This is a discussion on Opening ports in my firewall within the Linux Security forums, part of the System Security and Security Related category.
Joe <joe@jretrading.com> wrote in news:qwvtaNEIVAEBFw5e@jretrading.com:
>>>> I fall into this camp. I have a LinkSys firewall with all ports
>>>> shutdown and set to timeout instead of reject. All except SSH
>>>> on port 22. How exposed am I? I see failed login attempts in
>>>> /var/log/messages almost daily. Should I be doing more to secure
>>>> my box (RH9)? I really like being able to ssh back home from work
>>>> so I'd rather leave the ssh port open.
>>>
>>> While you can't ever have perfect security without yanking out the
>>> modem/wireless/usb/whatever, it doesn't hurt to use additional
>>> defensive measures, i.e. "defense in depth".
>>
>> Agreed. So limiting open ports to just ssh is a step in the right
>> direction?
>
> Yes, certainly. While OpenSSH has had a few bugs in recent years, I
> believe none of them were remote exploits, i.e. someone has to get into
> a valid account first. If ssh is locked down, this should not be
> possible.

Excellent. I'm up2date on the ssh RPM so hopefully I'm okay.

>> Good question. My valid ssh connects are limited to a couple of domains
>> so I'll limit the acceptable domains to just those I know I use. I'll
>> have to read up on hosts.allow and how it pertains to incoming ssh.
>
> If you're allowing access to ssh only using iptables, as I would assume,
> you can also use iptables to limit the hosts allowed to connect. But use
> hosts.allow/deny as well. Finally, you can limit the users allowed to
> connect, in the sshd config file. Never allow root, and this has a
> separate config option.

I don't know if I am. I just enabled sshd and off I go. I'll attempt to
set hosts.deny to ALL:ALL and then allow the domains I trust via
hosts.allow. How would I check iptables in RedHat 9?

Thank you.

-- 
- Mark
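Mark's plan above (Joe's sshd lockdown plus a hosts.deny catch-all with trusted sources in hosts.allow) can be turned into a repeatable check rather than a one-off edit. The script below is an added example written for this page, not code from Joe, Mark or the forum. It writes constructed sample files to a scratch directory, never to /etc; the user name `mark`, the domain `.example.net` and the LAN `192.168.1.0/255.255.255.0` are placeholders, and `PermitRootLogin` is the "separate config option" for root that Joe refers to.

```bash
#!/bin/bash
# Added example for this thread (not code from Joe, Mark or the forum):
# audit an sshd_config for the lockdown Joe describes, and write the
# hosts.deny / hosts.allow pair Mark plans to use. All files below are
# CONSTRUCTED samples written to a scratch directory, never to /etc.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Effective value of an sshd_config keyword: first non-comment match wins,
# keyword matched case-insensitively, as sshd itself does. Prints nothing
# when the keyword is absent (i.e. the compiled-in default applies).
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # commented-out lines are not settings
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report which of the three recommended settings are missing or weak:
# root logins refused, password logins refused, and an explicit user list.
# Prints "OK" when all three are in place, otherwise "MISSING: <keywords>".
audit_sshd_config() {
    cfg="$1"
    findings=""
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] || findings="$findings PermitRootLogin"
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] || findings="$findings PasswordAuthentication"
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] || findings="$findings AllowUsers"
    if [ -z "$findings" ]; then echo "OK"; else echo "MISSING:$findings"; fi
}

# "yes" if hosts.deny in directory $1 carries the catch-all Mark intends to add.
tcpwrappers_default_deny() {
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1/hosts.deny" 2>/dev/null
    then echo yes; else echo no; fi
}

# CONSTRUCTED: a stock-looking file with the defaults left commented out,
# which means root logins and password logins are both still permitted.
cat > "$workdir/sshd_config.before" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# CONSTRUCTED: the same file after applying the thread's advice
# ("mark" is a placeholder account name).
cat > "$workdir/sshd_config.after" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers mark
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# CONSTRUCTED TCP-wrappers pair: refuse everything, then open sshd only
# to the trusted sources (placeholder domain and LAN, not real values).
printf 'ALL: ALL\n' > "$workdir/hosts.deny"
printf 'sshd: .example.net 192.168.1.0/255.255.255.0\n' > "$workdir/hosts.allow"

echo "before: $(audit_sshd_config "$workdir/sshd_config.before")"
echo "after:  $(audit_sshd_config "$workdir/sshd_config.after")"
echo "default deny in place: $(tcpwrappers_default_deny "$workdir")"
```

Pointed at the real /etc/ssh/sshd_config, `audit_sshd_config` answers Joe's checklist in one line; changes to that file take effect after `service sshd restart`. The hosts.allow/hosts.deny pair only does anything for sshd if it was built with TCP-wrappers support, which Red Hat's openssh-server package was. For Mark's last question, the rules iptables is currently enforcing are listed with `iptables -L -n -v` as root (`service iptables status` on Red Hat 9 shows the same), which is how to find out whether port 22 is open to everyone or only to the trusted addresses.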
On Tue, 03 Aug 2004 08:05:48 -0500, Harry Putnam, <reader@newsguy.com> wrote:
> "Walter Dnes (delete the 'z' to get my real address)" <wzaltdnes@waltdnes.org> writes:
>
> > 2) This may be a bit more painful, but consider accepting connections
> > only with DSA keys, and not allowing manual password logins.
> > Brute-forcing a DSA key is a helluva lot more difficult than a password.
>
> Walter, sorry to butt in here but, I've wondered about password method
> for a while and your post started to get to the crux of it.
>
> Can you spell the above method out a little. I guess you mean the
> method where you exchange id_dsa.pub keys and keep them in an
> authorized_keys file right? But how is this limiting done?

More details in "man sshd_config". To disable logins via typing in the
password, make the following entry in /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

> But that would assume you always know in advance what machine you
> will be sshing in from (or at least a group of possible machines).
> So that would be pretty much the same as using /etc/hosts.allow
> it seems.
>
> In a situation where one may ssh in from machines unknowable in
> advance, is there really any other technique than password?

Once you have the keys set up on one machine, so that you can log in
from it, copy the ~/.ssh directory to a floppy or usb key. Go over to
the new machine you want to log in from and depending on your paranoia

- copy the .ssh directory to the new machine, if you control it, or
- mount the floppy (or usb key) and use ssh with the "-i" parameter to
  point to a non-default location for your ssh DSA (or RSA) key

Note that ssh is paranoid about permissions for the files. The .ssh
directory has to be "chmod 700" and the files in it "chmod 600". One of
the files doesn't need that, but rather than trying to remember which
one, I just keep them all owner-only for access. I use a floppy for
this. I have an old Win98SE machine for multimedia sites that insist on
WMP and IE.

My backup procedure is to boot the Windows machine from a Knoppix CD.
My floppy has a script that does the appropriate ifconfig and route
commands as well as setting up the ~/.ssh directory. I then back up C:
like so...

dd if=/dev/hda1 | ssh -2 waltdnes@192.168.123.250 'cat - > win98_c'

If C: ever gets infected, I can blow it away and restore in the other
direction from a clean snapshot. I can loop-mount the drive image on the
linux machine if I only want one or two files.

And if you're going to be accessing from another IP address, do remember
to poke appropriate holes in hosts.allow and iptables. If you're coming
in from anywhere, that means allowing from all IP addresses.

> If one uses a good password wouldn't a dictionary attack take a very
> long time? And with ssh only allowing 3 login attempts at a time, you
> could be talking wks of effort. Or is there some other way with ssh
> password auth that is a quicker crack.

Password authentication uses your regular login password, which can be
discovered in other ways. DSA-key authentication will still work even if
an attacker discovers your regular password.

I just noticed a message in news.admin.net-abuse.email...

-> Subject: [OT] SSH Password Guessing Script Running
-> Message-ID: <Ma-dnav_2KeLSZPcRVn-pg@comcast.com>
->
-> Noticed the first attempt a few weeks ago trying for user names guest
-> and test. If you're running SSH this script is searching for you and
-> trying for easily guessable passwords. Probably coming from already
-> owned/rooted machines. Here are some excerpts from my security log
-> that alerted me. If you have SSH running it's probably a good idea
-> to make sure you don't have the user name guest or test and it will
-> quickly give up.
->
-> Jul 16 08:42:07 admin sshd[19542]: Illegal user test from 62.100.21.188
-> Jul 16 08:42:08 admin sshd[19562]: Illegal user guest from 62.100.21.188
-> Jul 22 04:14:34 admin sshd[3446]: Illegal user test from 64.230.97.170
-> Jul 22 04:14:34 admin sshd[3448]: Illegal user guest from 64.230.97.170
-> Jul 23 18:48:49 admin sshd[1167]: Illegal user test from 211.23.151.74
-> Jul 23 18:48:49 admin sshd[1169]: Illegal user guest from 211.23.151.74
-> Aug 2 16:03:36 admin sshd[6539]: Illegal user test from 66.98.186.87
-> Aug 2 16:03:36 admin sshd[6542]: Illegal user guest from 66.98.186.87

> Also, is it possible to limit incoming ssh to a particular username?
> And that user ends up in a chroot jail or something. Needing yet
> another password (root's) to do damage.

If you have "PasswordAuthentication no", then the only accounts you can
log into are those with a ~/.ssh directory containing your public key.
Even with password authentication, there is an "AllowUsers" option (see
"man sshd_config") that can restrict which accounts are allowed to
accept ssh logins. If you give someone a shell account, then they can
use "su" or some form of privilege-escalation attack if they're hostile.

-- 
Walter Dnes; my email address is *ALMOST* like wzaltdnes@waltdnes.org
Delete the "z" to get my real address. If that gets blocked, follow
the instructions at the end of the 550 message.
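The log excerpt Walter quotes is the kind of signal worth summarising rather than reading line by line, and his "make sure you don't have guest or test" advice is easy to check mechanically. The script below is an added example written for this page, not code from Walter or the forum. The log lines and passwd entries it writes are constructed, modelled on the format in the excerpt above, using documentation-only addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the function names are this example's own.

```bash
#!/bin/bash
# Added example for this thread (not code from Walter or the forum):
# summarise sshd probing in a syslog-style file, the way one would read
# the excerpt Walter quoted, and check for the easily guessed account
# names he warns about. The log lines and passwd entries below are
# CONSTRUCTED, modelled on that excerpt, using documentation-only
# addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

logfile=$(mktemp)
passwdfile=$(mktemp)
trap 'rm -f "$logfile" "$passwdfile"' EXIT

cat > "$logfile" <<'EOF'
Jul 16 08:42:07 admin sshd[19542]: Illegal user test from 192.0.2.10
Jul 16 08:42:08 admin sshd[19562]: Illegal user guest from 192.0.2.10
Jul 16 08:42:09 admin sshd[19570]: Failed password for illegal user admin from 192.0.2.10 port 4122 ssh2
Jul 22 04:14:34 admin sshd[3446]: Illegal user test from 198.51.100.7
Jul 22 04:14:34 admin sshd[3448]: Illegal user guest from 198.51.100.7
Jul 22 09:30:01 admin sshd[3500]: Accepted publickey for mark from 203.0.113.5 port 51022 ssh2
Aug  2 16:03:36 admin sshd[6539]: Illegal user test from 192.0.2.10
EOF

# CONSTRUCTED passwd-format file: one of the two names the script tries exists.
cat > "$passwdfile" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mark:x:500:500::/home/mark:/bin/bash
test:x:501:501::/home/test:/bin/bash
EOF

# Rejected attempts per source address, busiest first ("<count> <addr>").
# Matches both the "Illegal user NAME from ADDR" wording of the OpenSSH
# release quoted in the thread (newer releases say "Invalid user") and
# "Failed password ... from ADDR"; successful logins are not counted.
probes_by_source() {
    awk '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user / || /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' "$1" | sort -rn
}

# Account names tried against non-existent users, busiest first.
usernames_tried() {
    awk '
        /sshd\[[0-9]+\]: (Illegal|Invalid) user / {
            for (i = 1; i <= NF; i++) if ($i == "user") { count[$(i + 1)]++; break }
        }
        END { for (u in count) printf "%d %s\n", count[u], u }
    ' "$1" | sort -rn
}

# Sources that reached the threshold: candidates for a hosts.deny entry or
# an iptables DROP rule once someone has confirmed they are not a typo-prone
# colleague. $1 = log file, $2 = minimum attempt count.
noisy_sources() {
    probes_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# The guessable names Walter says to make sure you do not have.
# $1 = a passwd-format file; prints each offending name that exists.
guessable_accounts() {
    awk -F: '$1 == "guest" || $1 == "test" { print $1 }' "$1"
}

echo "attempts by source:";   probes_by_source "$logfile"
echo "names tried:";          usernames_tried "$logfile"
echo "sources over 3:";       noisy_sources "$logfile" 3
echo "guessable accounts:";   guessable_accounts "$passwdfile"
```

On a real box, point `probes_by_source` at the file your syslog sends sshd messages to (/var/log/messages in Mark's case; Red Hat's default syslog.conf puts authpriv messages in /var/log/secure) and `guessable_accounts` at /etc/passwd. The "Failed password" lines only appear while password authentication is enabled; once `PasswordAuthentication no` is in place, as Walter recommends, the probes still show up as "Illegal user" entries, so the per-source count remains useful for deciding what to block in hosts.deny or iptables.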