Try to protect your ssh with tcp wrappers. ----- Original Message ----- From: "dadirtyluk" <news4dadirtyluk@gmx.de> To: <suse-security@suse.com> Sent: Monday, September 20, 2004 7:10 PM Subject: AW: [suse-security] SSH password attacks

yo,

i've seen these login attempts on two of my machines, too!

don't know where that comes from, but sometimes in the night i could see plenty pages of denied login attempts.

a few weeks ago that stopped, but i didn't do anything to avoid these attempts...silly thing, since it were the same users as for you and some more different users, but none of them existed locally!

but it sucked quite a bit to see these log entries over and over again!

regards luk

-----Ursprüngliche Nachricht----- Von: suse@rio.vg [mailto:suse@rio.vg] Gesendet: Montag, 20. September 2004 17:40 An: suse-security@suse.com Betreff: [suse-security] SSH password attacks

This may not be strictly SuSE related, but what the heck: Lately, I've been getting tons of attempts to login via ssh for "guest", "test", "user", and "admin". Plenty others for root, and even one that seemed to have been a list of some script kiddie's /etc/passwd. The root ones are pretty obvious and always blocked, but I've found the others rather curious.

Does anyone running a unix server really use "guest", "test", "user", or "admin" as real accounts? Judging by the volume of attempts I'm getting, there has to be something causing this. Was a borked version of ssh server released for windows, or something? Or is this trying to connect to zombie machines? From what I understand, ssh server isn't common on windows, and those accounts certainly aren't common to unix... Anyone know what's going on here?

(I'm not worried about my machines, root is blocked by sshd and I don't have the other accounts, I'm just curious.)

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

I have gone from perplexed to baffled to grimly determined. Having sustained a number of intrusions (all uninvited, including kitting of my Cisco 3640), I want to build a SuSE router with ip-tables. Am having the devil of a time at it. YaST will not support two network cards. Have tried manual configuration with << ip >>, which does recognize the cards ("ip link) as eth0 and eth1, but does not recognize the devices when I reference them from command line as either eth0, eth1, or those names that YaST gives them with the MAC address. Both NICs are internal. Prefer just to have an eth0 and eth1, and someway to force eth0 to load as "external." Does anyone know how to do this? a friend says it is easy in Gentoo. melissa

On Sat, 25 Sep 2004, melissad wrote:

I have gone from perplexed to baffled to grimly determined. Having sustained a number of intrusions (all uninvited, including kitting of my Cisco 3640), I want to build a SuSE router with ip-tables. Am having the devil of a time at it.

YaST will not support two network cards. Have tried manual configuration with << ip >>, which does recognize the cards ("ip link) as eth0 and eth1, but does not recognize the devices when I reference them from command line as either eth0, eth1, or those names that YaST gives them with the MAC address.

Both NICs are internal. Prefer just to have an eth0 and eth1, and someway to force eth0 to load as "external."

Does anyone know how to do this? a friend says it is easy in Gentoo.

I find the claim that YaST does not support two network cards confusing. I've configured machines with up to four NICs using YaST and it simply works. The problem in SuSE 9.1 is that I haven't found a way to force a specific card to be a specific interface, but this could be because I'm not yet familiar enough with the 2.6 kernel. YaST should autodetect your cards in the first dialogue after you start 'yast2 network' and should then let you choose "configure" on them one by one. Bjørn -- Bjørn Tore Sund Phone: (+47) 555-84894 Stupidity is like a System administrator Fax: (+47) 555-89672 fractal; universal and Math. Department Mobile: (+47) 918 68075 infinitely repetitive. University of Bergen VIP: 81724 Support: system@mi.uib.no Contact: teknisk@mi.uib.no Direct: bjornts@mi.uib.no

One way I found to fix this: build your own kernel and do not compile the device drivers for the network cards as modules but include them into the kernel. Now the cards will always get the same 'eth...' ID.

Bad way, IMHO. I'd never even consider monolithic kernels. Try adding the NIC modules to your INITRD_MODULES, in the order you want. Alternatively, insmod the modules from boot.local in the order you want. Untested, but cards get grabbed when their module is loaded. Volker -- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.

Volker Kuhlmann wrote:

...

One way I found to fix this: build your own kernel and do not compile the device drivers for the network cards as modules but include them into the kernel. Now the cards will always get the same 'eth...' ID.

Bad way, IMHO. I'd never even consider monolithic kernels. Try adding the NIC modules to your INITRD_MODULES, in the order you want. Alternatively, insmod the modules from boot.local in the order you want. Untested, but cards get grabbed when their module is loaded.

Just use unique names instead of the dynamically assigned interface names. You can for example also refer to an ethernet interface by MAC address or PCI bus address: $ ip link show eth0 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:e0:4c:9f:61:9a brd ff:ff:ff:ff:ff:ff $ getcfg-interface eth-id-00:e0:4c:9f:61:9a eth0 $ lspci |grep net 0000:00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 74) $ getcfg-interface eth-bus-pci-0000:00:12.0 eth0 So in my case I can use either eth0, eth-id-00:e0:4c:9f:61:9a or eth-bus-pci-0000:00:12.0 as interface name in SuSEfirewall2 depending on whether I want to refer to the first ethernet interface, an ethernet interface with a certain MAC address or the interface of a network card in a specific pci slot. cu Ludwig -- (o_ Ludwig Nussel //\ SUSE LINUX AG, Development V_/_ http://www.suse.de/

This will work if you have different cards - but not if you have cards of the same type where the module loaded will handle all cards

Yes I was aware of that, but then the same driver will always grab cards in the same order. However, as Ludwig says, addressing interfaces by MAC or PCI address (which didn't used to be possible) is ever so much better.

Monolithic kernels have some advantages from the security point of view. If the kernel does not support loading modules nobody can temper with the modules. Also, if I have a given hardware constellation which will not change (typical for server applications) why load modules?

The security advantage is thin, ever since someone found out how to do the equivalent of loading modules in a monolithic kernel many years back. That the hardware doesn't change is an illusion in my experience. The network card dies, or refuses to work with some other device, mobo dies, whatever, it's a server so you're under stress to replace the part fast. Then you boot up and find you have a monolithic kernel - that's when you really start rotating... Volker -- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.

On most machines, special with own monolithic kernels, I've a standard kernel as reserve.

All very well, until you find that the previous admin was less organised... :) Volker -- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.

Carl A. Schreiber wrote:

Hello,

a question about a (SuSE)Firewall-Login:

Is there a possibility (most probably) to restrict the ssh-access (user and root) to the firewall to certain (local) networks like 10.10.10.*?

Am I on the right way that I must change /etc/ssh/sshd_config

Here I should change #ListenAddress 0.0.0.0 to ListenAddress 10.10.10.0 (with this only from the 10.10.10.0 net a user can login, root login is denied anyway)

But _only_ this? For me there is no need to protect from 'inside' as it is only me.

What exactly are you trying to accomplish? If you want to only allow SSH from the internal network, including root, use the rollowing in sshd_config: ListenAddress 10.10.10.5 (or whatever the IP of the server is) PermitRootLogin yes This will prevent anyone from connecting to ssh from the external network, and allow even root to login from internal. In general, this is not desirable, but if it's what you want, that's how you do it.