All times are UTC - 6 hours





Post new topic Reply to topic  [ 34 posts ] 
Go to page Previous  1, 2, 3  Next
 Post subject:
PostPosted: Sat Sep 29, 2007 10:47 pm 
Joined: Fri Sep 07, 2007 11:57 pm
Posts: 166
tjc wrote:
It sounds like you've misunderstood what it's for, and that is almost 180 degrees from what you seem to think. Requiring a password for authentication is the normal state of affairs, key authentication allows you to bypass that for trusted hosts. Therefore if you don't have a key you get prompted for a password. There is a different mechanism for allowing and disallowing remote hosts by IP address.


I see.. Still I'm using it to NOT allow anyone BUT trusted hosts :) [so you never get prompted for a password.. you either have a key to my door or have to turn back..]

I simply used hosts.allow and hosts.deny to deny all and allow only one ip addy. I decided my paranoia stops here :) I won't go ahead and do that ip restriction from the router.. Just in case I'm away one day and want to change that restriction. I can, for now, ssh to the account that is allowed, ssh to the mythbox, and change the rules..

I still haven't figured out how to restrict the number of attempts. But Google will eventually do its magic :)

EDIT: MaxAuthTries 3 (default is 6) in sshd_config does the job, as far as I'm concerned. After 1 failed attempt the subsequent 2 get logged. And I decided not to block any IPs after failed attempts since the only IP that is allowed is my own and IP spoofing could cause ME to be blocked!! I think I'm happy with https [port changed from 443], key authentication, no passwd authentication ever, ssh tunneling, only port that is open is the ssh one [changed from 22], and of course router's firewall.
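As an added example (not code from the thread), here is a small audit of an sshd_config for the settings this post settles on: key-only authentication, MaxAuthTries 3 and a non-default port. It reads the file the way sshd does, so a hardening line placed after an earlier, weaker value is correctly reported as ineffective.

```python
"""Audit an sshd_config for the settings in the post above (added example,
not from the thread). Reads it the way sshd does: keywords are case-insensitive,
the FIRST value given for a keyword wins, and a Match block ends the global part.
"""
import re

# sshd's own defaults for the keywords the post touches.
DEFAULTS = {"port": "22", "maxauthtries": "6",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(.+)$", line)
        if not m:
            continue                                 # blank or malformed line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                    # conditional block: stop
        settings.setdefault(key, value)              # first occurrence wins
    return settings


def audit(text):
    """List the hardening points from the post that this config misses."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if int(cfg["maxauthtries"]) > 3:
        findings.append("MaxAuthTries is %s, post uses 3" % cfg["maxauthtries"])
    if cfg["port"] == "22":
        findings.append("sshd still listens on the default port 22")
    return findings


# Constructed sample: looks hardened at a glance, but the 'no' on the last
# line is ignored because sshd already took the first PasswordAuthentication.
SAMPLE = """Port 22
#MaxAuthTries 3
PasswordAuthentication yes
PasswordAuthentication no
"""
```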



 Post subject:
PostPosted: Wed Oct 24, 2007 12:21 am
Joined: Tue Aug 15, 2006 11:14 am
Posts: 1343
Location: Orlando FL
To stop all legit web crawlers/spiders, put this
Code:
User-agent: *
Disallow: /


in a new text file called robots.txt in the /var/www/ folder.

for more info http://www.robotstxt.org/wc/robots.html



 Post subject:
PostPosted: Wed Oct 24, 2007 1:54 am
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
mattbatt wrote:
to stop all legit web crawlers /spiders put this
Code:
User-agent: *
Disallow: /


Just for the sake of others.... don't forward ports to your mythtv box; keep it safe from the WAN unless you know what you're doing security-wise. More on this suggestion here.

_________________
Retired KM user (R4 - R6.04); friend to LH users.



 Post subject: iptables - what file?
PostPosted: Sun Feb 17, 2008 9:14 am
Joined: Tue Mar 28, 2006 8:26 pm
Posts: 804
Location: Minneapolis, MN
mjl wrote:
There was posted a couple simple iptable things that would also help lock down some more. It added two or three ssh password attempts and then reject for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed :)

I like the sound of that idea. I've been searching the Knoppmyth forum for the message you referenced - telling how to add iptables rules for SSH access. I'm not finding it.
People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?

Appreciated.
Eric

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner



PostPosted: Sun Feb 17, 2008 5:26 pm
Joined: Mon Mar 13, 2006 2:28 am
Posts: 143
Location: Brisbane, Australia
neutron68 wrote:
People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?

You actually use the command 'iptables' as root to change them. That being said, I'm probably not the one to ask for specifics. I use a program called fail2ban to control my iptables settings - 'apt-cache show fail2ban'

_________________
MBE/FE ~ R5F27 ~ Asus A8N-VM-CSM ~ AMD64 3500+ ~ 1GB RAM ~ 1.5TB Storage ~ Nova-T-500 ~ SH-S183A DVDRW ~ LC20M Case ~ iMON-Pad Remote
FE ~ Diskless ~ Asus M2NPV-VM ~ AMD X2 BE-2350 (45w) ~ 1GB RAM ~ TT Lanbox Lite ~ iMON-Pad Remote



 Post subject: ah, I think I see
PostPosted: Sun Feb 17, 2008 10:32 pm
Joined: Tue Mar 28, 2006 8:26 pm
Posts: 804
Location: Minneapolis, MN
Ah. Ok. So, the iptables lines shown on this page:
http://hostingfu.com/article/ssh-dictio ... h-iptables
Code:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

just get entered at a command line (as root) and then they end up in the appropriate file?

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner
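To make the behaviour of these four rules concrete, here is an added example (not from the thread or the linked page) that simulates the recent-module counting on a constructed sequence of connection attempts. It shows that the attempt which trips the limit is itself counted, so the fourth NEW connection within 60 seconds is the first one dropped, and that an address which keeps retrying stays dropped until it goes quiet.

```python
"""Simulate the four SSH_CHECK rules quoted above on a constructed list of
connection attempts (added example, not from the thread or hostingfu).
Every NEW connection to port 22 first hits `--set` (record this attempt for
the source address), then `--update --seconds 60 --hitcount 4 -j DROP`
(drop if the address now has 4 or more attempts within the last 60 s).
"""
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4


def ssh_check(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """attempts: time-ordered (timestamp, source_ip) pairs for NEW connections.
    Returns (timestamp, source_ip, verdict) with verdict ACCEPT or DROP."""
    recent = defaultdict(list)            # xt_recent's per-address hit list
    verdicts = []
    for ts, ip in attempts:
        recent[ip].append(ts)             # rule 3: -m recent --set --name SSH
        # rule 4: --update --seconds 60 --hitcount 4 counts hits inside the
        # window, and the attempt just recorded is one of them.
        window = [t for t in recent[ip] if ts - t <= seconds]
        recent[ip] = window               # older hits no longer matter
        verdicts.append((ts, ip, "DROP" if len(window) >= hitcount else "ACCEPT"))
    return verdicts


def dropped(attempts):
    """Timestamps (seconds) of the attempts the chain drops."""
    return [ts for ts, _, v in ssh_check(attempts) if v == "DROP"]


# Constructed sample: one address reconnecting every few seconds (a dictionary
# attacker retrying after each failed login) and one ordinary user.
SAMPLE = [
    (0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
    (12, "203.0.113.9"),        # unrelated address: unaffected
    (15, "198.51.100.7"),       # 4th attempt within 60 s: first DROP
    (65, "198.51.100.7"),       # attempts at 5, 10, 15, 65 are within 60 s: DROP
    (200, "198.51.100.7"),      # quiet for more than 60 s: accepted again
]
```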



 Post subject:
PostPosted: Sun Feb 17, 2008 11:46 pm
Joined: Mon Mar 13, 2006 2:28 am
Posts: 143
Location: Brisbane, Australia
Yep, but on reboot they'll need to be set again. So you'd probably append those commands to /etc/init.d/bootmisc.sh (for example), so they can be called on boot up.

_________________
MBE/FE ~ R5F27 ~ Asus A8N-VM-CSM ~ AMD64 3500+ ~ 1GB RAM ~ 1.5TB Storage ~ Nova-T-500 ~ SH-S183A DVDRW ~ LC20M Case ~ iMON-Pad Remote
FE ~ Diskless ~ Asus M2NPV-VM ~ AMD X2 BE-2350 (45w) ~ 1GB RAM ~ TT Lanbox Lite ~ iMON-Pad Remote



 Post subject:
PostPosted: Mon Feb 18, 2008 7:55 am
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

This is one of the posts I was thinking of:
http://knoppmyth.net/phpBB2/viewtopic.p ... 25e7a0c65f

Mike



 Post subject:
PostPosted: Mon Feb 18, 2008 1:42 pm
Joined: Sun Aug 28, 2005 7:07 pm
Posts: 821
Location: Melbourne, Australia
Hi,

You could install firestarter. It's a gui for iptables. I don't use it, but a friend does, and loves it (he's a recent linux convert).

It must, of course, be installed and run as root.

Mike

_________________
*********************
LinHES 7.4
Australian Dragon
*********************



 Post subject:
PostPosted: Mon Feb 18, 2008 3:57 pm
Joined: Sun Jun 12, 2005 10:55 pm
Posts: 3161
Location: Warwick, RI
Hi,

Some tidbits for firestarter...
apt-get install firestarter and it comes up running.

To administer it, I needed to add it to the sudoers list as it is a GUI and only mythtv can access the X server.

It does work. Very quick way to make your KM box become invisible :)
Mike



 Post subject: trying sshdfilter
PostPosted: Tue Feb 19, 2008 9:51 am
Joined: Tue Mar 28, 2006 8:26 pm
Posts: 804
Location: Minneapolis, MN
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.

I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.

I do have a couple of clarification questions, if someone could lend some expertise.

1. There is a section in the INSTALL text file where I'm not sure of the proper location for these commands.
Quote:
3.
Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD

Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
Would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh?

2. Is there a way to see the list of IP addresses that sshdfilter has blocked?

Insight appreciated,
Eric

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner



 Post subject: Re: trying sshdfilter
PostPosted: Wed Feb 20, 2008 4:52 am
Joined: Sun Aug 28, 2005 7:07 pm
Posts: 821
Location: Melbourne, Australia
neutron68 wrote:
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.


Ah, that's easy. Install denyhosts. Setup is easy, and you should probably change the number of attempts at invalid logins to, say, 2. I also changed the failed valid logins (where they guessed correctly the login name) to 3. My ssh logs are now a lot smaller :D

Mike

P.S. and change the deny type to ALL - that'll block them from any connection at all in the future.

_________________
*********************
LinHES 7.4
Australian Dragon
*********************



 Post subject: seems to be working
PostPosted: Fri Feb 22, 2008 8:54 am
Joined: Tue Mar 28, 2006 8:26 pm
Posts: 804
Location: Minneapolis, MN
I did try putting the iptables lines in the bootmisc.sh file and rebooted. It seems to be working. I see that it has been blacklisting attackers in the auth.log:
Code:
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB:NOID: ip=210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: No ssh id string from client, blocking 210.185.187.4 after 0 chances
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: pre fw add command is $fwcommand="iptables -A $chain -p tcp -s $ip --dport 22 -j DROP"
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 210.185.187.4 --dport 22 -j DROP

I would still like to know how I can view the blacklisted IP addresses as time goes on, but otherwise, I think I've got what I want! 8)

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner
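For readers who want to see what sshdfilter (this post) and denyhosts (Mike's post above) actually decide from auth.log, here is an added example, not either tool's own code, that applies the thresholds quoted in this thread to a constructed log excerpt and emits the DROP rule in the form the "post fw add command" line shows.

```python
"""Mirror the decision sshdfilter/denyhosts make from auth.log (added example;
not either tool's own code). Thresholds follow the thread: no SSH identification
string is blocked at once ("after 0 chances" in the sshdfilter log), failed
logins for non-existent users at 2 and for real users at 3 (the denyhosts
numbers Mike gave). Output is the rule sshdfilter appends for the address.
"""
import re
from collections import Counter

NOID = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+)")
THRESHOLDS = {"noid": 1, "invalid": 2, "valid": 3}   # failures that trigger a block


def classify(line):
    """Return (category, ip) for an sshd auth.log line, or None if irrelevant."""
    m = NOID.search(line)
    if m:
        return "noid", m.group(1)
    m = FAILED.search(line)
    if m:
        return ("invalid" if m.group(1) else "valid"), m.group(3)
    return None


def offenders(lines, thresholds=THRESHOLDS):
    """Return {ip: category} for every address that reached a threshold."""
    counts = Counter()
    blocked = {}
    for line in lines:
        hit = classify(line)
        if hit is None or hit[1] in blocked:
            continue                       # not an sshd failure, or already blocked
        counts[hit] += 1
        if counts[hit] >= thresholds[hit[0]]:
            blocked[hit[1]] = hit[0]
    return blocked


def block_command(ip, chain="SSHD", port=22):
    """The DROP rule sshdfilter appends for a blocked address."""
    return "iptables -A %s -p tcp -s %s --dport %d -j DROP" % (chain, ip, port)


# Constructed auth.log excerpt (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 198.51.100.4
Feb 22 00:31:02 mythtv sshd[3110]: Failed password for invalid user oracle from 203.0.113.8 port 40122 ssh2
Feb 22 00:31:05 mythtv sshd[3110]: Failed password for invalid user test from 203.0.113.8 port 40130 ssh2
Feb 22 00:40:11 mythtv sshd[3122]: Failed password for mythtv from 192.0.2.20 port 51000 ssh2
Feb 22 00:40:15 mythtv sshd[3122]: Failed password for mythtv from 192.0.2.20 port 51001 ssh2
Feb 22 00:40:20 mythtv sshd[3122]: Accepted publickey for mythtv from 192.0.2.20 port 51002 ssh2
""".splitlines()
```

The real user at 192.0.2.20 fails twice and then logs in with a key, so it stays under the valid-user threshold and is left alone.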



 Post subject: Re: seems to be working
PostPosted: Fri Feb 22, 2008 3:53 pm
Joined: Mon Mar 13, 2006 2:28 am
Posts: 143
Location: Brisbane, Australia
neutron68 wrote:
I would still like to know how I can view the blacklisted IP address as time goes on, but otherwise, I think I've got what I want! 8)


Code:
# iptables -L

_________________
MBE/FE ~ R5F27 ~ Asus A8N-VM-CSM ~ AMD64 3500+ ~ 1GB RAM ~ 1.5TB Storage ~ Nova-T-500 ~ SH-S183A DVDRW ~ LC20M Case ~ iMON-Pad Remote
FE ~ Diskless ~ Asus M2NPV-VM ~ AMD X2 BE-2350 (45w) ~ 1GB RAM ~ TT Lanbox Lite ~ iMON-Pad Remote



 Post subject: Re: seems to be working
PostPosted: Sat Feb 23, 2008 10:15 am
Joined: Tue Mar 28, 2006 8:26 pm
Posts: 804
Location: Minneapolis, MN
Kirk wrote:
Code:
# iptables -L

Oh, of course! Thank you! :oops:
You know, I'd used this command over and over at the start of the sshdfilter process and it was always empty. NOW it has entries in it.

Any idea if these lists clear out with each reboot?

Thanks very much!
Eric

_________________
KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner


