14 Feb
2009
14 Feb
'09
6:55 p.m.
Hello all!
I'm just a little worried abot my system security. I wonder is the following
normal:
# ps -ax
[...]
8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd [accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the same.
Can I easily check where it's coming from and what it's doing. I don't see
anything besides those two lines. No other strange processes.
Sorry to have bothered you with that.
Kindest regards
Julien
--------
Music was my first love and it will be my last (John Miles)
======== FIND MY WEB-PROJECT AT: ========
http://ltsb.sourceforge.net
the Linux TextBased Studio guide
======= AND MY PERSONAL PAGES AT: =======
http://www.juliencoder.de
14 Feb
14 Feb
7:42 p.m.
On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:
8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd
[accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the same.
Can I easily check where it's coming from and what it's doing. I don't see
anything besides those two lines. No other strange processes.
Someone is trying a ssh login - usually from the former
east block - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.
It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only dsa authentication is better of course.
Last summer I watched one of them and whois told me
this was coming from a Canadian university. Called
their security, and it turned out this was a 'live'
user (very often its done by malware doing its job
without the system owner being aware) That one won't
try it again I guess...
Ciao,
--
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O tu, che porte, correndo si ?
E guerra e morte !
7:46 p.m.
Thanks! That put my mind at easy.
Kindest regards
Julien
--------
Music was my first love and it will be my last (John Miles)
======== FIND MY WEB-PROJECT AT: ========
http://ltsb.sourceforge.net
the Linux TextBased Studio guide
======= AND MY PERSONAL PAGES AT: =======
http://www.juliencoder.de
9:14 p.m.
On Sun, 15 Feb 2009 00:43:17 +0100
Fons Adriaensen <fons(a)kokkinizita.net> wrote:
On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien
Claassen wrote:
I changed the port sshd runs on because I got sick of the
clickety click as logs were written due to brute force login
attempts. Not an option for everyone but it did the trick
nicely for me. Port knocking is another option.
pete.
8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd
[accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the same.
Can I easily check where it's coming from and what it's doing. I don't see
anything besides those two lines. No other strange processes.
Someone is trying a ssh login - usually from the former
east block - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.
It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only dsa authentication is better of course. 
11:02 p.m.
On Sun, 2009-02-15 at 01:14 +0000, pete shorthose wrote:
On Sun, 15 Feb 2009 00:43:17 +0100
Fons Adriaensen <fons(a)kokkinizita.net> wrote:
Another option is a service called denyhosts, it adds entries
to /etc/hosts.deny for each host from which a defined number of failed
logins happen. So the attacking hosts are dropped out as they try
passwords and hopefully fail...
http://denyhosts.sourceforge.net/
-- Fernando
On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien
Claassen wrote:
I changed the port sshd runs on because I got sick of the
clickety click as logs were written due to brute force login
attempts. Not an option for everyone but it did the trick
nicely for me. Port knocking is another option. 8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd
[accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the same.
Can I easily check where it's coming from and what it's doing. I don't see
anything besides those two lines. No other strange processes.
Someone is trying a ssh login - usually from the former
east block - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.
It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only dsa authentication is better of course. 
15 Feb
15 Feb
12:35 a.m.
Fernando Lopez-Lezcano wrote:
Another option is a service called denyhosts, it adds
entries
to /etc/hosts.deny for each host from which a defined number of failed
logins happen. So the attacking hosts are dropped out as they try
passwords and hopefully fail...
While effective, this can result in a DoS against your machine.
However, I do something similar with the firewall. I found a good firewall
script here:
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.h
tml#s-firewall-setup
And I added this rule:
#
# This is to limit all those ssh bots
#
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --set --name DEFAULT --rsource
Which temporarily ignores traffic from a host if they hit my SSH port 4 times in
60 seconds.
However, in the past few months, the scripts that are attacking the ssh ports
have taken on a distributed attack vector that is able to circumvent this
firewall rule.
HTH,
Gabriel
5:32 a.m.
On Sunday 15 February 2009 00:43:17 Fons Adriaensen wrote:
On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien
Claassen wrote:
I have a script that filters the log-files for "invalid user", extracts the IP
and adds it to the RECENT table (which is used for blocking for five minutes).
But some of these attackers have botnets which means a lot of IP's to be
blocked before they finished their username-list...
From my experience using key-logins only helps when you have only linux users.
Most windows people don't really understand the concepts of security, public
keys and such.
Arnold
8226 ? Ss 0:00 sshd: unknown [priv]
8227 ? S 0:00 sshd: unknown [net]
Just before that I only saw "sshd [accept]" and "sshd [net]".
Shutdown sshd and made new password and restarted sshd. Now it's the
same. Can I easily check where it's coming from and what it's doing. I
don't see anything besides those two lines. No other strange processes.
Someone is trying a ssh login - usually from the former
east block - and probably trying a list of user names
and passwords. Do (as root) tail -50 /var/log/secure
to see the show.
It happens here all the time. As long as you don't have
any easily guessed user/passwd combinations the danger
is limited, and closing your network connection for a
minute usually makes them go away. Configuring sshd to
allow only dsa authentication is better of course. 
6:38 a.m.
Hallo,
Arnold Krille hat gesagt: // Arnold Krille wrote:
I have a script that filters the log-files for
"invalid user", extracts the IP
and adds it to the RECENT table (which is used for blocking for five minutes).
But some of these attackers have botnets which means a lot of IP's to be
blocked before they finished their username-list...
Basically that's what denyhost does, and it also has additional features
like a realtime bla/ocklist, which also blocks distributed
attacks that are not affected by blocking single IPs because one
attacker there is able to use a new IP for each attempt. OTOH botnets
usually are interested in servers with more valuable data than most of
us have.
From my experience using key-logins only helps when
you have only linux users.
Most windows people don't really understand the concepts of security, public
keys and such.
True, but for home-machines of Linux Audio freaks, usually nobody from a
Windows machine needs to log in anyway. ;) And if it's a public server,
I'd rather not have anybody logging in through ssh who is not capable of
dealing with key logins. I disabled password logins through ssh on
my public machines.
Ciao
--
Frank
6:46 a.m.
Thanks you all very much for your help and information.
I found out, that the login-attempts were coming from one host only and they
indeed stopped after my sshd was down for a while. And yes they came from
Russia, at least that's what whois said.
Kindest regards
Julien
--------
Music was my first love and it will be my last (John Miles)
======== FIND MY WEB-PROJECT AT: ========
http://ltsb.sourceforge.net
the Linux TextBased Studio guide
======= AND MY PERSONAL PAGES AT: =======
http://www.juliencoder.de
6:56 a.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
On Sun, Feb 15, 2009 at 11:39:09AM +0100, Frank Barknecht wrote:
... And if it's a public server,
I'd rather not have anybody logging in through ssh who is not capable of
dealing with key logins. I disabled password logins through ssh on
my public machines.
That seems to be the best way to deal with it.
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
TIA,
--
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O tu, che porte, correndo si ?
E guerra e morte !
7:14 a.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
Google the words 'iptables' and 'masquerade', piece of cake.
L
7:46 a.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
Luis Garrido wrote:
masquerade only works from the inside to the world.
for remote access to inside hosts, you need port forwarding (or "DNAT",
destination nat, in iptables lingo).
problem is, when you have, say, 16 hosts for which you want to open ssh
access, you need 16 ports on the router. gets nasty real quick.
what i usually did was to say "port 22000 is the base port for ssh, add
the last quad of the internal ip address of the host you want to reach"
and forward accordingly. same for any other services you might want.
I need to set
up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
Google the words 'iptables' and 'masquerade', piece of cake. 
7:24 a.m.
New subject: Re : [ot] - NEED some security advise PLEASE! + new question
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
I think you just need to enable ip_forward on the router:
See for instance http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html#FORWARDING
Then
you need to configure other machines to use the router as a gateway. In
my case I have to add the line GATEWAY=ip_of_the_router in
/etc/sysconfig/network-scripts/ifcfg-eth0
Cheers,
Sylvain
__________________________________________________________________________________________________
Ne pleurez pas si votre Webmail ferme ! Récupérez votre historique sur Yahoo! Mail !
http://fr.docs.yahoo.com/mail/transfert_mails.html
7:32 a.m.
New subject: Re : [ot] - NEED some security advise PLEASE! + new question
I think you just need to enable ip_forward on the
router:
Necessary, but not sufficient. If you do just that without performing
some kind of SNAT your router will deliver packets with private
addresses to your provider, who will promptly throw them in the waste
bin.
L
7:33 a.m.
New subject: Re : [ot] - NEED some security advise PLEASE! + new question
On Sun, Feb 15, 2009 at 11:24:07AM +0000, Sylvain HENRY wrote:
I think you just need to enable ip_forward on the
router:
See for instance
http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html#FORWARDING
Then
you need to configure other machines to use the router as a gateway. In
my case I have to add the line GATEWAY=ip_of_the_router in
/etc/sysconfig/network-scripts/ifcfg-eth0
It's not *that* simple. You can't use 192.168.x.x externally,
there are zillions of LANs using that network address !
Ciao,
--
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O tu, che porte, correndo si ?
E guerra e morte !
8:08 a.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
On Sun, Feb 15, 2009 at 9:57 PM, Fons Adriaensen <fons(a)kokkinizita.net> wrote:
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
I find shorewall is the nicest way to go about this sort of thing. You
write some fairly straightforward configuration files describing your
setup and what you want to achieve, and it handles all the iptables
configuration for you. Easy to setup, easy to maintain, easy to modify
when your requirements change (if you want to do some port forwarding
etc.).
http://www.shorewall.net
- Steve
16 Feb
16 Feb
2:30 p.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
On Sun, 2009-02-15 at 23:08 +1100, Steve Lindsay wrote:
On Sun, Feb 15, 2009 at 9:57 PM, Fons Adriaensen
<fons(a)kokkinizita.net> wrote:
Second that, it's what we use. But I don't use it as a NAT gateway.
For an internal authenticated "guest" network for wired/wireless laptop
access + NAT for outgoing stuff we use chillispot
(http://www.chillispot.info/), you need two network interfaces and
chillispot manages a dhcp server for the internal side and tunneling to
go outside. Users see a "login screen" through any browser where they
can enter their account name and password and then they are granted
access to the network (I did use shorewall in the gateway machine to
manage firewalling). In our own machines I set up a static route to the
"internal" 192.x.x.x network so that laptops are reachable from our
linux workstations.
-- Fernando
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
I find shorewall is the nicest way to go about this sort of thing. You
write some fairly straightforward configuration files describing your
setup and what you want to achieve, and it handles all the iptables
configuration for you. Easy to setup, easy to maintain, easy to modify
when your requirements change (if you want to do some port forwarding
etc.).
http://www.shorewall.net
5:41 p.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
Thanks to all who responded !
[ Steve Lindsay ]
> I find shorewall is the nicest way to go about
this sort of thing. You
> write some fairly straightforward configuration files describing your
> setup and what you want to achieve, and it handles all the iptables
> configuration for you. Easy to setup, easy to maintain, easy to modify
> when your requirements change (if you want to do some port forwarding
> etc.).
>
> http://www.shorewall.net
[ Fernando ]
Second that, it's what we use. But I don't use
it as a NAT gateway.
For an internal authenticated "guest" network for wired/wireless laptop
access + NAT for outgoing stuff we use chillispot
(http://www.chillispot.info/), you need two network interfaces and
chillispot manages a dhcp server for the internal side and tunneling to
go outside. Users see a "login screen" through any browser where they
can enter their account name and password and then they are granted
access to the network (I did use shorewall in the gateway machine to
manage firewalling). In our own machines I set up a static route to the
"internal" 192.x.x.x network so that laptops are reachable from our
linux workstations.
The situtation here is somewhat different - the
internal network *is* trusted. All the computers
are in a single room, most of them even in the
same rack, and it's not a multi-user scenario.
Strict rules will be applied for anything coming
in from the outside to the router, but these are
essentially the same that would be applied to any
single machine.
I'll keep the higher level tools in mind for next
time. But since by now I've already learned to hack
iptables in order to accommodate some other special
requirements on the internal net, that's what I'm
going to do for the NAT as well - it's in fact a
lot simpler than what I imagined.
Ciao,
--
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O tu, che porte, correndo si ?
E guerra e morte !
15 Feb
15 Feb
10:02 a.m.
New subject: [ot] - NEED some security advise PLEASE! + new question
On Sunday 15 February 2009, Fons Adriaensen wrote:
On Sun, Feb 15, 2009 at 11:39:09AM +0100, Frank
Barknecht wrote:
Just one answer IMO, DD-WRT. Runs from a CF card in an adapter on the end of
a PATA cable.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Give all orders verbally. Never write anything down that might go into a
"Pearl Harbor File".
... And if it's a public server,
I'd rather not have anybody logging in through ssh who is not capable of
dealing with key logins. I disabled password logins through ssh on
my public machines.
That seems to be the best way to deal with it.
A weakly related OT question:
I need to set up a machine as a router. One side is
a fixed public IP address, the other side is a local
net using 192.168.1.x. I want to give internet access
to the machines on the local net, so this requires
(AFAIK) NAT. Anyone has a pointer to a good tutorial
about how to do this ?
TIA,
8:21 a.m.
Hi,
On Sunday 15 February 2009 11:39:09 Frank Barknecht wrote:
Arnold Krille hat gesagt: // Arnold Krille wrote:
In our university setup the only alternative to ssh/sftp would be pure ftp
(with their accounts and passwords), which is a no-go. Its hard enough to
teach them to set their ftp-program to use sftp...
And I once tried to use key-based authentication with winssh (or putty? can't
remember) and even I didn't succeed. How should I expect them to use it?
Have fun,
Arnold
From my experience using key-logins only helps
when you have only linux
users. Most windows people don't really understand the concepts of
security, public keys and such.
True, but for home-machines of Linux Audio freaks,
usually nobody from a
Windows machine needs to log in anyway. ;) And if it's a public server,
I'd rather not have anybody logging in through ssh who is not capable of
dealing with key logins. I disabled password logins through ssh on
my public machines.
5754
days inactive
5756
days old
linux-audio-dev@lists.linuxaudio.org
19 comments
12 participants
participants (12)
-
Arnold Krille -
Fernando Lopez-Lezcano -
Fons Adriaensen -
Frank Barknecht -
Gabriel M. Beddingfield -
Gene Heskett -
Julien Claassen -
Jörn Nettingsmeier -
Luis Garrido -
pete shorthose -
Steve Lindsay -
Sylvain HENRY