Currently for remote logins I use a package in Ubuntu (Debian) called opie, short for *O*ne-time *P*asswords *I*n *E*verything. It is a free implementation of the S/Key password system (RFC 1760). It is much more secure since any password used is *only good for one login*, effectively changing your password at every login.
To summarize S/Key authentication (my sshd login for this example):
- There is a "secret" password stored on the machine running opie and sshd (different from the UNIX password)
- Upon login you are prompted for a username as usual (mine is "user")
- The password prompt gives the S/Key "challenge":
  otp-md5 471 gr6652 ext
- This shows that it wants a one-time password, calculated with MD5.
  - side note: other methods are available such as AES, MD4, etc...
- You then enter the "challenge" and your "Secret password" into an S/Key calculator (see http://www.cs.umd.edu/~harry/jotp/)
- You get the "response" of "MUM WINK NAP BOSS LACK LYNN"
- Enter your "response" and login!
*Why is this so secure??*
- The 'gr6652' challenge is a "seed" that is more or less multiplied with your secret password
- The number "471" in the challenge above is the sequence number, ie the number of times the previous output is run through the MD5 hash
- Every time you login, the "sequence" number decrements one, preventing its re-use (replay)
- There are S/Key calculators online, and even for cell phones and palm pilots.
Fact Snippets:
- OPIE was created by The U. S. Naval Research Laboratory
- S/Key is a trademark of the company Bellcore
- I just posted my ssh username and password to an e-mail group!
- The password is no longer valid, it has been used
- You do not have my "Secret" to calculate another one
- See how secure this is??
*ALSO See* http://en.wikipedia.org/wiki/S/Key
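As an added illustration (not code from the original post, nor from the opie package): the otp-md5 computation the list above describes, plus the server-side record that checks a response and decrements the sequence. The passphrase, seed and sequence number are constructed; the response is shown in hex rather than the six-word form, which only re-encodes the same 64 bits with the RFC 2289 word list.

```python
import hashlib
import re

# The challenge as sshd/opie prints it: "otp-md5 <sequence> <seed> ext".
CHALLENGE_RE = re.compile(r"^otp-md5\s+(\d{1,4})\s+([A-Za-z0-9]{1,16})\b")


def fold_md5(data: bytes) -> bytes:
    """One S/Key step: MD5 the input, then fold the 16-byte digest to 8 bytes by XOR."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Key for sequence `count`: fold_md5(seed + passphrase), then `count` more steps."""
    if not 0 <= count <= 9999:
        raise ValueError("sequence number out of range")
    key = fold_md5((seed.lower() + passphrase).encode())  # seed is lower-cased (RFC 2289)
    for _ in range(count):
        key = fold_md5(key)
    return key


def parse_challenge(challenge: str):
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError("not an otp-md5 challenge")
    return int(m.group(1)), m.group(2)


def client_response(passphrase: str, challenge: str) -> str:
    """What the S/Key calculator hands back, as 16 hex digits."""
    count, seed = parse_challenge(challenge)
    return otp_md5(passphrase, seed, count).hex().upper()


class OtpAccount:
    """Server side: seed, the sequence to issue next, and the last ACCEPTED key.
    The passphrase is needed once, at enrolment (opiepasswd); it is never stored."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed, self.count = seed, count
        self.last = otp_md5(passphrase, seed, count + 1)  # hash of the key we expect next

    def challenge(self) -> str:
        return f"otp-md5 {self.count} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept iff one more hash step turns the response into the stored key.
        A replayed response then fails, because `last` has become that response."""
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if self.count <= 0 or len(candidate) != 8 or fold_md5(candidate) != self.last:
            return False  # wrong secret, replay, or sequence exhausted (re-enrol)
        self.last, self.count = candidate, self.count - 1
        return True
```

The test vectors in RFC 2289 Appendix C can be used to check otp_md5 against the reference implementation.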
Forwarded conversation
Subject: The crackers are out there
------------------------
From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 19, 2007 10:05 AM
To: aklug <aklug@aklug.org>
I setup a test server on Friday. Needed something to play on.
* Ubuntu 7.10 server
* User: administrator
* Password: password
* OpenSSH server: port 22 (default)
I was about to change the password but changed my mind at the last minute. I thought it would be cool to see how long it took before someone got in. Well, I was unable to login this morning.
1. Rebooted the server in single user mode (hit the power button)
2. Checked /var/log/auth.log (grep administrator auth.log | less)
3. The cracker got in yesterday
4. It took about 3 days for someone to break in
Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 82.79.221.68 port 1758 ssh2
Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session opened for user administrator by (uid=0)
Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok): password changed for administrator
Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session closed for user administrator
Nov 19 01:47:54 email sshd[18897]: Accepted password for administrator from 82.78.219.48 port 2624 ssh2
whois on 82.79.221.68
administrator@email:/$ whois 82.79.221.68
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '82.76.0.0 - 82.79.255.255'
inetnum: 82.76.0.0 - 82.79.255.255
org: ORG-RA18-RIPE
admin-c: CN19-RIPE
netname: RO-RDS-20030714
descr: RCS & RDS SA
country: RO
tech-c: RDS-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS8708-MNT
mnt-routes: AS8708-MNT
source: RIPE # Filtered
organisation: ORG-RA18-RIPE
org-name: RCS & RDS SA
org-type: LIR
address: Forum 2000 Building
71-75 Dr. Staicovici
address: 050557
address: Bucharest
address: Romania
phone: +40 21 3010850
phone: +40 21 3010888
fax-no: +40 21 3010892
admin-c: CN19-RIPE
mnt-ref: AS8708-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: Romania Data Systems NOC
address: 71-75 Dr. Staicovici
address: Bucharest / ROMANIA
phone: +40 21 30 10 888
fax-no: +40 21 30 10 892
abuse-mailbox: abuse@rcs-rds.ro
admin-c: CN19-RIPE
admin-c: GEPU1-RIPE
tech-c: CN19-RIPE
tech-c: GEPU1-RIPE
nic-hdl: RDS-RIPE
mnt-by: AS8708-MNT
remarks: +--------------------------------------------------------------+
remarks: | ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS, |
remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. |
remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
remarks: +--------------------------------------------------------------+
source: RIPE # Filtered
person: Ciprian Nica
remarks: Senior IP Engineer
remarks: Romania Data Systems
address: Bucharest, Romania
phone: + 40 31 400 42 43
abuse-mailbox: abuse@rcs-rds.ro
remarks: ------------------------------------------------
remarks: | Please don't send me any abuse complaints. |
remarks: | Use abuse@rcs-rds.ro for that or contact |
remarks: | your service provider or local authorities |
remarks: ------------------------------------------------
nic-hdl: CN19-RIPE
mnt-by: NIMACI-MNT
source: RIPE # Filtered
% Information related to '82.76.0.0/14AS8708'
route: 82.76.0.0/14
descr: RDSNET
origin: AS8708
mnt-by: AS8708-MNT
source: RIPE # Filtered
administrator@email:/$
NOTE:
I have no idea what the person did once they got onto the system. I'll
have to do some searching. I'll backup /var. If anyone wants to see my
logs let me know. I will reinstall Ubuntu today.
Stay safe!
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
----------
From: *Jim Gribbin* <jimgribbin@gmail.com>
Date: Nov 19, 2007 12:12 PM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug <aklug@aklug.org>
Just out of curiosity, did you send the "abuse" contact anything?
Probably wouldn't do any good, but ...
Jim
----------
From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 19, 2007 1:18 PM
To: jimgribbin@gmail.com
Cc: aklug <aklug@aklug.org>
No. I didn't try to contact anyone.
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 19, 2007 7:19 PM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug <aklug@aklug.org>
Always an entertaining exercise, but I'm surprised it took them that long.
All of which should point out a few safety tips for any box exposed to
public networks:
1) Root/administrator accounts should *never* be allowed to log in
remotely. The only access to superuser accounts should be on a
physical console or via su from a wheel group member. Let me be
more blunt: if you allow root to log in remotely for any reason
you're an idiot.
2) Sshd should be configured to restrict login privileges to a specific
group (other than users), and it should not allow empty passwords.
This guarantees that just because some idiot packager who adds
accounts to your box to support a service but forgets to either
randomize or set a password can't be used to gain shell access.
3) Ideally, you should also be running a script that watches for
failed authentication attempts and automatically firewalls off the
offending IP after n number of attempts.
4) Also ideally, if you can restrict access to ssh to specific networks
and/or IPs by both firewall and tcp wrappers, you should.
This is all part of hardening 101, and while basic, is tremendously
important. The vast majority of software vulnerabilities are local
exploits, not remote, so doing everything possible to restrict shell access
is essential.
--Arthur Corliss
Live Free or Die
----------
From: ** <bryanm@acsalaska.net>
Date: Nov 20, 2007 12:24 AM
To: aklug@aklug.org
There's that vice-presidential spirit we're looking for. <grin>
Recently, I've had a resurgent interest in port knocking. Has anyone
here tried that? Any tools to recommend?
-- Bryan Medsker bryanm@acsalaska.net
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 9:16 AM
To: bryanm@acsalaska.net
Cc: aklug@aklug.org
That's the standard Corliss no-tact spirit. In terms of basic security I just want everyone to know just how egregious (and dangerous) this is. The number one attack I see on my systems is still dictionary attacks. While a strong password helps, for those using random combinations it's still just a function of time -- and not much of that if there's some pure blind luck -- assuming no other precautions are taken. Good security is about having lots of backup plans. When you combine all of the countermeasures I suggest it becomes highly improbable that an attacker will get a shell on the box (via ssh, anyways), and even if they do, they still have more barriers in their way to get root.
----------
From: *Craig Hasund* <hasundc@arctic.net>
Date: Nov 20, 2007 9:45 AM
To: aklug@aklug.org
OK, that makes a number of times that I've heard someone mention scripting to monitor access and modify the firewall based on observations. How do you do this? Can someone post a simplified script to look for access criteria and modify the firewall based on ip address? I prefer perl or bash, but am not sure the methodology about implementing this type of thing. I also use fedora and iptables. I would like to play with this but want to understand a working implementation before I lock myself out of my systems :)... I've been following this list for a long time, but haven't crawled out from under my rock until now.
Thanks,
--- Craig Hasund
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 10:56 AM
To: Craig Hasund <hasundc@arctic.net>
Cc: aklug@aklug.org
My personal solution, which is configurable, can be retrieved via rsync:
rsync://rsync/nevaeh-test/src/admin-scripts-0.8.tar.gz
rsync://rsync/nevaeh-test/src/Paranoid-0.13.tar.gz
rsync://rsync/nevaeh-test/src/Parse-PlainConfig-2.03.tar.gz
The latter two are required dependencies. Don't use the versions on CPAN, I haven't uploaded these yet. In the admin-scripts tarball all you really care about is the autofw.pl and autofw.conf. I also cron a weekly SIGHUP to the autofw.pl script to reset the connection counters.
My hack is in Perl, BTW. Go figure. ;-)
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 11:00 AM
To: Arthur Corliss <acorliss@nevaeh-linux.org>
Cc: Craig Hasund <hasundc@arctic.net>, aklug@aklug.org
Yes, I am an idiot. Sue me. The links now fully qualified:
rsync://rsync.nevaeh-linux.org/nevaeh-test/src/admin-scripts-0.8.tar.gz
rsync://rsync.nevaeh-linux.org/nevaeh-test/src/Paranoid-0.13.tar.gz
rsync://rsync.nevaeh-linux.org/nevaeh-test/src/Parse-PlainConfig-2.03.tar.gz
BTW, my hack supports listing addresses or networks on a "never ban" list to prevent you from locking yourself out, just those on hostile (read: all other) networks.
----------
From: *Tom Simes* <simestd@netexpress.com>
Date: Nov 20, 2007 12:18 PM
To: aklug@aklug.org
Thanks for sharing Arthur :)
You don't say, I always pegged you for a .Net type ;)
Tom
======================================================================
"Z-80 system stack overflow. Shut 'er down Scotty, the system's sucking mud" - Error message on TRS 80 Model-16B
Tom Simes simestd@netexpress.com
======================================================================
----------
From: *Craig Hasund* <hasundc@arctic.net>
Date: Nov 20, 2007 12:59 PM
To: aklug@aklug.org
Thanks a bunch Art. One more basic question... (and probably not the last). How do you run a script as a daemon? I know a bit about cron, but haven't done the "run as a daemon" thing.
--Craig Hasund
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 4:42 PM
To: Tom Simes <simestd@netexpress.com>
Cc: aklug@aklug.org
I'd have a snappy comeback but the mere thought causes my brain to seize. ;-) Anyone smell smoke?
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 4:43 PM
To: Craig Hasund <hasundc@arctic.net>
Cc: aklug@aklug.org
At its simplest you could just add the following line to rc.local:
/usr/sbin/autofw.pl &
----------
From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 21, 2007 7:40 PM
To: Arthur Corliss <acorliss@nevaeh-linux.org>
Cc: aklug@aklug.org
What are your thoughts on gate keepers? I'm thinking about sticking one on my network. This would be the box that receives ssh connections from the outside. Once I'm in I can ssh to other systems on my network. If someone breaks in I can reinstall. This would also have a few extras like ssh keys etc...
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 22, 2007 11:00 AM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug@aklug.org
That's an excellent idea, something I do as well. I keep one bastion host that does nothing but ssh. All other hosts on the subnet only allow connections from the local domain and/or subnet. That dramatically reduces the attack surface so dictionary attacks can't be simply continued on another host. Ideally that host should also be doing remote syslogging for all authentication attempts.
Way to think ahead, Damien, I'm impressed!
Received on Sun Dec 2 09:52:33 2007
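Added example, not Arthur's autofw.pl nor anything from the thread: the kind of watcher Arthur describes in tip 3 and Craig asks for, written in Python rather than Perl or bash. It counts sshd "Failed password" lines per source address from auth.log, skips a "never ban" list so you cannot lock yourself out, and produces the iptables DROP rules for the rest; the log lines, threshold and exempt networks are constructed for the example.

```python
import ipaddress
import re
import subprocess
from collections import Counter

# sshd failure lines as they appear in /var/log/auth.log: group 1 = user, group 2 = source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+")

# "Never ban" networks so the watcher cannot lock you out (assumed example values:
# loopback plus a private LAN; list your own management networks here).
NEVER_BAN = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log (RFC 5737 documentation addresses, not the thread's real IPs).
SAMPLE_LOG = (
    ["Nov 18 17:20:%02d email sshd[184%02d]: Failed password for administrator from 198.51.100.7 port 44%02d ssh2" % (i, i, i) for i in range(5)]
    + ["Nov 18 17:21:00 email sshd[18411]: Failed password for invalid user oracle from 203.0.113.9 port 5001 ssh2"]
    + ["Nov 18 17:22:%02d email sshd[18420]: Failed password for bob from 192.168.1.20 port 5002 ssh2" % i for i in range(6)]
    + ["Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 198.51.100.7 port 1758 ssh2"])


def is_exempt(ip: str, never_ban=NEVER_BAN) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in never_ban)


def plan_bans(log_lines, threshold: int = 5, never_ban=NEVER_BAN) -> list:
    """Count failures per source; return non-exempt addresses at or over the threshold."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))  # validate before it becomes an iptables argument
        except ValueError:
            continue
        failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold and not is_exempt(ip, never_ban))


def ban_commands(ips) -> list:
    """One rule per address, inserted at the top of INPUT so it precedes any ACCEPT rule."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


def apply_bans(ips, already_banned: set, run=subprocess.run) -> list:
    """Execute the rules (root required); `already_banned` persists across runs so each address is inserted once."""
    new = [ip for ip in ips if ip not in already_banned]
    for cmd in ban_commands(new):
        run(cmd, check=True)
        already_banned.add(cmd[4])
    return new
```

Run from cron with `apply_bans(plan_bans(open("/var/log/auth.log")), banned)` and keep `banned` across runs; the failure counters start fresh each run, which plays the role of Arthur's weekly SIGHUP reset.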
This archive was generated by hypermail 2.1.8 : Sun Dec 02 2007 - 09:52:33 AKST