[K12OSN] reporting and/or stopping cracking attempts on server

Terrell Prude' Jr. microman at cmosnetworks.com
Fri Mar 18 17:19:26 UTC 2011


Not sure what the "keep it civil" comment was for, as I do not believe I 
was "uncivil".

But anyway....

Moving ports around unfortunately doesn't work, due to SSH-specific port 
scanners that can easily and quickly scan all 65,536 TCP ports.  I tried 
that myself on a test box as an experiment, and the result was all sorts 
of attack attempts within a week of standing up the server.  Everything 
but that specific port was blocked coming in.  Of course, I had hardened 
the box so that such attacks would be exceedingly unlikely to succeed, 
and none did, but the point is that the attackers still found my SSH 
daemon with the port moved (no, not something obvious like TCP 222, 
2222, 31337, or similar).

On the other hand, blocking pings is not what I'd call security through 
obscurity.  That's because there are actual attacks against boxes that 
use ICMP (e. g. Ping of Death from the 1990's, and there may be other, 
newer ones).  For this reason, the typical system cracker that I 
encounter now assumes that ping will be blocked and simply does a TCP 
port scan without bothering to ping first.

Instead, I would consider setting up a "honey-pot" decoy box on another 
IP address in that same subnet (preferably one that comes "before" the 
real box due to the way most people port-scan, e. g. the honey-pot would 
be a.b.c.99 and the real box a.b.c.100), running a pseudo SSH daemon, 
kinda-sorta like how the OpenBSD project does with SMTP and their 
excellent SPAMD program.  Have that decoy box configured to email you 
whenever there is an attack against it, so that you can take action or 
trigger a script on the "real" box to do an "iptables -A INPUT -s 
w.x.y.z -j DROP" on the attacking IP address.  Naturally, the honey-pot 
decoy needs to be very well hardened if it's going to talk to the real 
box like this.

--TP


David L. Willson wrote:
> This discussion might deserve to be had if we can keep it civil, and I suppose we can.
>
> There are two major "security through obscurity" maneuvers I approve of:
>
>  - Decline ping
>  - Move ssh to a non-default port
>
> Both are intended to evade attack by the 99%, and both are proven effective over time on many hosts.
>
> When you say that "security through obscurity is no security at all", what do you mean? I heard those words many, many years ago, and accepted them verbatim for a time, and took them to mean that a secure host would be secure "no matter what". I pictured in my mind, a hardened, shining server gleaming in a field of rampaging orcs, impervious to their blows. Over time I realized that being obvious, by replying to pings, running ssh on the default port, returning service version numbers, etc. encourages attacks, and makes them more frequent, and that responding to attacks takes up valuable bandwidth, mine and the server's. I came gradually to think that not being attacked might be a valuable part of good security, and that therefore obscuring the target might be a perfectly acceptable way to throw off the enemy's archers, so to speak.
>
> I suppose you may have heard that perspective, too, and I wonder what you think of it.
>
> For me, obscurity actually ~is~ a valuable part of security.
>
> David L. Willson
> Trainer, Engineer, Enthusiast
> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
> tel://720.333.LANS
> Freedom is better when you earn it. Learn Linux.
>
> ----- "Terrell Prude' Jr." <microman at cmosnetworks.com> wrote:
>
>   
>> Moving SSH to a nonstandard port has been suggested.  I disagree with
>>
>> that, because, as an INFOSEC engineer, I've learned over the years
>> that 
>> security through obscurity is no security at all.  I'm in a similar 
>> situation with a Debian box that I run at work, also accessible from
>> the 
>> Internet.
>>
>> What I do is packet-filter the daylights out of it and use fail2ban 
>> (looks like you are, too--very good).  I like the concept of DenyHosts
>> a 
>> lot, and I believe that fail2ban is the improved version of that 
>> concept, since it uses iptables, thus preventing the "bad" packets
>> from 
>> ever getting to any daemon in the first place.  Reduce your total
>> login 
>> attempts to 3, and block that offending IP address for a month.
>>
>> Now, that said....
>>
>> Personally, I wouldn't be running all that stuff on the same box to 
>> begin with.  Yes, SELinux is helpful, and it should be used.  However,
>> I 
>> guess I'm still of the old school that says "one bastion host for
>> HTTP, 
>> one bastion host for email, one bastion host for <insert whatever 
>> else>", etc.  It's just so much easier to design and keep security
>> rules 
>> (ACL's and such) with those functions on separate servers.  
>> Virtualization can help out here if you don't want to run more than
>> one 
>> physical box.  Fortunately, CentOS 5 has Xen and KVM, both of which 
>> actually work pretty well.
>>
>> --TP
>>
>>
>> Carl Keil wrote:
>>     
>>> Hello folks,
>>>
>>> For those of you that run servers exposed to the outside world, I
>>>       
>> just 
>>     
>>> wanted to send a ping out and see what others are doing about this. 
>>>       
>>> I'm seeing an escalation in what I call "brute force" attacks on my
>>>       
>>> server.  Like people trying to SSH in repeatedly from one IP with 
>>> common sounding user names.  Or lots of http requests (I've got web
>>>       
>> on 
>>     
>>> the same server) for ....setup.php or setup.pl etc.  Repeated Auth 
>>> requests to sendmail.
>>>
>>> I've started running fail2ban, which, I feel does a great job of 
>>> cutting this down.  Is there anything better that's about equally as
>>>       
>>> easy to setup?  Is there any point in making the effort to look up
>>>       
>> the 
>>     
>>> IP's and contact the ISP's about this?  Or does that just piss off
>>>       
>> the 
>>     
>>> script kiddies and make you more of a target.  I don't want to have
>>>       
>> to 
>>     
>>> become a full on security expert, but I want to make sure I'm doing
>>>       
>>> all the easy no-brainer stuff that can protect you 99% of the time. 
>>>       
>> I 
>>     
>>> hope that attitude doesn't offend anyone.  I'm not working for a 
>>> school.  I got into ltsp for home use and just run it for
>>>       
>> convenience 
>>     
>>> and pleasure.  Dealing with idiots who are trying to break in cuts 
>>> down on both.
>>>
>>> Thanks,
>>>
>>> ck
>>>
>>> _______________________________________________
>>> K12OSN mailing list
>>> K12OSN at redhat.com
>>> https://www.redhat.com/mailman/listinfo/k12osn
>>> For more info see <http://www.k12os.org>
>>>       
>> _______________________________________________
>> K12OSN mailing list
>> K12OSN at redhat.com
>> https://www.redhat.com/mailman/listinfo/k12osn
>> For more info see <http://www.k12os.org>
>>     
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>   




More information about the K12OSN mailing list