
ssh security questions


JimR
Jun 14, 2008, 3:59:25 PM
Hi all. I am running 2008.1 with all patches.

I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
connecting to SSH. Since nobody else is allowed to use SSH except me
from another machine (and no other machine is turned on right now), I am
concerned.

I am confused because in the firewall config, I selected the option to
"Log firewall messages in system logs". I cannot find these items logged
anywhere. I have checked /var/logs/messages, auth, system, warning,
etc., etc. Where are they hiding?

2nd part of this question - I have disabled ssh and sshd and
sshd-xinetd in the system services menu (stopped, on-boot unchecked,
start-when requested unchecked) and only turn them on when I need to
use them. Does that keep me fairly safe from ssh hackers?

Thanks,

JimR

Bit Twister
Jun 14, 2008, 5:01:31 PM
On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:
> Hi all. I am running 2008.1 with all patches.
>
> I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
> connecting to SSH. Since nobody else is allowed to use SSH except me
> from another machine (and no other machine is turned on right now), I am
> concerned.

Popups are from the fact that you did not disable interactive firewall
in the firewall setup section.

> I am confused because in the firewall config, I selected the option to
> "Log firewall messages in system logs". I cannot find these items logged
> anywhere. I have checked /var/logs/messages, auth, system, warning,
> etc., etc. Where are they hiding?

Guessing you would see them by doing a
grep Shorewall /var/log/messages

That should work at about any time except just after Sunday around 4am,
or any Sunday you log in if you installed anacron.

If so, then
zcat /var/log/messages*.gz | grep Shorewall would show messages
which are compressed.


> 2nd part of this question - I have disabled ssh and sshd and
> sshd-xinetd in the system services menu (stopped, on-boot unchecked,
> start-when requested unchecked) and only turn them on when I need to
> use them. Does that keep me fairly safe from ssh hackers?

Fairly safe.

Your firewall is your defence from attack attempts from the Internet.
Most of those will be from script kiddies.
Your black hats are trying to exploit systems via the applications
you execute on your system when browsing.

Common attacks there are from java/javascript.

Your first line of defense solution to those would be adding the
NoScript Add On to Firefox.

To reduce the window of exploit opportunity via cracked ad/web servers,
I would recommend privoxy.
Another point of entry to close is disable Universal Plug and Play in
your router if it has one. Then add your router to privoxy's user.action file.

========================================================================
privoxy.txt version 2.1

Crackers are cracking systems and routers from application's data
files like Realplayer, flash, Internet Explorer,... running on the pc using
java, javascript, activeX, silverlight, etc.

They have cracked ad servers to distribute/run malware.

I hard code Opendns.org nameservers on the pc just in case my router gets
cracked and black hat DNS IPs get set. Opendns also blocks known
malware sites.

Opendns nameservers are 208.67.222.222 and 208.67.220.220.
See https://www.opendns.com

javascript malware runs on linux and micro$oft and may be used to
crack your router. Latest jre from java.sun.com installs a jexec
linux service/daemon to allow java to execute. I disabled that pretty quick.


http://www.haveyougotwoods.com/archive/2008/01/15/common-home-router-exploit-upnp-enabled-routers-only.aspx

I suggest installing privoxy and the NoScript Add On in Firefox.

Details of hijacked 24/7 ad server emerge
http://www.networkworld.com/news/2007/102207-details-of-hijacked-247-ad.html

“In mid-year 2007, studies showed there were nearly 30,000 new
infected web pages being created every day."
http://finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

Shape-shifting malware hits the web
http://itnews.com.au/News/76128,shapeshifting-malware-hits-the-web.aspx

I suggest using privoxy to block ads. http://www.privoxy.org/
and access to your router from the pc.

If you want to play with privoxy, Mandriva Linux install instructions here
http://groups.google.com/group/alt.os.linux.mandriva/msg/a76245f3f5fab041
has a bunch of sites already added to +block in user.action.
You may want to add your router's ip under { +block } to prevent malware
cracks of your router while surfing.

Another extensive action file found here
http://www.neilvandyke.org/privoxy-rules/

Adding NoScript Add On to firefox http://noscript.net/getit
It's Options --> Advanced Untrusted
lets you set a few restrictions for Untrusted Sites.
I have all boxes checked for Untrusted sites.

#***************** start privoxy.txt *********************************

click up a terminal

su - root
urpmi --wget privoxy --auto

You might consider getting a copy of my user.actions:
cp /etc/privoxy/user.action /etc/privoxy/user.action_orig
Copy my user.aciton script into /etc/privoxy/user.action from
http://groups.google.com/group/alt.os.linux.mandriva/msg/a76245f3f5fab041

You may want to add your router's ip under { +block }
in /etc/privoxy/user.action to prevent malware cracks of your router
while surfing.

service privoxy restart
exit
exit

In firefox,
Edit->Preference->Advanced
Click Network tab
Connection
Settings button

click Manual proxy configuration:
HTTP Proxy: 127.0.0.1 Port: 8118
SSL Proxy: 127.0.0.1 Port: 8118
Be sure to clear the "No Proxy for" box
Click OK
Click Close

#********************* end privoxy.txt **************************

I'll recommend not using Internet Explorer or Outlook Express.
Use third party apps. Firefox, Thunderbird for example.

I strongly recommend Firefox with the NoScript Add On.
Black Hats are using a lot of Java* tricks to exploit systems.

My NoScript Option settings.
General
check box Left clicking on NoScript toolbar button
Radio button Base 2nd level Domains
check box Automatically reload affected pages when permissions change
Whitelist
I added file:// for my local index.html file
Plugins
All boxes checked except Collapse blocked objects
Appearance
No changes by me.
Notifications
Everything checked except Audio Feedback
Did set Hide After at 5 seconds
Advanced
Untrusted
Everything checked except Hide <NOSCRIPT>elements
Trusted
Only have Show the <NOSCRIPT> element which follows a blocked <SCRIPT>
XSS
both boxes checked and removed all exceptions.
Black Hats are using google links to inject malware links.
JAR
checkbox Block JAR remote resources being loaded as documents
Left jar:https://samples\.noscript\.net/sample_apps.jar string alone.
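The "grep Shorewall /var/log/messages" advice above, as an added example that is not part of the original post. Shorewall logs through the kernel LOG target, so its lines look like `kernel: Shorewall:net2fw:DROP:IN=eth0 ... SRC=a.b.c.d ... PROTO=TCP ... DPT=22`, and only rules that carry a log level (normally DROP/REJECT, not ACCEPT) write anything at all. The function below reads the live file plus logrotate's compressed copies, keeps the TCP entries aimed at the ssh port and counts them per source address and action, which is the question JimR is actually asking. The sample log lines are constructed, not from any real host; the host name, zone name and addresses are made up.

```shell
#!/bin/sh
# Summarise Shorewall firewall log lines aimed at the ssh port: what a grep for
# "Shorewall" in /var/log/messages shows, grouped by source address and action,
# and including logrotate's compressed copies.
# Usage: shorewall_ssh_hits /var/log/messages /var/log/messages*.gz
# Output: "<count> <src_ip> <action>", most frequent first.
shorewall_ssh_hits() {
    port="${SSH_PORT:-22}"           # set SSH_PORT if sshd listens elsewhere
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;    # rotated, compressed log
            *)    cat -- "$f" ;;
        esac
    done |
    awk -v port="$port" '
        /Shorewall:/ {
            act = src = dpt = proto = ""
            for (i = 1; i <= NF; i++) {
                # netfilter prefix field is "Shorewall:<chain>:<action>:IN=..."
                if ($i ~ /^Shorewall:/) { split($i, p, ":"); act = p[3] }
                else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (proto == "TCP" && dpt == port && src != "")
                hits[src " " act]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Constructed sample lines (not from a real host) so the function can be run
# offline; they follow the netfilter LOG format Shorewall produces.
shorewall_ssh_hits_demo() {
    d="$(mktemp -d)" || return 1
    cat > "$d/messages" <<'EOF'
Jun 14 15:58:01 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=207.0.2.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4711 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:58:03 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=207.0.2.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4712 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:58:09 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 15:58:12 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.5 LEN=229 TOS=0x00 PREC=0x00 TTL=44 ID=10 PROTO=UDP SPT=1900 DPT=1900 LEN=209
Jun 14 15:58:15 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=77 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 15:59:20 mdv sshd[2231]: Accepted publickey for jim from 192.168.1.7 port 50122 ssh2
EOF
    # a rotated copy, as logrotate leaves it
    printf '%s\n' \
'Jun 13 04:01:10 mdv kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=78 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0' \
'Jun 13 04:02:44 mdv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=207.0.2.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4000 DF PROTO=TCP SPT=43000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0' \
        | gzip -c > "$d/messages.1.gz"
    shorewall_ssh_hits "$d/messages" "$d/messages.1.gz"
    rm -rf "$d"
}
```

On the sample data the demo prints three lines, with `3 207.0.2.10 DROP` first: the same address hit the ssh port twice in the live file and once in the rotated one, while the UDP probe and the port 80 probe are ignored. Run it as root against the real files (`shorewall_ssh_hits /var/log/messages /var/log/messages*.gz`); an empty result with the interactive popups still appearing means the rules are not logging, not that nothing is connecting.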

lordy
Jun 14, 2008, 6:04:39 PM
On 2008-06-14, JimR <kd1...@notmyemail.com> wrote:
> Hi all. I am running 2008.1 with all patches.
>
> 2nd part of this question - I have disabled ssh and sshd and
> sshd-xinetd in the system services menu (stopped, on-boot unchecked,
> start-when requested unchecked) and only turn them on when I need to
> use them. Does that keep me fairly safe from ssh hackers?

To be safe from hackers using ssh.. I think ..

1) Make sure you always get and apply the latest security updates immediately.
(as you seem to do)
2) Make sure root cant log in.
3) Make sure every account on your server either disallows login or has
a strong password. (or maybe force certificate logins only and keep
certificate somewhere handy, personally I dont do this.)
4) If possible run sshd on a high port. (A bit of security via obscurity,
but I've found it very effective personally. There is usually no
activity at all on the port I use unless it's me.)

My sshd server is on about 90% of the time, and I've never noticed
anyone sniffing around it when I've looked in the logs.
(Although maybe I should set up some IDS to be on the safe side). Good
point..

5) Install an IDS package of some kind.
6) Look at port triggering/port knocking (some people think it adds no
additional security , others love it)

Lordy

dnoyeB
Jun 14, 2008, 8:19:40 PM
On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:

Just pick a new port. When I used standard port I got brute forced all
the time. Also I disabled passwords and only use keys. And no root login.


CL
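The hardening points from the two replies above (no root login, keys instead of passwords, sshd moved off port 22), as an added example rather than anything posted in the thread: a small POSIX sh audit of an sshd_config. It models one rule the thread does not mention but which bites here: OpenSSH keeps the first value it reads for each keyword, so a "PermitRootLogin no" appended below a distribution's "PermitRootLogin yes" does nothing. It also checks ChallengeResponseAuthentication, because with PAM in use "PasswordAuthentication no" alone still allows password prompts through keyboard-interactive. The two sample configs are constructed and the function names are mine.

```shell
#!/bin/sh
# Audit an sshd_config against: no root login, no password logins (keys only),
# sshd off port 22.  Two things a quick eyeball misses and the checks model:
#  * OpenSSH keeps the FIRST value it reads for a keyword.
#  * "PasswordAuthentication no" alone still lets PAM prompt for a password via
#    keyboard-interactive unless ChallengeResponseAuthentication is also "no".
# Match blocks are not evaluated here; on a live host compare with `sshd -T`.

# sshd_effective FILE KEYWORD DEFAULT -> first value set in FILE, else DEFAULT
sshd_effective() {
    v="$(awk -v key="$2" '
        tolower($1) == "match"      { exit }          # per-host/user overrides start here
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ' "$1")"
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> one line per check; returns 1 if anything is weak
audit_sshd_config() {
    f="$1"; bad=0
    root="$(sshd_effective "$f" PermitRootLogin yes)"
    pass="$(sshd_effective "$f" PasswordAuthentication yes)"
    cra="$(sshd_effective "$f" ChallengeResponseAuthentication yes)"
    port="$(sshd_effective "$f" Port 22)"

    case "$root" in
        no) echo "ok   PermitRootLogin $root" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "note PermitRootLogin $root (key-only root; 'no' is stricter)" ;;
        *)  echo "WEAK PermitRootLogin $root (set PermitRootLogin no)"; bad=1 ;;
    esac
    if [ "$pass" = no ] && [ "$cra" = no ]; then
        echo "ok   PasswordAuthentication no, ChallengeResponseAuthentication no"
    elif [ "$pass" = no ]; then
        echo "WEAK ChallengeResponseAuthentication $cra (PAM can still take passwords; set no)"; bad=1
    else
        echo "WEAK PasswordAuthentication $pass (set no and use keys)"; bad=1
    fi
    if [ "$port" = 22 ]; then
        echo "WEAK Port 22 (default port draws the brute-force noise)"; bad=1
    else
        echo "ok   Port $port (off 22; cuts noise, not a substitute for the checks above)"
    fi
    return $bad
}

# Constructed configs (not from any real host) to exercise the audit.
audit_demo_weak() {
    d="$(mktemp -d)" || return 1
    cat > "$d/sshd_config" <<'EOF'
# distribution defaults left in place, hardening line appended too late
Protocol 2
PermitRootLogin yes
X11Forwarding yes
PermitRootLogin no
EOF
    audit_sshd_config "$d/sshd_config"; rc=$?
    rm -rf "$d"; return $rc
}

audit_demo_hardened() {
    d="$(mktemp -d)" || return 1
    cat > "$d/sshd_config" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
    audit_sshd_config "$d/sshd_config"; rc=$?
    rm -rf "$d"; return $rc
}
```

The weak demo reports all three checks as WEAK even though the file ends with "PermitRootLogin no", because the earlier "yes" is the one sshd uses; the hardened demo passes. Run `audit_sshd_config /etc/ssh/sshd_config` on the box, then restart sshd and confirm from the other machine that a password prompt is no longer offered.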

Scott B.
Jun 15, 2008, 12:30:27 AM
Bit Twister wrote:
> #***************** start privoxy.txt *********************************
>
> click up a terminal
>
> su - root
> urpmi --wget privoxy --auto
>
> You might consider getting a copy of my user.actions:
> cp /etc/privoxy/user.action /etc/privoxy/user.action_orig

> Copy my user.aciton script into /etc/privoxy/user.action from

Bit Twister, there is a typographical error in the line above:
user.aciton -> user.action

Also, I noticed there was no reference to Neil Van Dyke's Privoxy
action file in your privoxy.txt. I don't care very much whether
there is or not, but sometimes I notice things while reading, so I
mentioned it in case the omission was inadvertent.

Bit Twister
Jun 15, 2008, 4:10:35 AM
On Sat, 14 Jun 2008 21:30:27 -0700, Scott B. wrote:
>
> Bit Twister, there is a typographical error in the line above:
> user.aciton -> user.action

Fixed, thank you.

> Also, I noticed there was no reference to Neil Van Dyke's Privoxy
> action file in your privoxy.txt.

Yes there was about line 48.

JimR
Jun 15, 2008, 11:45:42 PM
Bit Twister wrote:
>
> On Sat, 14 Jun 2008 15:59:25 -0400, JimR wrote:
>> Hi all. I am running 2008.1 with all patches.
>>
>> I occasionally see a pop-up from the firewall such as IP 207.xx.xx.xx is
>> connecting to SSH. Since nobody else is allowed to use SSH except me
>> from another machine (and no other machine is turned on right now), I am
>> concerned.
>
> Popups are from the fact that you did not disable interactive firewall
> in the firewall setup section.
>
>> I am confused because in the firewall config, I selected the option to
>> "Log firewall messages in system logs". I cannot find these items logged
>> anywhere. I have checked /var/logs/messages, auth, system, warning,
>> etc., etc. Where are they hiding?
>
> Guessing you would see them by doing a
> grep Shorewall /var/log/messages
>
{snip}
That was pretty much the point of my first question. Those messages are
*not* appearing in /var/log/messages. grep Shorewall /var/log/messages
yields nothing. Nor is there anything logged at all under anything in
/var/log/*

Thanks,
JimR

Bit Twister
Jun 16, 2008, 1:23:52 AM
On Sun, 15 Jun 2008 23:45:42 -0400, JimR wrote:

> That was pretty much the point of my first question. Those messages are
> *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
> yields nothing. Nor is there anything logged at all under anything in
> /var/log/*

Well, had you done a grep shorewall /var/log/messages they would not
show up. I was just checking.

I now have to guess Shorewall is not running. Let's get some facts to
work with.

click up a terminal, and show us the output from the following:

su - root
chkconfig --list shorewall
echo $SECURE_LEVEL

David W. Hodgins
Jun 16, 2008, 1:44:49 AM
On Sun, 15 Jun 2008 23:45:42 -0400, JimR <kd1...@notmyemail.com> wrote:

> That was pretty much the point of my first question. Those messages are
> *not* appearing in /var/log/messages. grep Shorewall /var/log/messages
> yields nothing. Nor is there anything logged at all under anything in

The grep command is case sensitive (without the -i option). Try copying
and pasting "grep Shorewall /var/log/syslog" and see if that shows anything.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

JimR
Jun 17, 2008, 12:49:31 AM

OK, let's simplify this.

I inspect the log with tail /var/log/messages .

I go to the other computer and perform ssh from there to the Mandriva
machine. On the Mandriva machine, I see the interactive popup stating
that the other computer is connecting to ssh.

I inspect the log again with tail /var/log/messages.

There are *no new entries* since the time 15 seconds ago when I
inspected it. Nor in any of the other logs under /var/logs/* .

So when I check the box in MCC that says to log firewall messages to
system logs, and it apparently does nothing, is this a bug in MCC?

Thanks,

JimR

PS - to answer your suggestions, here is the output.

[root@xxxxxx log]# chkconfig --list shorewall
shorewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@xxxxxx log]# echo $SECURE_LEVEL
2
[root@xxxxxx log]#

Bit Twister
Jun 17, 2008, 1:15:31 AM
On Tue, 17 Jun 2008 00:49:31 -0400, JimR wrote:
>
> OK, let's simplify this.
>
> I inspect the log with tail /var/log/messages .

As an fyi, you can use tail -f /var/log/messages to watch the log in
real time. Ctrl-C to abort the tail -f.


> I go to the other computer and perform ssh from there to the Mandriva
> machine. On the Mandriva machine, I see the interactive popup stating
> that the other computer is connecting to ssh.

Normally allowed connects are not logged.

> So when I check the box in MCC that says to log firewall messages to
> system logs, and it apparently does nothing, is this a bug in MCC?

Mine logs so we will need to drill farther into what you have.

> [root@xxxxxx log]# chkconfig --list shorewall
> shorewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off
> [root@xxxxxx log]# echo $SECURE_LEVEL
> 2

Ok, I run 3 with interactive off.

get back into your root terminal and show us the output from the following:

cd /etc/shorewall

grep -i log *

service shorewall restart

grep -v '#' rules

cat rules.drakx
