[ILUG] Breakins attempted - advice please
Ivan Griffin
ivan at skynet.ie
Wed Aug 27 13:14:01 IST 2008
Hi John,
All externally visible internet hosts are subject to port scans and
automated brute-force login attempts via SSH/HTTPS/other common services,
via bots - especially in the wake of the Debian OpenSSL weak key issue.
Restricting logins via IP is a very powerful means of protecting yourself
- and probably second on the priority list after only running
secure, encrypted services. The 3-way TCP handshake makes it very
difficult for people to reliably spoof an IP address within a TCP
connection - unless they have infiltrated an ISP somewhere.
Third would be to change off the default ports - I'm pretty sure port 22
receives more than its fair share of automated SSH cracks - likewise with
443 for HTTPS.
Obviously, the fewer services that are running the better, particularly
the fewer that are exposed (via firewall rules or otherwise) externally.
The American spooks have some reasonable basic security guidelines
available at:
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf
(They have an extended list, which covers other OSes also:
http://www.nsa.gov/snac/downloads_all.cfm )
A product which may be of interest is
http://www.yubico.com/products/yubikey/
It is a USB key that acts as a keyboard HID device - you select your
password field, then press a button on the key, and voila - a one-time
password is used to authenticate you.
My understanding is that there is an open-source PAM module available
for it for use with Linux.
Best Regards,
Ivan
On Wed, 27 Aug 2008, John Kinsella wrote:
> Hi,
> no flames please!
>
> I'm being regularly subjected to what appear to auth.log (and me) to be
> attempted breakins on my office desktop machine (Ubuntu Hardy Heron with
> Firestarter firewall)
> e.g.
>
> ==============8<===========
> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68 user=root
> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 200.78.212.68 port 34256 ssh2
> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68] failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 200.78.212.68
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass; user unknown
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68
> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user magazine from 200.78.212.68 port 34486 ssh2
> ==============8<===========
>
> I'd like to keep sshd running so I can log in from home.
>
> Other than changing firewall settings to block all but my ISP's IP addresses
> for access via ssh, is there anything else that I should be looking at?
>
> Thanks
>
> John
>
> --
> John A. Kinsella Ph: +353-61-202148 (Direct)
> +353-61-333644 x 2148 (Switch)
> Mathematics Dept. e-mail: John.Kinsella at ul.ie
> University of Limerick FAX: +353-61-334927
> IRELAND Web: http://jkcray.maths.ul.ie
>
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>
>
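The two halves of this exchange, John's question of how to read those auth.log lines and Ivan's advice to let only his ISP's addresses reach sshd, as an added example that is not part of the thread or of any tool it mentions. The log lines below are constructed to match the format John quoted; 200.78.212.68 is the scanner from his post, while 203.0.113.7 and the block 203.0.113.0/24 (RFC 5737 documentation addresses) are placeholders for his home address and his ISP's range. The failure threshold of 3 is an arbitrary choice. One point the parser comments on: the "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT!" line only records that the scanner's PTR name does not resolve back to its address, so it adds nothing to the "Failed password" lines beside it.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample, modelled on the auth.log lines quoted in the thread (not a real capture).
# 200.78.212.68 is the scanner seen in the original post; 203.0.113.7 (RFC 5737 documentation
# range) stands in for the poster's home address, assumed to sit in the ISP block 203.0.113.0/24.
SAMPLE_LOG = """\
Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68 user=root
Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 200.78.212.68 port 34256 ssh2
Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 200.78.212.68
Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user magazine from 200.78.212.68 port 34486 ssh2
Aug 27 11:57:01 jkcray sshd[15670]: Failed password for invalid user oracle from 200.78.212.68 port 34501 ssh2
Aug 27 11:57:03 jkcray sshd[15672]: Failed password for root from 200.78.212.68 port 34510 ssh2
Aug 27 12:01:10 jkcray sshd[15690]: Failed password for john from 203.0.113.7 port 51020 ssh2
Aug 27 12:01:15 jkcray sshd[15690]: Accepted password for john from 203.0.113.7 port 51020 ssh2
"""

# Placeholder for "my ISP's IP addresses" from the original question.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from " + IPV4 + r" port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from " + IPV4 + r" port \d+ ssh2")


@dataclass
class HostStats:
    failed: int = 0
    accepted: int = 0
    users: set = field(default_factory=set)
    invalid_users: set = field(default_factory=set)


def parse_auth_log(text):
    """Aggregate sshd outcomes per source address.

    Only 'Failed password' and 'Accepted' lines are counted: the pam_unix line duplicates
    the failure, and the 'reverse mapping ... POSSIBLE BREAK-IN ATTEMPT' line only records
    a PTR/forward DNS mismatch, which by itself says nothing about an attack.
    """
    stats = {}
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.groups()
            s = stats.setdefault(ip, HostStats())
            s.failed += 1
            s.users.add(user)
            if invalid:
                s.invalid_users.add(user)  # account does not exist: a guessed name, not a typo
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            s = stats.setdefault(ip, HostStats())
            s.accepted += 1
            s.users.add(user)
    return stats


def is_allowed(ip, allowed_nets=ALLOWED_NETS):
    """The same decision a source-restricted firewall rule makes: is the address trusted?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def offenders(stats, threshold=3, allowed_nets=ALLOWED_NETS):
    """Untrusted sources with at least `threshold` failures, worst first.

    Trusted sources are never listed, so a mistyped password from home cannot
    lead to blocking the one address the owner relies on.
    """
    bad = [(ip, s) for ip, s in stats.items()
           if s.failed >= threshold and not is_allowed(ip, allowed_nets)]
    return sorted(bad, key=lambda item: item[1].failed, reverse=True)


def allowlist_rules(allowed_nets=ALLOWED_NETS, port=22):
    """iptables form of the 'only my ISP may reach sshd' policy from the reply.

    Assumes a hand-managed INPUT chain. Firestarter keeps its own rule set, so on the
    poster's box the equivalent would be entered through its policy settings instead.
    """
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in allowed_nets]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_LOG)
    for ip, s in offenders(stats):
        print(f"{ip}: {s.failed} failures, accounts tried {sorted(s.users)}, "
              f"non-existent accounts {sorted(s.invalid_users)}")
    for rule in allowlist_rules():
        print(rule)
```

Run against a real /var/log/auth.log the same parser works unchanged; only the constructed sample and the placeholder network need replacing. The allowlist is deliberately consulted before any blocking decision, which is the order that matters in practice: a scanner with thousands of failures is a nuisance, but a rule that locks out the owner's own ISP is the real outage.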