Re: Opening ports in my firewall

From: Walter Dnes (delete the 'z' to get my real address) (wzaltdnes_at_waltdnes.org)
Date: 08/05/04

  • Next message: Mark Adams: "Re: Port 785 = Network Terrorist?"
    Date: 5 Aug 2004 02:59:45 GMT
    
    

    On Tue, 03 Aug 2004 08:05:48 -0500, Harry Putnam, <reader@newsguy.com> wrote:
    > "Walter Dnes (delete the 'z' to get my real address)" <wzaltdnes@waltdnes.org> writes:
    >
    > > 2) This may be a bit more painful, but consider accepting connections
    > > only with DSA keys, and not allowing manual password logins.
    > > Brute-forcing a DSA key is a helluva lot more difficult than a password.
    >
    > Walter, sorry to *** in here but, I've wondered about password method
    > for a while and your post started to get to the crux of it.
    >
    > Can you spell the above method out a little. I guess you mean the
    > method where you exchange id_dsa.pub keys and keep them an
    > authorized_keys file right? But how is this limiting done?

       More details in "man sshd_config". To disable logins via typing in
    the password, make the following entry in /etc/ssh/sshd_config

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no

    > But that would assume you always know in advance what machine you
    > will be sshing in from (or at least a group of possible machines).
    > So that would be pretty much the same as using /etc/hosts.allow
    > it seems.
    >
    > In a situation where one may ssh in from machines unknowable in
    > advance, is there really any other technique than password?

       Once you have the keys set up on one machine, so that you can log in
    from it, copy the ~/.ssh directory to a floppy or usb key. Go over to
    the new machine you want to log in from and depending on your paranoia
       - copy the .ssh directory to the new machine, if you control it, or
       - mount the floppy (or usb key) and use ssh with the "-i" parameter
         to point to a non-default location for your ssh DSA (or RSA) key
      Note that ssh is paranoid about permissions for the files. The .ssh
    directory has to be "chmod 700" and the files in it "chmod 600". One of
    the files doesn't need that, but rather than trying to remember which
    one, I just keep them all owner-only for access.

       I use a floppy for this. I have an old Win98SE machine for
    multimedia sites that insist on WMP and IE. My backup procedure is to
    boot the Windows machine from a Knoppix CD. My floppy has a script that
    does the appropriate ifconfig and route commands as well as setting up
    the ~/.ssh directory. I then back up C: like so...

    dd if=/dev/hda1 | ssh -2 waltdnes@192.168.123.250 'cat - > win98_c'

       If C: ever gets infected, I can blow it away and restore in the other
    direction from a clean snapshot. I can loop-mount the drive image on
    the linux machine if I only want one or two files.

       And if you're going to be accessing from another IP address, do
    remember to poke appropriate holes in hosts.allow and iptables. If
    you're coming in from anywhere, that means allowing from all IP
    addresses.

    > If one uses a good password wouldn't a dictionary attack take a very
    > long time? And with ssh only allowing 3 login attempts at a time, you
    > could be talking weeks of effort. Or is there some other way with ssh
    > password auth that is a quicker crack.

       Password authentication uses your regular login password, which can be
    discovered in other ways. DSA-key authentication will still work even
    if an attacker discovers your regular password. I just noticed a
    message in news.admin.net-abuse.email...

    -> Subject: [OT] SSH Password Guessing Script Running
    -> Message-ID: <Ma-dnav_2KeLSZPcRVn-pg@comcast.com>
    ->
    -> Noticed the first attempt a few weeks ago trying for user names guest
    -> and test. If you're running SSH this script is searching for you and
    -> trying for easily guessable passwords. Probably coming from already
    -> owned/rooted machines. Here are some excerpts from my security log
    -> that alerted me. If you have SSH running it's probably a good idea
    -> to make sure you don't have the user name guest or test and it will
    -> quickly give up.
    ->
    -> Jul 16 08:42:07 admin sshd[19542]: Illegal user test from 62.100.21.188
    -> Jul 16 08:42:08 admin sshd[19562]: Illegal user guest from 62.100.21.188
    -> Jul 22 04:14:34 admin sshd[3446]: Illegal user test from 64.230.97.170
    -> Jul 22 04:14:34 admin sshd[3448]: Illegal user guest from 64.230.97.170
    -> Jul 23 18:48:49 admin sshd[1167]: Illegal user test from 211.23.151.74
    -> Jul 23 18:48:49 admin sshd[1169]: Illegal user guest from 211.23.151.74
    -> Aug 2 16:03:36 admin sshd[6539]: Illegal user test from 66.98.186.87
    -> Aug 2 16:03:36 admin sshd[6542]: Illegal user guest from 66.98.186.87

    > Also, is it possible to limit incoming ssh to a particular username?
    > And that user ends up in a chroot jail or something. Needing yet
    > another password (root's) to do damage.

       If you have "PasswordAuthentication no", then the only accounts you
    can log into are those with a ~/.ssh directory containing your public
    key. Even with password authentication, there is an "AllowUsers" option
    (see "man sshd_config") that can restrict which accounts are allowed to
    accept ssh logins.

       If you give someone a shell account, then they can use "su" or some
    form of privilege-escalation attack if they're hostile.

    -- 
    Walter Dnes; my email address is *ALMOST* like wzaltdnes@waltdnes.org
    Delete the "z" to get my real address.  If that gets blocked, follow
    the instructions at the end of the 550 message.
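The two mechanical steps in Walter's reply (the PasswordAuthentication entry in sshd_config, and the chmod 700/600 rule for a .ssh directory carried to another machine) are easy to get subtly wrong, so here is an added shell example; it is not from the post and not part of OpenSSH. It shows the one caveat a practitioner wants for the sshd_config change: sshd uses the FIRST occurrence of a keyword, so appending "PasswordAuthentication no" below a stock "PasswordAuthentication yes" line changes nothing. It also fixes the .ssh permissions the way the post describes, with the one file that does not need 600 being the *.pub public key. The two config files, the account name and the key file names are constructed for the demo; the script only writes under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an sshd_config for
# password logins and AllowUsers, and fixes permissions on a copied ~/.ssh.
# All paths below are temporary demo files; nothing touches the real sshd.

# Effective value of a keyword in sshd_config. sshd takes the FIRST
# occurrence of a keyword, so a hardening line appended at the bottom is
# silently ignored if an earlier line already set it. Keywords are
# case-insensitive; comment and blank lines are skipped. (Match blocks are
# not modelled here; this reads the global section only.)
sshd_effective() {  # $1 = keyword, $2 = config file
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key {
            out = $2; for (i = 3; i <= NF; i++) out = out " " $i
            print out; exit
        }
    ' "$2"
}

# True (exit 0) if password logins are still possible. The sshd default
# when the keyword is absent is "yes".
password_logins_allowed() {  # $1 = config file
    v=$(sshd_effective PasswordAuthentication "$1")
    [ "${v:-yes}" = "yes" ]
}

# Make a copied .ssh directory acceptable to ssh: 700 on the directory,
# 600 on private keys and the rest, 644 only on the *.pub public keys.
fix_ssh_dir_perms() {  # $1 = .ssh directory
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}

# Permission string of a file, e.g. "rw-------" (portable via ls).
perms_of() { ls -ld "$1" | cut -c2-10; }

demo_dir=$(mktemp -d)

# Constructed config 1: stock "yes" line left in place, "no" appended later.
# First keyword wins, so passwords stay enabled despite the last line.
cat > "$demo_dir/weak" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Constructed config 2: the entry from the post plus an AllowUsers line
# (account name is an assumption for the demo).
cat > "$demo_dir/hard" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers waltdnes
EOF

# Constructed .ssh directory as it might arrive from a floppy/USB copy,
# with a deliberately wrong mode on the private key (ssh would refuse it).
mkdir -p "$demo_dir/dotssh"
touch "$demo_dir/dotssh/id_dsa" "$demo_dir/dotssh/id_dsa.pub" "$demo_dir/dotssh/known_hosts"
chmod 666 "$demo_dir/dotssh/id_dsa"
fix_ssh_dir_perms "$demo_dir/dotssh"

if password_logins_allowed "$demo_dir/weak"; then
    echo "weak: password logins still ALLOWED (first keyword wins)"
fi
password_logins_allowed "$demo_dir/hard" || echo "hard: password logins disabled"
echo "hard: AllowUsers = $(sshd_effective AllowUsers "$demo_dir/hard")"
ls -l "$demo_dir/dotssh"
```

To check a live server, run sshd_effective against /etc/ssh/sshd_config, or better, ask the daemon for its effective configuration with "sshd -T" (available on newer OpenSSH releases) rather than reading the file, since that also resolves Match blocks. The demo leaves its temporary directory behind; remove it when done.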
    
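The quoted log excerpt ("Illegal user test from ...") is exactly the kind of thing the reply suggests watching for before poking holes in hosts.allow and iptables. As an added example (not from the post), the script below turns such lines into a per-source count and prints the hosts.deny and iptables lines that would block the heavy hitters. The log lines are constructed sample data modelled on the excerpt, with a "Failed password" line and an "Accepted publickey" line added; newer OpenSSH releases write "Invalid user" instead of "Illegal user", so both spellings are matched. The threshold, the port 22 and the interface-free iptables rule are assumptions for the demo; nothing is applied to the running system.

```shell
#!/bin/sh
# Added example (not from the original post): detect SSH password-guessing
# scripts from sshd log lines and emit block lines for the worst sources.

# Constructed sample log, modelled on the excerpt quoted in the post.
SAMPLE_LOG='Jul 16 08:42:07 admin sshd[19542]: Illegal user test from 62.100.21.188
Jul 16 08:42:08 admin sshd[19562]: Illegal user guest from 62.100.21.188
Jul 16 08:42:09 admin sshd[19570]: Failed password for illegal user admin from 62.100.21.188 port 4022 ssh2
Jul 22 04:14:34 admin sshd[3446]: Illegal user test from 64.230.97.170
Jul 22 04:14:34 admin sshd[3448]: Illegal user guest from 64.230.97.170
Aug  2 16:03:36 admin sshd[6539]: Invalid user test from 66.98.186.87
Aug  2 16:03:40 admin sshd[6600]: Accepted publickey for waltdnes from 192.168.123.5 port 40112 ssh2'

# Count unknown-user and failed-password attempts per source IP.
# Reads log text on stdin; prints "<count> <ip>", busiest first.
# The IP is the token after "from" in every sshd message shape above.
attempts_per_ip() {
    awk '
        /Illegal user|Invalid user|Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
        }
        END { for (a in ip) print ip[a], a }
    ' | sort -rn
}

# Usernames the script probed (guest and test in the post), unique, sorted.
probed_users() {
    awk '/Illegal user|Invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
        }' | sort -u
}

# Source IPs with at least $1 attempts.
offenders() {  # $1 = threshold; log on stdin
    attempts_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# hosts.deny entry and iptables rule for each offender. Printed only;
# review before pasting into /etc/hosts.deny or running as root.
block_lines() {  # $1 = threshold; log on stdin
    offenders "$1" | while read -r ip; do
        echo "sshd: $ip"
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

echo "attempts per source:"
printf '%s\n' "$SAMPLE_LOG" | attempts_per_ip
echo "usernames probed: $(printf '%s\n' "$SAMPLE_LOG" | probed_users | tr '\n' ' ')"
echo "block lines for sources with >= 2 attempts:"
printf '%s\n' "$SAMPLE_LOG" | block_lines 2
```

On a real box feed it the auth log instead of the sample, e.g. "grep sshd /var/log/auth.log | attempts_per_ip". The counts are only a signal: one or two "Illegal user" lines from a host is the scanner moving on, as the quoted poster says, while a long run of "Failed password" for a real account name is a targeted guess and worth a hosts.deny entry whatever the threshold.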
