RE: The crackers are out there

From: John Phelps <akz3r0@gmail.com>
Date: Sun Dec 02 2007 - 09:52:17 AKST

Currently for remote logins I use a package in Ubuntu (Debian) called opie,
short for *O*ne-time *P*asswords *I*n *E*verything. It is a free
implementation of the S/Key password system (RFC 1760). It is much more
secure since any password used is *only good for one login*, effectively
changing your password at every login.
To summarize S/Key authentication (my sshd login for this example):

   - There is a "secret" password stored on the machine running opie and
   sshd (different from the UNIX password)
   - Upon login you are prompted for a username as usual (mine is "user")
   - The password prompt gives the S/Key "challenge":

      otp-md5 471 gr6652 ext

      - This shows that it wants a one-time password, calculated with MD5.
      - side note: (other methods are available such as AES, MD4, etc...)
   - You then enter the "challenge" and your "Secret password" into an
   S/Key calculator (see http://www.cs.umd.edu/~harry/jotp/)
   - You get the "response" of "MUM WINK NAP BOSS LACK LYNN"
   - Enter your "response" and login!

*Why is this so secure?*

   - The 'gr6652' challenge is a "seed" that is more or less multiplied
   with your secret password
   - The number "471" in the challenge above is the sequence number, i.e.
   the number of times the previous output is run through the MD5 hash
      - Every time you login, the "sequence" number decrements by one,
      preventing its re-use (replay)
   - There are S/Key calculators online, and even for cell phones and
   Palm Pilots.

Fact Snippets:

   - OPIE was created by The U. S. Naval Research Laboratory
   - S/Key is a trademark of the company Bellcore
   - I just posted my ssh username and password to an e-mail group!
      - The password is no longer valid, it has been used
      - You do not have my "Secret" to calculate another one
      - See how secure this is?

*ALSO See* http://en.wikipedia.org/wiki/S/Key
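The chain behind the challenge/response above, as an added example (not code from the original post or from the OPIE package): the otp-md5 variant of RFC 2289, the one-time password system that generalised S/Key (RFC 1760, which used MD4) and that OPIE implements. Everything here is assumed for illustration: the passphrase, the seed "gr6652" and the sequence numbers are made up, the host side is a small class rather than sshd's OPIE module, and the response is shown as 16 hex digits because the six-word form ("MUM WINK NAP ...") needs the RFC 2289 word list, which is not reproduced. What it shows is why posting a used response is harmless: the host only keeps f^N(key), and f is one-way, so the next valid response f^(N-1)(key) cannot be derived from it without the secret.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def initial_key(seed: str, passphrase: str) -> bytes:
    """Step 0: hash the seed (case-insensitive, so lower-cased) concatenated
    with the secret passphrase, then fold to 64 bits."""
    return fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def step(key: bytes) -> bytes:
    """One application of the one-way function f: MD5 of the 8-byte value, folded."""
    return fold(hashlib.md5(key).digest())


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """The one-time password for sequence number `count`: f applied `count`
    times to the initial key."""
    key = initial_key(seed, passphrase)
    for _ in range(count):
        key = step(key)
    return key


def hex_response(passphrase: str, seed: str, count: int) -> str:
    """What a calculator would show in hex form (six-word form omitted)."""
    return otp(passphrase, seed, count).hex().upper()


class OtpServer:
    """Host side (a stand-in for sshd+OPIE). It stores the seed, the sequence
    number of the last accepted password and that password; the secret
    passphrase is never on the host."""

    def __init__(self, seed: str, sequence: int, stored: bytes):
        self.seed = seed
        self.sequence = sequence
        self.stored = stored

    @classmethod
    def enroll(cls, passphrase: str, seed: str, sequence: int) -> "OtpServer":
        """Initialisation, done once on a trusted console: the user computes
        f^sequence(key) and the host records it."""
        return cls(seed, sequence, otp(passphrase, seed, sequence))

    def challenge(self) -> str:
        """The prompt the user sees ('otp-md5 471 gr6652'): one less than the
        stored sequence number."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept iff one more application of f turns the response into the
        stored value. On success the response becomes the new stored value and
        the sequence number decrements, so replaying the same response fails."""
        if self.sequence < 1:
            return False  # chain exhausted: must re-enroll with a fresh seed
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8 or step(candidate) != self.stored:
            return False
        self.stored = candidate
        self.sequence -= 1
        return True


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    server = OtpServer.enroll("correct horse battery", "gr6652", 472)
    print(server.challenge())                       # otp-md5 471 gr6652
    response = hex_response("correct horse battery", "gr6652", 471)
    print(response, server.verify(response))        # first use: True
    print("replay accepted?", server.verify(response))   # False
```

RFC 2289 Appendix C carries official test vectors (passphrase "This is a test.", seed "TeSt") that `hex_response` can be checked against; they are not repeated here.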

Forwarded conversation
Subject: The crackers are out there
------------------------

From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 19, 2007 10:05 AM
To: aklug <aklug@aklug.org>

I setup a test server on Friday. Needed something to play on.

   * Ubuntu 7.10 server
   * User: administrator
   * Password: password
   * OpenSSH server: port 22 (default)

I was about to change the password but changed my mind at the last
minute. I thought it would be cool to see how long it took before
someone got in. Well, I was unable to login this morning.

  1. Rebooted the server in single user mode (hit the power button)
  2. Checked /var/log/auth.log (grep administrator auth.log | less)
  3. The cracker got in yesterday
  4. It took about 3 days for someone to break in

   Nov 18 17:26:55 email sshd[18468]: Accepted password for
   administrator from 82.79.221.68 port 1758 ssh2
   Nov 18 17:26:55 email sshd[18474]: pam_unix(ssh:session): session
   opened for user administrator by (uid=0)
   Nov 18 17:31:36 email passwd[18616]: pam_unix(passwd:chauthtok):
   password changed for administrator
   Nov 18 17:33:14 email sshd[18474]: pam_unix(ssh:session): session
   closed for user administrator
   Nov 19 01:47:54 email sshd[18897]: Accepted password for
   administrator from 82.78.219.48 port 2624 ssh2

whois on 82.79.221.68

   administrator@email:/$ whois 82.79.221.68
   % This is the RIPE Whois query server #2.
   % The objects are in RPSL format.
   %
   % Rights restricted by copyright.
   % See http://www.ripe.net/db/copyright.html

   % Note: This output has been filtered.
   % To receive output for a database update, use the "-B" flag

   % Information related to '82.76.0.0 - 82.79.255.255'

   inetnum: 82.76.0.0 - 82.79.255.255
   org: ORG-RA18-RIPE
   admin-c: CN19-RIPE
   netname: RO-RDS-20030714
   descr: RCS & RDS SA
   country: RO
   tech-c: RDS-RIPE
   status: ALLOCATED PA
   mnt-by: RIPE-NCC-HM-MNT
   mnt-lower: AS8708-MNT
   mnt-routes: AS8708-MNT
   source: RIPE # Filtered

   organisation: ORG-RA18-RIPE
   org-name: RCS & RDS SA
   org-type: LIR
   address: Forum 2000 Building
                   71-75 Dr. Staicovici
   address: 050557
   address: Bucharest
   address: Romania
   phone: +40 21 3010850
   phone: +40 21 3010888
   fax-no: +40 21 3010892
   admin-c: CN19-RIPE
   mnt-ref: AS8708-MNT
   mnt-ref: RIPE-NCC-HM-MNT
   mnt-by: RIPE-NCC-HM-MNT
   source: RIPE # Filtered

   role: Romania Data Systems NOC
   address: 71-75 Dr. Staicovici
   address: Bucharest / ROMANIA
   phone: +40 21 30 10 888
   fax-no: +40 21 30 10 892
   abuse-mailbox: abuse@rcs-rds.ro
   admin-c: CN19-RIPE
   admin-c: GEPU1-RIPE
   tech-c: CN19-RIPE
   tech-c: GEPU1-RIPE
   nic-hdl: RDS-RIPE
   mnt-by: AS8708-MNT
   remarks: +--------------------------------------------------------------+
   remarks: | ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS,     |
   remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.       |
   remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
   remarks: +--------------------------------------------------------------+
   source: RIPE # Filtered

   person: Ciprian Nica
   remarks: Senior IP Engineer
   remarks: Romania Data Systems
   address: Bucharest, Romania
   phone: + 40 31 400 42 43
   abuse-mailbox: abuse@rcs-rds.ro
   remarks: ------------------------------------------------
   remarks: | Please don't send me any abuse complaints. |
   remarks: | Use abuse@rcs-rds.ro for that or contact |
   remarks: | your service provider or local authorities |
   remarks: ------------------------------------------------
   nic-hdl: CN19-RIPE
   mnt-by: NIMACI-MNT
   source: RIPE # Filtered

   % Information related to '82.76.0.0/14AS8708'

   route: 82.76.0.0/14
   descr: RDSNET
   origin: AS8708
   mnt-by: AS8708-MNT
   source: RIPE # Filtered

   administrator@email:/$

NOTE:
I have no idea what the person did once they got onto the system. I'll
have to do some searching. I'll backup /var. If anyone wants to see my
logs let me know. I will reinstall Ubuntu today.

Stay safe!

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

----------
From: *Jim Gribbin* <jimgribbin@gmail.com>
Date: Nov 19, 2007 12:12 PM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug <aklug@aklug.org>

Just out of curiosity, did you send the "abuse" contact anything?
Probably wouldn't do any good, but ...

Jim
----------
From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 19, 2007 1:18 PM
To: jimgribbin@gmail.com
Cc: aklug <aklug@aklug.org>

No. I didn't try to contact anyone.
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 19, 2007 7:19 PM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug <aklug@aklug.org>

Always an entertaining exercise, but I'm surprised it took them that long.

All of which should point out a few safety tips for any box exposed to
public networks:

  1) Root/administrator accounts should *never* be allowed to log in
     remotely. The only access to superuser accounts should be on a
     physical console or via su from a wheel group member. Let me be
     more blunt: if you allow root to log in remotely for any reason
     you're an idiot.
  2) Sshd should be configured to restrict login privileges to a specific
     group (other than users), and it should not allow empty passwords.
     This guarantees that an account added by some idiot packager to
     support a service, who forgot to either randomize or set a password,
     can't be used to gain shell access.
  3) Ideally, you should also be running a script that watches for
     failed authentication attempts and automatically firewalls off the
     offending IP after n number of attempts.
  4) Also ideally, if you can restrict access to ssh to specific networks
     and/or IPs by both firewall and tcp wrappers, you should.

This is all part of hardening 101, and while basic, is tremendously
important. The vast majority of software vulnerabilities are local
exploits, not remote, so doing everything possible to restrict shell access
is essential.

       --Arthur Corliss
         Live Free or Die
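Points 1 and 2 above are sshd_config settings, and the one thing that trips people up is that sshd honours the first occurrence of a keyword, so a "PermitRootLogin no" appended at the bottom of a file that already says "yes" does nothing. The following is an added example, not from the thread or from OpenSSH: a small checker that reads a config the way sshd does (first value wins, keywords case-insensitive) and reports which of the thread's hardening points it fails, applied to two constructed fragments, one permissive and one hardened. Assumptions: only the global section is audited (parsing stops at the first Match block), and the group name "sshusers" is made up.

```python
# Constructed fragments, not copied from any real host.
WEAK_CONFIG = """\
# (constructed) permissive sshd_config, the kind of setup this thread describes
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# (constructed) hardened sshd_config
Port 22
PermitRootLogin no
PermitEmptyPasswords no
AllowGroups sshusers
PasswordAuthentication yes
# a later duplicate is ignored by sshd, which keeps the first value
PermitRootLogin yes
"""


def parse_sshd_config(text: str) -> dict:
    """Keyword (lower-cased) -> argument, keeping the FIRST occurrence, which
    is how sshd resolves duplicates. Stops at the first Match block
    (assumption: only the global section is audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' begins a comment
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings: dict) -> list:
    """Return the hardening points from the thread that the config fails."""
    findings = []
    # Point 1: no remote root. Require an explicit 'no'; a missing keyword
    # falls back to the compiled-in default, which is not 'no' on this era's sshd.
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    # Point 2a: empty passwords. sshd's default is 'no', so only 'yes' fails.
    if settings.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords is 'yes'")
    # Point 2b: login restricted to a specific group (or explicit user list).
    if not (settings.get("allowgroups") or settings.get("allowusers")):
        findings.append("no AllowGroups/AllowUsers: every account with a shell can log in")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or "OK")
```

Run it against a live file with `audit_text(open("/etc/ssh/sshd_config").read())`; `sshd -T` (which prints the effective configuration after all parsing) is the authoritative check once the file is changed.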
----------
From: *Bryan Medsker* <bryanm@acsalaska.net>
Date: Nov 20, 2007 12:24 AM
To: aklug@aklug.org

There's that vice-presidential spirit we're looking for. <grin>
Recently, I've had a resurgent interest in port knocking. Has anyone
here tried that? Any tools to recommend?

--
Bryan Medsker
bryanm@acsalaska.net
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 9:16 AM
To: bryanm@acsalaska.net
Cc: aklug@aklug.org
That's the standard Corliss no-tact spirit.  In terms of basic security I
just want everyone to know just how egregious (and dangerous) this is.  The
number one attack I see on my systems is still dictionary attacks.  While a
strong password helps, for those using random combinations it's still just a
function of time -- and not much of that if there's some pure blind luck --
assuming no other precautions are taken.
Good security is about having lots of backup plans.  When you combine all of
the countermeasures I suggest it becomes highly improbable that an attacker
will get a shell on the box (via ssh, anyways), and even if they do, they
still have more barriers in their way to get root.
----------
From: *Craig Hasund* <hasundc@arctic.net>
Date: Nov 20, 2007 9:45 AM
To: aklug@aklug.org
OK, that makes a number of times that I've heard someone mention scripting
to monitor access and modify the firewall based on observations.  How do you
do this?   Can someone post a simplified script to look for access criteria
and modify the firewall based on ip address?  I prefer perl or bash, but am
not sure the methodology about implementing this type of thing.  I also use
fedora and iptables.
I would like to play with this but want to understand a working
implementation before I lock myself out of my systems :)...  I've been
following this list for a long time, but haven't crawled out from under my
rock until now.
Thanks,
--- Craig Hasund
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 10:56 AM
To: Craig Hasund <hasundc@arctic.net>
Cc: aklug@aklug.org
My personal solution, which is configurable, can be retrieved via rsync:
  rsync://rsync/nevaeh-test/src/admin-scripts-0.8.tar.gz
  rsync://rsync/nevaeh-test/src/Paranoid-0.13.tar.gz
  rsync://rsync/nevaeh-test/src/Parse-PlainConfig-2.03.tar.gz
The latter two are required dependencies.  Don't use the versions on CPAN, I
haven't uploaded these yet.  In the admin-scripts tarball all you really
care about is the autofw.pl and autofw.conf.  I also cron a weekly SIGHUP to
the autofw.pl script to reset the connection counters.
My hack is in Perl, BTW.  Go figure.  ;-)
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 11:00 AM
To: Arthur Corliss <acorliss@nevaeh-linux.org>
Cc: Craig Hasund <hasundc@arctic.net>, aklug@aklug.org
Yes, I am an idiot.  Sue me.  The links now fully qualified:
   rsync://rsync.nevaeh-linux.org/nevaeh-test/src/admin-scripts-0.8.tar.gz
   rsync://rsync.nevaeh-linux.org/nevaeh-test/src/Paranoid-0.13.tar.gz
   rsync://rsync.nevaeh-linux.org/nevaeh-test/src/Parse-PlainConfig-2.03.tar.gz
BTW, my hack supports listing addresses or networks on a "never ban" list to
prevent you from locking yourself out, just those on hostile (read:  all
other) networks.
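The mechanism Craig asked about, as an added example in Python rather than Arthur's Perl (this is not autofw.pl and is not taken from the thread): parse OpenSSH "Failed password" lines in the auth.log format shown above, count failures per source address inside a sliding time window, skip anything on a "never ban" list so you cannot lock yourself out, and emit one iptables rule per offender. The sample log lines are constructed and use documentation address ranges; the threshold, window, allowed networks and the assumed year 2007 (syslog timestamps carry none) are all assumptions. By default it only builds the commands; running them needs root and `dry_run=False`, and a real daemon would tail the log rather than read a list.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Never-ban list (assumption for the demo: loopback and the local LAN).
NEVER_BAN = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
THRESHOLD = 5      # this many failures ...
WINDOW = 600       # ... within this many seconds gets a source banned

FAILED = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failure(line: str, year: int = 2007):
    """(timestamp, user, source ip) for an OpenSSH failed-password line, or
    None for any other line. Syslog omits the year, so one is supplied."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["user"], m["ip"]


def is_protected(ip: str) -> bool:
    """True for addresses that must never be banned (or that cannot be parsed,
    so that garbage never reaches the iptables command line)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in NEVER_BAN)


def offenders(lines, threshold=THRESHOLD, window=WINDOW) -> set:
    """Source addresses with at least `threshold` failures inside any
    `window`-second span, excluding protected networks. Lines are expected in
    log order, as they arrive when tailing the file."""
    recent = defaultdict(deque)
    banned = set()
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue
        ts, _user, ip = rec
        if ip in banned or is_protected(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(ip)
    return banned


def ban_command(ip: str) -> list:
    """The rule inserted for an offender: drop its packets to sshd."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]


def apply_bans(ips, dry_run=True) -> list:
    """Build (and, unless dry_run, execute as root) one rule per offender."""
    cmds = [ban_command(ip) for ip in sorted(ips)]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample log in the auth.log format seen in this thread. The
# addresses are documentation ranges and a LAN host, not real attackers.
SAMPLE_LOG = [
    "Nov 18 17:20:01 email sshd[18001]: Failed password for administrator from 198.51.100.23 port 4011 ssh2",
    "Nov 18 17:20:03 email sshd[18002]: Failed password for invalid user admin from 198.51.100.23 port 4012 ssh2",
    "Nov 18 17:20:05 email sshd[18003]: Failed password for root from 198.51.100.23 port 4013 ssh2",
    "Nov 18 17:20:07 email sshd[18004]: Failed password for invalid user test from 198.51.100.23 port 4014 ssh2",
    "Nov 18 17:20:09 email sshd[18005]: Failed password for administrator from 198.51.100.23 port 4015 ssh2",
    "Nov 18 17:25:00 email sshd[18010]: Failed password for damien from 203.0.113.7 port 5100 ssh2",
    "Nov 18 17:25:30 email sshd[18011]: Failed password for damien from 203.0.113.7 port 5101 ssh2",
    "Nov 18 17:26:55 email sshd[18468]: Accepted password for administrator from 203.0.113.7 port 1758 ssh2",
] + [
    # six failures from the LAN: over the threshold, but on the never-ban list
    f"Nov 18 18:0{i}:00 email sshd[1850{i}]: Failed password for root from 192.168.1.5 port 60{i}0 ssh2"
    for i in range(6)
]


if __name__ == "__main__":
    for cmd in apply_bans(offenders(SAMPLE_LOG)):
        print(" ".join(cmd))      # iptables -I INPUT -s 198.51.100.23 ...
```

Arthur's weekly SIGHUP to reset counters maps onto clearing `recent`; note that a ban rule inserted this way is also lost on reboot unless it is saved, which is the point of his rc.local start.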
----------
From: *Tom Simes* <simestd@netexpress.com>
Date: Nov 20, 2007 12:18 PM
To: aklug@aklug.org
Thanks for sharing Arthur :)
You don't say, I always pegged you for a .Net type ;)
Tom
======================================================================
  "Z-80 system stack overflow.  Shut 'er down Scotty, the system's
        sucking mud" - Error message on TRS 80 Model-16B
Tom Simes                                       simestd@netexpress.com
======================================================================
----------
From: *Craig Hasund* <hasundc@arctic.net>
Date: Nov 20, 2007 12:59 PM
To: aklug@aklug.org
Thanks a bunch Art.
One more basic question... (and probably not the last).  How do you run a
script as a daemon?  I know a bit about cron, but haven't done the "run as a
daemon" thing.
--Craig Hasund
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 4:42 PM
To: Tom Simes <simestd@netexpress.com>
Cc: aklug@aklug.org
I'd have a snappy comeback but the mere thought causes my brain to seize.
;-)  Anyone smell smoke?
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 20, 2007 4:43 PM
To: Craig Hasund <hasundc@arctic.net>
Cc: aklug@aklug.org
At its simplest you could just add the following line to rc.local:
  /usr/sbin/autofw.pl &
----------
From: *Damien Hull* <dhull@digitaloverload.net>
Date: Nov 21, 2007 7:40 PM
To: Arthur Corliss <acorliss@nevaeh-linux.org>
Cc: aklug@aklug.org
What are your thoughts on gate keepers?
I'm thinking about sticking one on my network. This would be the box
that receives ssh connections from the outside. Once I'm in I can ssh
to other systems on my network. If someone breaks in, I can reinstall.
This would also have a few extras like ssh keys etc...
----------
From: *Arthur Corliss* <acorliss@nevaeh-linux.org>
Date: Nov 22, 2007 11:00 AM
To: Damien Hull <dhull@digitaloverload.net>
Cc: aklug@aklug.org
That's an excellent idea, something I do as well.  I keep one bastion host
that does nothing but ssh.  All other hosts on the subnet only allow
connections from the local domain and/or subnet.  That dramatically reduces
the attack surface so dictionary attacks can't be simply continued on
another host.
Ideally that host should also be doing remote syslogging for all
authentication attempts.
Way to think ahead, Damien, I'm impressed!
Received on Sun Dec 2 09:52:33 2007

This archive was generated by hypermail 2.1.8 : Sun Dec 02 2007 - 09:52:33 AKST