ports on some of my production machines, I reduced the incorrect login attempts in my log down from circa 8-10 000 per day to only as often as I mistype my RSA passphrase :)
At least this way I can seriously view my logs with a view to noticing something sinister.
B
I've got the same number of incorrect logins in my log... and so I've changed the ports, just like you, and the attacks stopped... And so, now I am a sad guy, with no IPs to have some fun.. (yes, I do usually do something with who attacks me, have even made a software to search the logs and log all unique IPs, and login attempts into a mysql table...) If you like to have fun, leave port 22; if you don't like to have fun with the logged IPs, change the port!
now I am a sad guy, with no IPs to have some fun.. (yes, I do usually do something with who attacks me, have even made a software to search the logs and log all unique IPs, and login attempts into a mysql table...)
I don't allow password based login into my machines, so these attacks pose no threat. But if you make your ssh daemon listen above port 32000, chances are 90% of port scanners will not bother to search that high, so the real threats are further marginalised. As for logging IPs to have "fun" as you call it: you can use your firewall logs to check who is trying to connect to port 22. All of your legitimate users will know about the change, so the ONLY people connecting to port 22 will be people who have no right to be on the machines. So you can still have "fun". By the way, how much fun is it trying to sift through files, call ISPs, lay complaints? Does Brazil have a nice mechanism to do this with good support from the ISPs? B
Thank you all for your responses... Bruno
On Sun, Dec 11, 2005 at 02:56:50PM -0800, Scott Leighton wrote:
On Sunday 11 December 2005 2:41 pm, Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet, so I want to know a little more about those options under /etc/ssh/sshd_config.
The options are pretty well documented in man 5 sshd_config
Most people seem to strongly recommend setting
Protocol 2
instead of
Protocol 1,2
and
PermitRootLogin no
instead of
PermitRootLogin yes
how about
DenyGroup DenyUsers AllowGroup AllowUsers
these seem useful for preventing brute force attacks on accounts like www, postgres, uucp, etc.
You will also see many people recommending you change the default port from 22 to some high port number, but I'm not so sure that makes much of a difference.
Scott
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- David Bear phone: 480-965-8257 fax: 480-965-9189 College of Public Programs/ASU Wilson Hall 232 Tempe, AZ 85287-0803 "Beware the IP portfolio, everyone will be suspect of trespassing"
Can we allow user@host with openssh? Not using tcpwrappers; I've a domain based on my ISP and if I let the domain in I open several chances... I read that we can put matching patterns under allowed users but can't seem to find that on man 5 sshd_config...
David Bear wrote:
On Sun, Dec 11, 2005 at 02:56:50PM -0800, Scott Leighton wrote:
On Sunday 11 December 2005 2:41 pm, Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet, so I want to know a little more about those options under /etc/ssh/sshd_config.
The options are pretty well documented in man 5 sshd_config
Most people seem to strongly recommend setting
Protocol 2
instead of
Protocol 1,2
and
PermitRootLogin no
instead of
PermitRootLogin yes
how about
DenyGroup DenyUsers AllowGroup AllowUsers
these seem useful for preventing brute force attacks on accounts like www, postgres, uucp, etc.
You will also see many people recommending you change the default port from 22 to some high port number, but I'm not so sure that makes much of a difference.
Scott
Bruno Cochofel wrote:
Can we allow user@host with openssh? Not using tcpwrappers; I've a domain based on my ISP and if I let the domain in I open several chances... I read that we can put matching patterns under allowed users but can't seem to find that on man 5 sshd_config...
What's the problem with tcpwrappers?
I'm behind an ISP and I always have different IPs, so I can always guess my domain, the one that comes from the ISP, but it's mine and about several people. Anyway, the option AllowUsers, under OpenSSH, lets you define user@somehost.com and even lets you use wildcards, * ?
John Summerfield wrote:
Bruno Cochofel wrote:
Can we allow user@host with openssh? Not using tcpwrappers; I've a domain based on my ISP and if I let the domain in I open several chances... I read that we can put matching patterns under allowed users but can't seem to find that on man 5 sshd_config...
What's the problem with tcpwrappers?
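Pulling together Scott's recommended settings (Protocol 2, PermitRootLogin no), David's Allow/Deny suggestion (the group forms are spelled AllowGroups and DenyGroups in sshd_config(5)) and the user@host patterns Bruno mentions, here is an added Python example, not code from any list member, that parses a sshd_config, flags the weak settings, and evaluates whether a given user@host passes DenyUsers/AllowUsers the way sshd_config(5) describes: DenyUsers is checked first, '*' and '?' are the only wildcards, and the first value seen for a keyword wins. The two configs are constructed samples, and the host part is matched against whatever single string the caller supplies, whereas sshd tries both the resolved hostname and the address.

```python
"""Audit a sshd_config and evaluate AllowUsers/DenyUsers patterns.

Added example for the thread, not code from any list member.  Parsing
follows sshd_config(5): one "Keyword value" per line, lines starting
with '#' are comments, keywords are case-insensitive, and the FIRST
value seen for a keyword is the one sshd uses.
"""
import re

# Constructed sample 1: the kind of config the thread warns about.
# The second "Protocol" line is ignored by sshd because the first wins.
WEAK_CONFIG = """\
Port 22
Protocol 1,2
PermitRootLogin yes
# too late: sshd already took "1,2" above
Protocol 2
"""

# Constructed sample 2: the settings recommended in the thread, plus
# user and user@host patterns for the ISP case Bruno describes.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
DenyUsers guest *@attacker.example.org
AllowUsers bruno@*.isp.example.net admin@192.168.1.*
"""

# Keyword -> value the thread recommends.  OpenSSH of that era defaulted
# to Protocol 2,1, PermitRootLogin yes and PasswordAuthentication yes, so
# an absent keyword is reported as weak as well.
RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}, keeping the first occurrence.

    Parsing stops at a 'Match' block: everything after it is conditional
    and must not be read as a global setting.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit(options):
    """List (keyword, value_found, value_recommended) for weak settings."""
    findings = []
    for key, wanted in RECOMMENDED.items():
        found = options.get(key, "<default>")
        if found.replace(" ", "").lower() != wanted:
            findings.append((key, found, wanted))
    return findings


def _glob(pattern, s):
    """sshd-style pattern: '*' matches any run, '?' one char, nothing else."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, s) is not None


def _matches(pattern, user, host):
    """Match a 'user' or 'user@host' pattern against one login attempt."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return _glob(user_pat, user) and _glob(host_pat, host)
    return _glob(pattern, user)


def login_allowed(options, user, host):
    """DenyUsers is evaluated before AllowUsers, as sshd_config(5) states.

    With neither directive present everyone is allowed; once AllowUsers
    is present, only users matching one of its patterns may log in.
    """
    deny = options.get("denyusers", "").split()
    allow = options.get("allowusers", "").split()
    if any(_matches(p, user, host) for p in deny):
        return False
    if allow:
        return any(_matches(p, user, host) for p in allow)
    return True


if __name__ == "__main__":
    for key, found, wanted in audit(parse_sshd_config(WEAK_CONFIG)):
        print(f"weak: {key} = {found!r} (recommended {wanted!r})")
    hard = parse_sshd_config(HARDENED_CONFIG)
    for user, host in [("bruno", "dsl-1-2-3-4.isp.example.net"),
                       ("bruno", "attacker.example.org"),
                       ("guest", "dsl-1-2-3-4.isp.example.net")]:
        print(user, host, "allowed" if login_allowed(hard, user, host) else "denied")
```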
Well I have a problem... After reconfiguring my ssh server based on all your suggestions I've opened my firewall port so I can connect from anywhere in the Internet (this was last night). Today my CPU was around 90% and above and the program that's consuming that is X owned by root!!! This was the same problem that made me ask for ssh options. It's not the first time this happens... I'm using publickey auth only, no root logon, and AllowUsers has only one. My password is pretty good, chars, numbers, special chars... Does this mean I've been hacked somehow??? Thanks, Bruno
On Dec 14, Bruno Cochofel <bruno.cochofel@gmail.com> wrote:
Well I have a problem... After reconfigured my ssh server based on all your suggestions I've opened my firewall port so I can connect from anywhere in the Internet (this was last night).
Today my CPU was around 90% and above and the program that's consuming that is X owned by root!!!
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Markus
-- Markus Gaugusch, markus(at)gaugusch.at (ASCII Ribbon Campaign Against HTML Mail)
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it. I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!! On 12/14/05, Markus Gaugusch <markus@gaugusch.at> wrote:
On Dec 14, Bruno Cochofel <bruno.cochofel@gmail.com> wrote:
Well I have a problem... After reconfigured my ssh server based on all your suggestions I've opened my firewall port so I can connect from anywhere in the Internet (this was last night).
Today my CPU was around 90% and above and the program that's consuming that is X owned by root!!!
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Markus
Hi *, Bruno Cochofel schrieb:
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it.
But you do not have to use a "screensaver".
I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!!
Oh man, inviting a DOS and wondering why the load is high. ;-( After unplugging a Mule client, my 2KBit DSL line was unusable for another 15 minutes. ;-( Don't use that monster, or live with a high load and full network lines. Just my 2ct/eur Dirk
Any suggestions on using other p2p client? On 12/14/05, Dirk Schreiner <Dirk.Schreiner@tria.de> wrote:
Hi *,
Bruno Cochofel schrieb:
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it.
But you do not have to use a "screensaver".
I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!!
Oh man, inviting a DOS and wondering why the load is high. ;-(
After unplugging a Mule client, my 2KBit DSL line was unusable for another 15 minutes. ;-(
Don't use that monster, or live with a high load and full network lines.
Just my 2ct/eur
Dirk
On Wednesday 14 December 2005 12:09, Bruno Cochofel wrote:
Any suggestions on using other p2p client?
It could have been a security related question, but in the current context it is most certainly not. If you have content that you can legally distribute, I think apache web server would be the best choice. It also has third party tools that enable you to put limits on bandwidth and other usage, so your internet connection does not become saturated. -- Jure Koren, n.i.
Jure Koren wrote:
On Wednesday 14 December 2005 12:09, Bruno Cochofel wrote:
Any suggestions on using other p2p client?
It could have been a security related question, but in the current context it is most certainly not.
If you have content that you can legally distribute, I think apache web server would be the best choice. It also has third party tools that enable you to put limits on bandwidth and other usage, so your internet connection does not become saturated.
That is not always true. The BitTorrent capability to distribute workload is very useful for very heavy, bursty loads. For instance, when a new Linux kernel appears, everyone rushes all at once to get it, and the web servers sag. But the BT shares just chug away, because the people who have fetched even a partial copy start taking up some of the load to pass it on to others. The distributed P2P protocol helps to absorb the burst. But in general you are correct, sharing with Apache is more manageable than sharing with a P2P client. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
On Wednesday 14 December 2005 12:23, Crispin Cowan wrote:
That is not always true. The BitTorrent capability to distribute workload is very useful for very heavy, bursty loads. For instance, when a new Linux kernel appears, everyone rushes all at once to get it, and the web servers sag. But the BT shares just chug away, because the people who have fetched even a partial copy start taking up some of the load to pass it on to others. The distributed P2P protocol helps to absorb the burst. But in general you are correct, sharing with Apache is more manageable than sharing with a P2P client.
Yes, and BitTorrent is generally not a "classic" p2p protocol. It just enables one to distribute content more efficiently, but you still need to distribute the torrent files and have a tracker up to delegate streams. Security-wise, this is probably the best solution, but obviously not the easiest to set up and use (and I think this is not a coincidence). Regards, -- Jure Koren, n.i.
Bruno Cochofel wrote:
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it. I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!!
Er, yeah, this is bad. A firewall machine for a home really does not need much power. You can go buy a crappy old computer and make it be your firewall, and keep the good one for your workstation. I actually do run X on my gateway, but only because I like the GUI tools like YaST. To make it safe(er), I have carefully ensured that all of X is not talking to the network. AppArmor makes this a bit easier :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
-----Original Message----- From: Crispin Cowan [mailto:crispin@novell.com] Sent: 14 December 2005 11:16 To: Bruno Cochofel Cc: Markus Gaugusch; suse-security@suse.com Subject: Re: [suse-security] Re: Openssh + security
Bruno Cochofel wrote:
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it. I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!!
Er, yeah, this is bad.
A firewall machine for a home really does not need much power. You can go buy a crappy old computer and make it be your firewall, and keep the good one for your workstation.
I actually do run X on my gateway, but only because I like the GUI tools like YaST. To make it safe(er), I have carefully ensured that all of X is not talking to the network. AppArmor makes this a bit easier :)
But but but... yast works really well in text mode! Me, I do without X entirely. Some of my boxes just won't like the extra load :-( Heh, why does it not surprise me that you are pro AppArmour? Tom. -- Thomas Knight System Administration Officer Arts and Humanities Data Service http://www.ahds.ac.uk
I'm using blank screen in the xscreensaver... Someone has to explain to me Apache Web Server and P2P??? I have Apache Web Server, but are there any P2P clients to run under this? By the way, I use fluxbox... On 12/14/05, Thomas Knight <thomas.knight@ahds.ac.uk> wrote:
-----Original Message----- From: Crispin Cowan [mailto:crispin@novell.com] Sent: 14 December 2005 11:16 To: Bruno Cochofel Cc: Markus Gaugusch; suse-security@suse.com Subject: Re: [suse-security] Re: Openssh + security
Bruno Cochofel wrote:
Well, I'm running X. I'm a home user and the "server" is also my PC so I have to use it. I'm also running xscreensaver and aMule (this one all the time). Maybe this is bad!!!
Er, yeah, this is bad.
A firewall machine for a home really does not need much power. You can go buy a crappy old computer and make it be your firewall, and keep the good one for your workstation.
I actually do run X on my gateway, but only because I like the GUI tools like YaST. To make it safe(er), I have carefully ensured that all of X is not talking to the network. AppArmor makes this a bit easier :)
But but but... yast works really well in text mode! Me, I do without X entirely. Some of my boxes just won't like the extra load :-(
Heh, why does it not surprise me that you are pro AppArmour?
Tom.
Hi,
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Why not? That is, what is the problem with running an X server on a server machine? I understand that it may take lots of resources, so I won't run KDE, say. But some packages do require (as far as I know) an X server (Oracle does, if I remember correctly). Is there anything wrong with running windowmaker? (I mean security issues, not just performance issues). Thanks in advance for your comments! -- Saludos, miguel
miguel gmail wrote:
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Why not? That is, what is the problem with running an X server on a server machine? I understand that it may take lots of resources, so I won't run KDE, say. But some packages do require (as far as I know) an X server (Oracle does, if I remember correctly).
Well, try not to run X on servers, because it is a memory and CPU hog, and you generally want your servers to have lots of memory and CPU available to serve clients. But really REALLY don't run X on security-exposed servers, because X is very, very difficult to secure.
Is there anything wrong with running windowmaker? (I mean security issues, not just performance issues.)
It doesn't really matter which desktop or window manager you use. X and its raft of applications are fundamentally vulnerable, because a HUGE volume of code is running as root, and a lot of it connects to the network unless you actively configure it not to. Another large problem with X on a security sensitive server is if you actually run desktop applications (mail clients, IM clients, P2P clients, OpenOffice, etc.) and they get compromised by some vulnerability in the application, then your server is compromised. All of this is based on the premise that your server is far more important/valuable than just one desktop, because only one person depends on the desktop, while *everyone* in the organization depends on the server. But if we are just talking about the machines in your basement :) then you likely have one client and one server and they may be the same machine, in which case the "importance" argument is moot. However, the security benefit of a hardened gateway machine (a firewall) is still strong, and it doesn't have to be a big machine. Either go buy a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as a firewall, or go buy one of those $100 firewall appliances from Linksys or whatever. But get yourself a firewall, it is much better than hoping that Gaim has finally fixed all the vulnerabilities :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Well I use SuSEFirewall2 but my ADSL Router has one also and it's active, letting only the web port, ssh port and aMule port open and also noip... On 12/14/05, Crispin Cowan <crispin@novell.com> wrote:
miguel gmail wrote:
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Why not? That is, what is the problem with running an X server on a server machine? I understand that it may take lots of resources, so I won't run KDE, say. But some packages do require (as far as I know) an X server (Oracle does, if I remember correctly).
Well, try not to run X on servers, because it is a memory and CPU hog, and you generally want your servers to have lots of memory and CPU available to serve clients.
But really REALLY don't run X on security-exposed servers, because X is very, very difficult to secure.
Is there anything wrong with running windowmaker? (I mean security issues, not just performance issues.)
It doesn't really matter which desktop or window manager you use. X and its raft of applications are fundamentally vulnerable, because a HUGE volume of code is running as root, and a lot of it connects to the network unless you actively configure it not to. Another large problem with X on a security sensitive server is if you actually run desktop applications (mail clients, IM clients, P2P clients, OpenOffice, etc.) and they get compromised by some vulnerability in the application, then your server is compromised.
All of this is based on the premise that your server is far more important/valuable than just one desktop, because only one person depends on the desktop, while *everyone* in the organization depends on the server. But if we are just talking about the machines in your basement :) then you likely have one client and one server and they may be the same machine, in which case the "importance" argument is moot.
However, the security benefit of a hardened gateway machine (a firewall) is still strong, and it doesn't have to be a big machine. Either go buy a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as a firewall, or go buy one of those $100 firewall appliances from Linksys or whatever. But get yourself a firewall, it is much better than hoping that Gaim has finally fixed all the vulnerabilities :)
Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Ok, let's say I'll put a firewall PC on my network... I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under yast but don't get the difference between the options Source network and requested IP, so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.) Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised? On 12/14/05, Crispin Cowan <crispin@novell.com> wrote:
miguel gmail wrote:
Please check if you are running X windows and if there is a screensaver active! Don't run X on servers!!
Why not? That is, what is the problem with running an X server on a server machine? I understand that it may take lots of resources, so I won't run KDE, say. But some packages do require (as far as I know) an X server (Oracle does, if I remember correctly).
Well, try not to run X on servers, because it is a memory and CPU hog, and you generally want your servers to have lots of memory and CPU available to serve clients.
But really REALLY don't run X on security-exposed servers, because X is very, very difficult to secure.
Is there anything wrong with running windowmaker? (I mean security issues, not just performance issues.)
It doesn't really matter which desktop or window manager you use. X and its raft of applications are fundamentally vulnerable, because a HUGE volume of code is running as root, and a lot of it connects to the network unless you actively configure it not to. Another large problem with X on a security sensitive server is if you actually run desktop applications (mail clients, IM clients, P2P clients, OpenOffice, etc.) and they get compromised by some vulnerability in the application, then your server is compromised.
All of this is based on the premise that your server is far more important/valuable than just one desktop, because only one person depends on the desktop, while *everyone* in the organization depends on the server. But if we are just talking about the machines in your basement :) then you likely have one client and one server and they may be the same machine, in which case the "importance" argument is moot.
However, the security benefit of a hardened gateway machine (a firewall) is still strong, and it doesn't have to be a big machine. Either go buy a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as a firewall, or go buy one of those $100 firewall appliances from Linksys or whatever. But get yourself a firewall, it is much better than hoping that Gaim has finally fixed all the vulnerabilities :)
Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Hi, Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
I have to create a masquerade rule to let the internet access my intranet web server, right?
If you are new to firewalling, try out rinetd. Makes firewall rules far easier. In fact you can simply use the YaST firewall configuration. (Simply handle the redirected external port as if it was opened by the server.)
(By the way, I'm trying to find out how to do that under yast but don't get the difference between the options Source network and requested IP, so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.)
Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?
Yea. Put another 5.-- EUR ethernet card into the firewall. Declare it as DMZ and put the webserver there. (But then your workstation cannot be the webserver ;-)) Greetings Dirk TRIA IT-consulting GmbH Joseph-Wild-Straße 20 81829 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de Registry court München HRB 113466 VAT ID DE 180017238 Tax no. 802/40600 Managing director: Richard Hofbauer Commercial management: Rosa Igl -------------------------------------------------------- Message from: Dirk.Schreiner@tria.de Message to: bruno.cochofel@gmail.com, suse-security@suse.com # Attachments: 0
Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under yast but don't get the difference between the options Source network and requested IP, so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.)
Yes, that is an advanced firewall configuration, and it doesn't surprise me if it isn't easy.
Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?
Yes it does. The usual "enterprise" way to address that is with an elaborate network, which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ network populated with publicly routable servers such as your web server, an inner firewall that does do NAT, and finally your local LAN. Machines in the DMZ are more vulnerable, but that's fairly ok because your really important stuff is behind the 2nd firewall. The minimal-number-of-machines approach requires that you either configure the masquerade rule you mentioned, or host the web server on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
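The one-box version of what Dirk (extra NIC as a DMZ) and Crispin (DNAT for the published port, DMZ hosts kept away from the LAN) describe above, written out as an added example that is not code from the thread or from SuSEFirewall2. It models the netfilter FORWARD chain as first-match rules so you can check with constructed packets that the published web port is reachable from outside while a compromised DMZ host still cannot open a connection into the LAN. Interface names eth0/eth1/eth2, the DMZ web server address and the LAN address are assumptions; the `to_iptables` output is the equivalent iptables command for each rule.

```python
"""Model of the FORWARD chain of a one-box WAN / DMZ / LAN firewall.

Added example, not from the thread.  Interface names and addresses are
assumed; with a PREROUTING DNAT in place, FORWARD already sees the packet
with the DMZ server as destination, which is what the rules below match.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

WAN, DMZ, LAN = "eth0", "eth1", "eth2"   # assumed interface names
DMZ_WEB = "192.168.2.10"                  # assumed web server on the DMZ leg


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    dst: str
    dport: int
    state: str          # "NEW" or "ESTABLISHED" (conntrack state)


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT or DROP
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None     # -m state --state NEW / ESTABLISHED

    def matches(self, p: Packet) -> bool:
        checks = ((self.in_if, p.in_if), (self.out_if, p.out_if),
                  (self.dst, p.dst), (self.dport, p.dport), (self.state, p.state))
        # An unset field is a wildcard, as with an omitted iptables match.
        return all(want is None or want == got for want, got in checks)

    def to_iptables(self) -> str:
        parts = ["iptables -A FORWARD"]
        if self.in_if:
            parts.append(f"-i {self.in_if}")
        if self.out_if:
            parts.append(f"-o {self.out_if}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.dport is not None:
            parts.append(f"-p tcp --dport {self.dport}")
        if self.state:
            parts.append(f"-m state --state {self.state}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def forward_rules(published_ports=(80,)) -> list[Rule]:
    """FORWARD chain, evaluated top to bottom; chain policy is DROP."""
    rules = [
        Rule("ACCEPT", state="ESTABLISHED"),   # replies to flows allowed below
        Rule("ACCEPT", in_if=LAN),             # the LAN may initiate to DMZ and WAN
    ]
    for port in published_ports:               # paired with the DNAT in nat_rules()
        rules.append(Rule("ACCEPT", in_if=WAN, out_if=DMZ,
                          dst=DMZ_WEB, dport=port, state="NEW"))
    # The DMZ boundary: a compromised web server gets no new connections into the LAN.
    rules.append(Rule("DROP", in_if=DMZ, out_if=LAN))
    rules.append(Rule("ACCEPT", in_if=DMZ, out_if=WAN))   # DMZ may still fetch updates
    return rules


def verdict(p: Packet, rules: Optional[list[Rule]] = None) -> str:
    """First matching rule decides; fall through to the DROP policy."""
    for r in rules if rules is not None else forward_rules():
        if r.matches(p):
            return r.target
    return "DROP"


def nat_rules(published_ports=(80,)) -> list[str]:
    """Masquerade outbound traffic and DNAT each published port to the DMZ host."""
    lines = [f"iptables -t nat -A POSTROUTING -o {WAN} -j MASQUERADE"]
    for port in published_ports:
        lines.append(f"iptables -t nat -A PREROUTING -i {WAN} -p tcp --dport {port} "
                     f"-j DNAT --to-destination {DMZ_WEB}:{port}")
    return lines


if __name__ == "__main__":
    for line in nat_rules() + [r.to_iptables() for r in forward_rules()]:
        print(line)
    probe = Packet(DMZ, LAN, "192.168.1.5", 445, "NEW")   # DMZ host probing the LAN
    print("DMZ -> LAN:", verdict(probe))
</test>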
Hi Crispin, Crispin Cowan wrote:
Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
[...]
on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Crispin
Oh, you can chroot apache fairly well. SCNR Crispin. Greetings Dirk
Dirk Schreiner wrote:
Crispin Cowan wrote:
on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Oh, you can chroot apache fairly well.
True, if you use any of a variety of confinement mechanisms (chroot, virtual machines (Xen, VMware, UML), AppArmor, SELinux) then you can achieve sufficient confinement of the web server that your firewall could be safe enough. The issue is how easy or difficult it is to achieve that, and to achieve it correctly because if the confinement has holes, then your security is at risk again. Chroot, in particular, has issues with being escapable if it is not configured correctly, so be careful. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Hi, Crispin Cowan wrote:
Dirk Schreiner wrote:
Crispin Cowan wrote:
on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Oh, you can chroot apache fairly well.
True, if you use any of a variety of confinement mechanisms (chroot, virtual machines (Xen, VMware, UML), AppArmor, SELinux) then you can achieve sufficient confinement of the web server that your firewall could be safe enough. The issue is how easy or difficult it is to achieve that, and to achieve it correctly because if the confinement has holes, then your security is at risk again. Chroot, in particular, has issues with being escapable if it is not configured correctly, so be careful.
I am ;-) Btw. I don't want to start another discussion thread about AppArmor. But if you have a configuration example handy for securing apache2 on SuSE 10 I would like to give AppArmor a chance. Dirk
Well, AppArmor is out of the question, not freeware (sorry Crispin...) Let me clear up: A) I have a firewall/router/adsl/4 hub ports connecting to internet. B) I need a web server and an ssh server C) I also have a 5 port switch D) I have a laptop to use in my intranet and also have an old Pentium MMX 200MHz At the moment I have my "server" with 2 NICs, one connected to the router and the other to the switch (my intranet) and all the firewall, web server, ssh server, noip account work under this "server". I also have aMule always running on this (ok, I've learned this is bad...). This "server" has SuseFirewall2 running also and does IP Forwarding to my intranet. It's a DNS, DHCP, LDAP, MySQL, PostgreSQL Server but just for my intranet. What can I do with this? Crispin Cowan wrote:
Bruno Cochofel wrote:
Ok, let's say I'll put a firewall PC on my network...
I have to create a masquerade rule to let the internet access my intranet web server, right? (By the way, I'm trying to find out how to do that under yast but don't get the difference between the options Source network and requested IP, so if someone helps me on this I'd appreciate it... There are several options to create a rule, so please elucidate me.)
Yes, that is an advanced firewall configuration, and it doesn't surprise me if it isn't easy.
Doesn't this rule open a hole in my intranet security if, let's say, my web server gets compromised?
Yes it does.
The usual "enterprise" way to address that is with an elaborate network, which has an outer firewall that is fairly porous and *not* NAT'd, a DMZ network populated with publicly routable servers such as your web server, an inner firewall that does do NAT, and finally your local LAN. Machines in the DMZ are more vulnerable, but that's fairly ok because your really important stuff is behind the 2nd firewall.
The minimal-number-of-machines approach requires that you either configure the masquerade rule you mentioned, or host the web server on the gateway machine. The latter is just as horrible for the security of your firewall as is running X on your firewall. Unless you use AppArmor :)
Crispin
Remove "1" in the "Protocol" field in /etc/ssh/sshd_config . It should be --> Protocol 2 Thanks & Regards, Shashi Kanth Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet so I want to know a little more about those options under /etc/ssh/sshd_config.
Thanks, Bruno
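The two sshd_config settings recommended in this thread (Protocol 2 instead of Protocol 1,2, and PermitRootLogin no) are easy to get wrong because sshd takes the first value it sees for a keyword and ignores later duplicates. The following added example, not from the thread or from OpenSSH, parses an sshd_config the way sshd does (first occurrence wins, keywords case-insensitive, comments skipped, parsing stopped at the first Match block because values there are conditional) and reports the weak settings beside the corrected ones. The PasswordAuthentication check goes one step beyond the thread: with keys deployed, turning passwords off is what makes the brute-force noise harmless. The sample configurations are constructed.

```python
"""Audit an sshd_config for the settings recommended in this thread.

Added example; the config texts below are constructed, not taken from any
real host.  Keyword defaults quoted in the findings are those of OpenSSH.
"""
from __future__ import annotations
import re

# "Keyword value" or "Keyword=value"; sshd accepts both forms.
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective value per keyword (lower-cased keyword).

    sshd uses the first occurrence of each keyword, so later duplicates are
    ignored here as well.  Parsing stops at the first Match block, whose
    settings apply only to matching connections.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def audit(cfg: dict[str, str]) -> list[str]:
    """Return one finding per weak or unset setting; empty list means clean."""
    findings = []

    proto = cfg.get("protocol")
    if proto is None:
        findings.append("Protocol not set; set 'Protocol 2' "
                        "(older OpenSSH releases defaulted to 2,1)")
    elif "1" in [p.strip() for p in proto.split(",")]:
        findings.append(f"Protocol {proto} allows SSH-1; set 'Protocol 2'")

    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set; set 'PermitRootLogin no' "
                        "(the default still permits root logins)")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin {root}; set 'PermitRootLogin no'")

    pw = cfg.get("passwordauthentication", "yes")   # default is yes
    if pw.lower() != "no":
        findings.append("PasswordAuthentication is enabled; with keys deployed "
                        "set 'PasswordAuthentication no' so guessing cannot succeed")
    return findings


# Constructed sample configurations.
WEAK_CONFIG = """\
# Protocol 2          <- commented out, so it does not count
Protocol 1,2
PermitRootLogin yes
PermitRootLogin no    # ignored: sshd keeps the first value
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Match User bruno
    PasswordAuthentication yes   # conditional, not audited here
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text)) or ["ok"])
```

Run it against a real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; an empty list means all three settings are explicit and as recommended.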
On Sunday 11 December 2005 17:41, Bruno Cochofel wrote:
I need to install an ssh server and I need some information about security options. I know that there have been some kind of "attacks" on port 22 on the internet so I want to know a little more about those options under /etc/ssh/sshd_config.
Thanks, Bruno
Bruno, Take a look at : http://denyhosts.sourceforge.net Ron
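What DenyHosts does, in outline, is read the sshd lines from the auth log, count password failures per source address and add repeat offenders to /etc/hosts.deny. The following added example (not DenyHosts' own code and not from the thread) shows that detection logic over a few constructed syslog lines: it parses "Failed password" records, flags a source that fails a threshold number of times inside a short window, and emits the hosts.deny lines. The log lines, addresses, year and thresholds are all assumptions.

```python
"""Count sshd password failures per source and emit hosts.deny entries.

Added example, not DenyHosts' code.  SAMPLE_LOG is constructed; syslog
lines carry no year, so LOG_YEAR is assumed when parsing timestamps.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2005   # assumed, since syslog timestamps omit the year

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
Dec 14 10:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Dec 14 10:00:03 gw sshd[2202]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Dec 14 10:00:05 gw sshd[2203]: Failed password for root from 203.0.113.7 port 40114 ssh2
Dec 14 10:00:07 gw sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 40115 ssh2
Dec 14 10:00:09 gw sshd[2205]: Failed password for root from 203.0.113.7 port 40116 ssh2
Dec 14 10:00:11 gw sshd[2206]: Failed password for invalid user guest from 203.0.113.7 port 40117 ssh2
Dec 14 09:00:00 gw sshd[2150]: Failed password for bruno from 198.51.100.9 port 51000 ssh2
Dec 14 10:05:00 gw sshd[2210]: Accepted publickey for bruno from 192.0.2.5 port 50001 ssh2
Dec 14 10:30:00 gw sshd[2230]: Failed password for bruno from 198.51.100.9 port 51001 ssh2
Dec 14 11:00:00 gw sshd[2240]: Failed password for bruno from 198.51.100.9 port 51002 ssh2
Dec 14 11:30:00 gw sshd[2250]: Failed password for bruno from 198.51.100.9 port 51003 ssh2
Dec 14 12:00:00 gw sshd[2260]: Failed password for bruno from 198.51.100.9 port 51004 ssh2
"""


def parse_failures(lines) -> dict[str, list[tuple[datetime, str]]]:
    """Map source IP -> list of (timestamp, attempted user) for failed logins."""
    failures: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue   # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        failures[m["ip"]].append((ts, m["user"]))
    return dict(failures)


def offenders(failures, threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Sources with at least `threshold` failures inside any `window`.

    A user mistyping a password a few times over a day does not trip the
    rule; a script trying many accounts in seconds does.
    """
    hits: dict[str, int] = {}
    for ip, events in failures.items():
        times = sorted(t for t, _ in events)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = len(times)
                break
    return hits


def hosts_deny_lines(hits: dict[str, int]) -> list[str]:
    """TCP-wrappers lines denying sshd to each flagged source."""
    return [f"sshd: {ip}" for ip in sorted(hits)]


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG.splitlines())
    for line in hosts_deny_lines(offenders(found)):
        print(line)
```

The threshold and window are the tuning knobs: a low threshold blocks scripted guessing faster but also locks out a user who fat-fingers a password, which is why the example counts repeated failures within a window rather than total failures.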