Mailinglist Archive: opensuse-security (14 mails)

RE: [opensuse-security] Break-in via ftp and tomcat accounts
I can not find the reference right off, but one of the first things I do
when bringing up a new SuSE machine is make a couple of changes to ssh.
There was an article at Novell that basically said the same thing when
you want to expose ssh.

Change Permit root login to no

Change protocol version to 2 only

Change the port the server listens to. I recommend something > 1024. If
you are running a public server, you may not be able to do that, but few
web designers know what to do with a command line and it cuts down on
the chaff from the script kiddies.

Add the following to the /etc/sshd_config:
AllowGroups sshallow

Now go into YAST and add group sshallow and only put in the user ids you
want to be able to login via ssh. And that does not include root or ftp.

This is all good advice, and I did not know about DenyUsers, AllowUsers,
DenyGroups, AllowGroups. However, it doesn't explain the mystery because
the usernames concerned were already not allowed to login...they
did not have valid passwords. Changing the sshd config just makes them
even more not allowed to login.

To use a house analogy: somebody has got through a locked door and I don't
know how they managed it. I can put a new lock on the door but I am still
scared because I rely on the same lock in other places.

Just to repeat what happened: it appears that sshd accepted a password
login for user ftp even though user ftp has no valid password. That is
either a dreadful bug or a terrible misconfiguration.

You could (on the belt & braces approach) add the "PermitEmptyPasswords No"
option to sshd_config, although this is nominally the default.

A better route for sshd is to switch all the logins to PubkeyAuthentication
and disallow PasswordAuthentication. This is a more secure option as it's
not then so easy to use brute force attacks to break in.

Maybe then you'll be able to sleep at nights ;-)

Alternatively you can block all access from non-local IP addresses + VPN and
insist that all connects from the outside come through a VPN (e.g. Zerina).
This filtering can be done in the box's firewall, so you're using another
layer of protection rather than relying solely on sshd & pam to apply
security policy.
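
The sshd_config settings recommended across the mails above can be checked mechanically. This is an added example, not part of the original mails: the function names, finding texts and both sample configurations are constructed for illustration. It audits only the global section (it stops at the first Match block, does not follow Include files, and leaves out Port, which may legitimately appear more than once).

```python
import re

def parse_sshd_config(text):
    """Global-section settings as {keyword: value}; first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional; only global settings are audited
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings for the settings recommended in the thread."""
    cfg = parse_sshd_config(text)
    get = lambda key, default: cfg.get(key, default).lower()
    findings = []
    if get("permitrootlogin", "unset") != "no":
        findings.append("PermitRootLogin is not 'no'")
    # Only flag Protocol when it is set and lists version 1.
    if "1" in get("protocol", "2").split(","):
        findings.append("Protocol allows version 1")
    if "allowgroups" not in cfg:
        findings.append("no AllowGroups restriction")
    if get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords is enabled")
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not disabled")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

# Constructed sample inputs (not taken from the poster's machine).
WEAK = """# constructed example
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """Protocol 2
PermitRootLogin no
AllowGroups sshallow
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication = no
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

In the weak sample the second `PasswordAuthentication no` has no effect because the earlier `yes` is the value sshd uses, which is why the audit still reports it.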