LinHES Forums
http://forums.linhes.org/

Securing KnoppMyth
http://forums.linhes.org/viewtopic.php?f=5&t=16766
Page 2 of 3

Author:  fra [ Sat Sep 29, 2007 10:47 pm ]
Post subject: 

tjc wrote:
It sounds like you've misunderstood what it's for, and that is almost 180 degrees from what you seem to think. Requiring a password for authentication is the normal state of affairs, key authentication allows you to bypass that for trusted hosts. Therefore if you don't have a key you get prompted for a password. There is a different mechanism for allowing and disallowing remote hosts by IP address.


I see.. Still I'm using it to NOT allow anyone BUT trusted hosts :) [so you never get prompted for a password.. you either have a key to my door or have to turn back..]

I simply used hosts.allow and hosts.deny to deny all and allow only one ip addy. I decided my paranoia stops here :) I won't go ahead and do that ip restriction from the router.. Just in case I'm away one day and want to change that restriction. I can, for now, ssh to the account that is allowed, ssh to the mythbox, and change the rules..

I still haven't figured out how to restrict the number of attempts. But google will eventually do its magic :)

EDIT: MaxAuthTries 3 (default is 6) in sshd_config does the job, as far as I'm concerned. After 1 failed attempt the subsequent 2 get logged. And I decided not to block any IPs after failed attempts since the only IP that is allowed is my own and IP spoofing can cause ME to be blocked!! I think I'm happy with https [port changed from 443], key authentication, no passwd authentication ever, ssh tunneling, only port that is open is the ssh one [changed from 22], and of course router's firewall.

Author:  mattbatt [ Wed Oct 24, 2007 12:21 am ]
Post subject: 

To stop all legit web crawlers/spiders, put this
Code:
User-agent: *
Disallow: /


in a new text file called robots.txt in the /var/www/ folder.

For more info: http://www.robotstxt.org/wc/robots.html

Author:  graysky [ Wed Oct 24, 2007 1:54 am ]
Post subject: 

mattbatt wrote:
To stop all legit web crawlers/spiders, put this
Code:
User-agent: *
Disallow: /


Just for the sake of others.... don't forward ports to your mythtv box; keep it safe from the WAN unless you know what you're doing security-wise. More on this suggestion here.

Author:  neutron68 [ Sun Feb 17, 2008 9:14 am ]
Post subject:  iptables - what file?

mjl wrote:
A couple of simple iptables things were posted that would also help lock down some more. It added two or three ssh password attempts and then a reject for x number of minutes. Helps stop the constant hammering on the front door from robots. If you can't enter your password correctly by the third try, maybe a cooling period is needed :)

I like the sound of that idea. I've been searching the Knoppmyth forum for the message you referenced, telling how to add iptables rules for SSH access. I'm not finding it.
People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?

Appreciated.
Eric

Author:  Kirk [ Sun Feb 17, 2008 5:26 pm ]
Post subject:  Re: iptables - what file?

neutron68 wrote:
People have made reference to iptables here and there, but no one has mentioned WHAT file you edit to add/change them. Can someone fill in the blank on this one?

You actually use the command 'iptables' as root to change them. That being said, I'm probably not the one to ask for specifics. I use a program called fail2ban to control my iptables settings - 'apt-cache show fail2ban'

Author:  neutron68 [ Sun Feb 17, 2008 10:32 pm ]
Post subject:  ah, I think I see

Ah. Ok. So, the iptables lines shown on this page:
http://hostingfu.com/article/ssh-dictio ... h-iptables
Code:
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

just get entered at a command line (as root) and then they end up in the appropriate file?
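A worked model of what those four rules actually do, added here as an example and not code from the thread or from the linked article: it simulates the kernel recent module's bookkeeping (a per-address ring of hit timestamps, 20 entries by default) for a sequence of new SSH connections and reports which ones the SSH_CHECK chain drops. The addresses and timings are constructed.

```python
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # default size of xt_recent's per-address ring of hit timestamps


class RecentList:
    """Model of one '-m recent --name SSH' list: hit timestamps per source IP."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, ip, now):
        """--set: record a hit for ip, creating the entry if it is new."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when ip has at least N hits
        within the last S seconds; a match also records the current packet."""
        hits = sum(1 for t in self.stamps.get(ip, ()) if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def simulate(events, seconds=60, hitcount=4):
    """Push new SSH connections, given as (time_in_seconds, source_ip), through the
    SSH_CHECK chain from the post: rule 1 '--set', rule 2 '--update --seconds 60
    --hitcount 4 -j DROP'. PASS means the packet left the chain and went on
    through the rest of INPUT."""
    ssh_list = RecentList()
    verdicts = []
    for now, ip in events:
        ssh_list.set(ip, now)                                  # rule 1
        dropped = ssh_list.update(ip, now, seconds, hitcount)  # rule 2
        verdicts.append((now, ip, "DROP" if dropped else "PASS"))
    return verdicts


# Constructed traffic: a scanner (203.0.113.7) hammering the port while a
# legitimate host (198.51.100.9) logs in twice in between.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (5, "198.51.100.9"), (10, "203.0.113.7"),
    (15, "198.51.100.9"), (20, "203.0.113.7"), (30, "203.0.113.7"),
    (85, "203.0.113.7"), (90, "203.0.113.7"), (200, "203.0.113.7"),
]

if __name__ == "__main__":
    for now, ip, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={now:>3}s  {ip:<14} {verdict}")
```

The fourth new connection inside 60 seconds is dropped, and because a dropped packet also refreshes the entry, the scanner stays throttled while it keeps hammering; the legitimate host is unaffected because the list is kept per source address.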

Author:  Kirk [ Sun Feb 17, 2008 11:46 pm ]
Post subject: 

Yep, but on reboot they'll need to be set again. So you'd probably append those commands to /etc/init.d/bootmisc.sh (for example), so they can be called on boot up.

Author:  mjl [ Mon Feb 18, 2008 7:55 am ]
Post subject: 

Hi,

This is one of the posts I was thinking of:
http://knoppmyth.net/phpBB2/viewtopic.p ... 25e7a0c65f

Mike

Author:  manicmike [ Mon Feb 18, 2008 1:42 pm ]
Post subject: 

Hi,

You could install firestarter. It's a gui for iptables. I don't use it, but a friend does, and loves it (he's a recent linux convert).

It must, of course, be installed and run as root.

Mike

Author:  mjl [ Mon Feb 18, 2008 3:57 pm ]
Post subject: 

Hi,

Some tidbits for firestarter...
apt-get install firestarter and it comes up running.

To administer it, I needed to add it to the sudoers list as it is a GUI and only mythtv can access the X server.

It does work. Very quick way to make your KM box become invisible :)
Mike

Author:  neutron68 [ Tue Feb 19, 2008 9:51 am ]
Post subject:  trying sshdfilter

My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.

I went to http://www.csc.liv.ac.uk/~greg/sshdfilter/ and downloaded the code for the 1.5.5 version of sshdfilter. I read the INSTALL file to see how easy/hard it was to install. You can pick standalone mode or as an sshd wrapper. There are perl scripts for either choice that autoinstall and configure for you. The script autodetects if you have Debian, Redhat, Slackware, etc. and makes the correct tweaks for that distro. When the script was done, all I had to do was /etc/init.d/ssh restart.

I do have a couple of clarification questions, if someone could lend some expertise.

1. There is a section in the INSTALL text file where I'm not sure of the proper location for these commands.
Quote:
3.
Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD

Add a jump to SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
Would the 2 iptables lines go in the file /etc/init.d/bootmisc.sh ?

2. Is there a way to see the list of IP addresses that sshdfilter has blocked?

insight appreciated,
Eric

Author:  manicmike [ Wed Feb 20, 2008 4:52 am ]
Post subject:  Re: trying sshdfilter

neutron68 wrote:
My main goal is to automatically block an IP address from SSH after they have shown that they are a dictionary login attacker - after a few failed names. It sounds like sshdfilter will do that.


Ah, that's easy. Install denyhosts. Setup is easy, and you should probably change the number of attempts at invalid logins to, say, 2. I also changed the failed valid logins (where they guessed correctly the login name) to 3. My ssh logs are now a lot smaller :D

Mike

P.S. and change the deny type to ALL - that'll block them from any connection at all in the future.

Author:  neutron68 [ Fri Feb 22, 2008 8:54 am ]
Post subject:  seems to be working

I did try putting the iptables lines in the bootmisc.sh file and rebooted. It seems to be working. I see that it has been blacklisting attackers in the auth.log:
Code:
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB:NOID: ip=210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: No ssh id string from client, blocking 210.185.187.4 after 0 chances
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: pre fw add command is $fwcommand="iptables -A $chain -p tcp -s $ip --dport 22 -j DROP"
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 210.185.187.4 --dport 22 -j DROP

I would still like to know how I can view the blacklisted IP address as time goes on, but otherwise, I think I've got what I want! 8)
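Since auth.log keeps its entries across reboots while the in-kernel SSHD chain does not, a small parser of those sshdfilt lines gives a running history of what has been blocked. This is an added example, not part of the thread or of sshdfilter itself; the first five sample lines are the excerpt above and the last two are constructed in the same format to show a second address.

```python
import re

# Constructed sample: the first five lines are the auth.log excerpt from the post,
# the last two are made up in the same format to show a second blocked address.
SAMPLE_AUTH_LOG = """\
Feb 22 00:29:47 mythtv sshd[3101]: Did not receive identification string from 210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB:NOID: ip=210.185.187.4
Feb 22 00:29:47 mythtv sshdfilt[3100]: No ssh id string from client, blocking 210.185.187.4 after 0 chances
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: pre fw add command is $fwcommand="iptables -A $chain -p tcp -s $ip --dport 22 -j DROP"
Feb 22 00:29:47 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 210.185.187.4 --dport 22 -j DROP
Feb 22 03:11:02 mythtv sshdfilt[3100]: No ssh id string from client, blocking 198.51.100.23 after 0 chances
Feb 22 03:11:02 mythtv sshdfilt[3100]: DB: post fw add command is iptables -A SSHD -p tcp -s 198.51.100.23 --dport 22 -j DROP
"""

# Matches the sshdfilt line that announces a block: timestamp, reason, address, chances.
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshdfilt\[\d+\]: "
    r"(?P<reason>.*?), blocking (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) after (?P<chances>\d+) chances"
)


def blocked_hosts(log_text):
    """Return {ip: {"first_seen": ts, "reason": ..., "count": n}} for every
    address sshdfilter reported blocking, in order of first appearance."""
    hosts = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue  # sshd's own lines and the DB: debug lines are skipped
        entry = hosts.setdefault(m["ip"], {"first_seen": m["ts"], "reason": m["reason"], "count": 0})
        entry["count"] += 1
    return hosts


def report(log_text):
    """One line per blocked address, the way you would eyeball it in a terminal."""
    return [f"{ip:<16} first blocked {h['first_seen']}  x{h['count']}  ({h['reason']})"
            for ip, h in blocked_hosts(log_text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTH_LOG)))
```

Run it against the real file with `python3 this_script.py` after swapping SAMPLE_AUTH_LOG for `open("/var/log/auth.log").read()`; `iptables -L SSHD -n` still shows the current in-kernel state, which is what empties on reboot.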

Author:  Kirk [ Fri Feb 22, 2008 3:53 pm ]
Post subject:  Re: seems to be working

neutron68 wrote:
I would still like to know how I can view the blacklisted IP address as time goes on, but otherwise, I think I've got what I want! 8)


Code:
# iptables -L

Author:  neutron68 [ Sat Feb 23, 2008 10:15 am ]
Post subject:  Re: seems to be working

Kirk wrote:
Code:
# iptables -L

Oh, of course! Thank you! :oops:
You know, I'd used this command over and over at the start of the sshdfilter process and it was always empty. NOW it has entries in it.

Any idea if these lists clear out with each reboot?

Thanks very much!
Eric

Page 2 of 3 All times are UTC - 6 hours