fra
Posted: Sat Sep 29, 2007 10:47 pm
tjc wrote: It sounds like you've misunderstood what it's for, and that is almost 180 degrees from what you seem to think. Requiring a password for authentication is the normal state of affairs, key authentication allows you to bypass that for trusted hosts. Therefore if you don't have a key you get prompted for a password. There is a different mechanism for allowing and disallowing remote hosts by IP address.
I see. Still, I'm using it to NOT allow anyone BUT trusted hosts [so you never get prompted for a password: you either have a key to my door or have to turn back].
I simply used hosts.allow and hosts.deny to deny all and allow only one IP addy. I decided my paranoia stops here; I won't go ahead and do that IP restriction from the router, just in case I'm away one day and want to change that restriction. I can, for now, ssh to the account that is allowed, ssh to the mythbox, and change the rules.
I still haven't figured out how to restrict the number of attempts. But Google will eventually do its magic.
EDIT: MaxAuthTries 3 (default is 6) in sshd_config does the job, as far as I'm concerned. After 1 failed attempt the subsequent 2 get logged. And I decided not to block any IPs after failed attempts, since the only IP that is allowed is my own and IP spoofing can cause ME to be blocked!! I think I'm happy with HTTPS [port changed from 443], key authentication, no password authentication ever, SSH tunneling, the only open port being the SSH one [changed from 22], and of course the router's firewall.
mattbatt
Posted: Wed Oct 24, 2007 12:21 am
graysky
Posted: Wed Oct 24, 2007 1:54 am
mattbatt wrote: to stop all legit web crawlers/spiders put this
Code:
User-agent: *
Disallow: /
Just for the sake of others.... don't forward ports to your mythtv box; keep it safe from the WAN unless you know what you're doing security-wise. More on this suggestion here.
_________________ Retired KM user (R4 - R6.04); friend to LH users.
neutron68
Posted: Sun Feb 17, 2008 9:14 am
mjl wrote: There was posted a couple simple iptable things that would also help lock down some more. It added two or three ssh password attempts and then reject for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed
I like the sound of that idea. I've been searching the KnoppMyth forum for the message you referenced, telling how to add iptables rules for SSH access. I'm not finding it.
People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?
Appreciated.
Eric
_________________ KnoppMyth R5.5, Asus A8N-VM CSM (nvidia 6150 onboard video), AMD Athlon 64 dual-core 4200+, two 1GB sticks DDR 400, HD-3000 HDTV card, PVR-150 card, Iguanaworks RS-232 IR receiver/transmitter, Pioneer DVR-110 DVD burner
Kirk
Posted: Sun Feb 17, 2008 5:26 pm
neutron68 wrote: People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?
You actually use the command 'iptables' as root to change them. That being said, I'm probably not the one to ask for specifics. I use a program called fail2ban to control my iptables settings - 'apt-cache show fail2ban'
_________________ MBE/FE ~ R5F27 ~ Asus A8N-VM-CSM ~ AMD64 3500+ ~ 1GB RAM ~ 1.5TB Storage ~ Nova-T-500 ~ SH-S183A DVDRW ~ LC20M Case ~ iMON-Pad Remote FE ~ Diskless ~ Asus M2NPV-VM ~ AMD X2 BE-2350 (45w) ~ 1GB RAM ~ TT Lanbox Lite ~ iMON-Pad Remote
neutron68
Posted: Sun Feb 17, 2008 10:32 pm
Ah. OK. So, the iptables lines shown on this page:
http://hostingfu.com/article/ssh-dictio ... h-iptables
Code:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
just get entered at a command line (as root) and then they end up in the appropriate file?
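As an added example (not from the thread or the linked article), here is a small Python model of what those two SSH_CHECK rules do, so you can see which NEW connections the `-m recent --seconds 60 --hitcount 4` rule drops and why a host that keeps retrying stays blocked. The connection list is constructed with documentation-range addresses, and the per-source stamp list is a simplification of the kernel module (which keeps the last 20 stamps) that gives the same counts here.

```python
from collections import defaultdict

# Constructed sample of NEW TCP/22 connection attempts as (seconds, source IP).
# Only NEW connections enter SSH_CHECK, so established sessions are never counted.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"),    # 4th NEW connection inside 60 s: dropped
    (45, "198.51.100.7"),    # keeps hammering: --update re-stamps it, still dropped
    (0, "203.0.113.9"), (70, "203.0.113.9"),   # two connections 70 s apart: fine
    (200, "198.51.100.7"),   # quiet for over 60 s: old stamps expire, accepted
]


def ssh_check(connections, seconds=60, hitcount=4):
    """Simulate the two SSH_CHECK rules from the thread:
         -A SSH_CHECK -m recent --set --name SSH
         -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    The recent module keeps a per-source list of packet timestamps. --set records
    the current packet; --update then counts stamps no older than `seconds` and,
    when there are at least `hitcount`, matches (DROP) and records one more stamp,
    which is why a host that keeps retrying never ages out of the block.
    Returns [(time, ip, verdict), ...] in time order."""
    stamps = defaultdict(list)
    verdicts = []
    for t, ip in sorted(connections):
        stamps[ip].append(t)                       # --set
        live = [s for s in stamps[ip] if t - s <= seconds]
        if len(live) >= hitcount:                  # --update ... --hitcount 4
            verdict = "DROP"
            live.append(t)                         # --update re-stamps on match
        else:
            verdict = "ACCEPT"
        # Simplification: stamps outside the window are discarded; the kernel keeps
        # up to 20 per source, but they would not be counted either way.
        stamps[ip] = live
        verdicts.append((t, ip, verdict))
    return verdicts


def dropped_ips(verdicts):
    """Set of source addresses that hit the DROP rule at least once."""
    return {ip for _, ip, v in verdicts if v == "DROP"}


if __name__ == "__main__":
    for t, ip, verdict in ssh_check(SAMPLE_CONNECTIONS):
        print(f"t={t:4d}s {ip:15s} {verdict}")
```

Note that the rule counts connections, not failed passwords: four quick scp or ssh sessions from your own machine trip it just the same, which is the kind of self-lockout fra worried about above.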
Kirk
Posted: Sun Feb 17, 2008 11:46 pm
Yep, but on reboot they'll need to be set again. So you'd probably append those commands to /etc/init.d/bootmisc.sh (for example), so they can be called on boot up.
mjl
Posted: Mon Feb 18, 2008 7:55 am
manicmike
Posted: Mon Feb 18, 2008 1:42 pm
Hi,
You could install Firestarter. It's a GUI for iptables. I don't use it, but a friend does, and loves it (he's a recent Linux convert).
It must, of course, be installed and run as root.
Mike
_________________ ********************* LinHES 7.4 Australian Dragon *********************
mjl
Posted: Mon Feb 18, 2008 3:57 pm
Hi,
Some tidbits for Firestarter...
apt-get install firestarter and it comes up running.
To administer it, I needed to add it to the sudoers list, as it is a GUI and only mythtv can access the X server.
It does work. Very quick way to make your KM box become invisible.
Mike
neutron68
Posted: Tue Feb 19, 2008 9:51 am
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.
I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.
I do have a couple of clarification questions, if someone could lend some expertise.
1. There is a section in the INSTALL text file where I'm not sure of the proper location for these commands.
Quote:
3. Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD
Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
Would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh?
2. Is there a way to see the list of IP addresses that sshdfilter has blocked?
Insight appreciated,
Eric
manicmike
Posted: Wed Feb 20, 2008 4:52 am
neutron68 wrote: My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.
Ah, that's easy. Install denyhosts. Setup is easy, and you should probably change the number of attempts at invalid logins to, say, 2. I also changed the failed valid logins (where they guessed the login name correctly) to 3. My ssh logs are now a lot smaller.
Mike
P.S. and change the deny type to ALL - that'll block them from any connection at all in the future.
neutron68
Posted: Fri Feb 22, 2008 8:54 am
I did try putting the iptables lines in the bootmisc.sh file and rebooted. It seems to be working. I see that it has been blacklisting attackers in the auth.log:
Code:
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB:NOID: ip=210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: No ssh id string from client, blocking 210.185.187.4 after 0 chances
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: pre fw add command is $fwcommand="iptables -A $chain -p tcp -s $ip --dport 22 -j DROP"
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 210.185.187.4 --dport 22 -j DROP
I would still like to know how I can view the blacklisted IP addresses as time goes on, but otherwise, I think I've got what I want!
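Added example, not from the thread or from sshdfilter itself: a Python parser that pulls the blocked addresses out of the two sshdfilter log line formats quoted above, so the blacklist can be reviewed over time from auth.log even after the live iptables chain has been rebuilt on a reboot. The log excerpt is constructed with documentation-range addresses.

```python
import re

# Constructed auth.log excerpt in the format sshdfilter writes (see the log quoted
# above); addresses are from documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 203.0.113.9
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB:NOID: ip=203.0.113.9
Feb 22 00:29:47 mythtv sshdfilt[3100]: No ssh id string from client, blocking 203.0.113.9 after 0 chances
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 203.0.113.9 --dport 22 -j DROP
Feb 22 03:12:09 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 198.51.100.7 --dport 22 -j DROP
Feb 23 07:45:31 mythtv sshdfilt[3100]: No ssh id string from client, blocking 203.0.113.9 after 0 chances
Feb 23 07:45:31 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 203.0.113.9 --dport 22 -j DROP
"""

TIMESTAMP = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshdfilt\[\d+\]: "
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# The same block event shows up twice: the human-readable "blocking" line and
# the debug line echoing the exact iptables command sshdfilter ran.
BLOCK_RE = re.compile(TIMESTAMP + r".*\bblocking " + IPV4 + r"\b")
FW_ADD_RE = re.compile(TIMESTAMP + r"DB: post fw add command is iptables -A \S+ -p tcp -s "
                       + IPV4 + r" .*-j DROP$")


def blocked_ips(log_text):
    """Fold the log into {ip: {"first": ts, "last": ts, "blocks": n}}.
    A block logged twice in the same second (readable line + debug line)
    counts once; a later re-block of the same address counts again."""
    seen_events = set()
    summary = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line) or FW_ADD_RE.match(line)
        if not m:
            continue
        ts, ip = m.group("ts"), m.group("ip")
        if (ts, ip) in seen_events:
            continue
        seen_events.add((ts, ip))
        entry = summary.setdefault(ip, {"first": ts, "last": ts, "blocks": 0})
        entry["last"] = ts
        entry["blocks"] += 1
    return summary


if __name__ == "__main__":
    for ip, info in blocked_ips(SAMPLE_AUTH_LOG).items():
        print(f"{ip:15s} blocks={info['blocks']} first={info['first']} last={info['last']}")
```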
Kirk
Posted: Fri Feb 22, 2008 3:53 pm
neutron68 wrote: I would still like to know how I can view the blacklisted IP address as time goes on, but otherwise, I think I've got what I want!
Code: # iptables -L
neutron68
Posted: Sat Feb 23, 2008 10:15 am
Kirk wrote:
Oh, of course! Thank you!
You know, I'd used this command over and over at the start of the sshdfilter process and it was always empty. NOW it has entries in it.
Any idea if these lists clear out with each reboot?
Thanks very much!
Eric