Re: Possible attack?
On Tue, 23 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
<slrngdiodv.gso.syl@xxxxxxxxxxxxxxxxxxxxxx>, Sylvain Robitaille wrote:

> Moe Trin wrote:
>
>> ... If a specific service isn't meant to be offered to everyone,
>> making it more difficult to find may be a valid decision ...
>
> Well, if a specific service isn't meant to be offered to everyone, one
> might argue that the first step in ensuring that, is that the service
> shouldn't be *visible* to everyone, or at least it shouldn't *respond*
> to everyone.

I think that is the one that most smart people adopt. My home system
under "normal" conditions accepts connections from a /22 and two /24s
on the outside. In the somewhat rare situations when I'm traveling,
I've taken to using a port-knocking scheme (where you first attempt
to connect to an otherwise un-used port - the firewall notes the
attempt, and unblocks access to the SSH server from "that" address for
one minute). I still have to authenticate (an RSA key on a USB memory
card) so the knocking isn't really security, but more "noise
reduction".

> Yes, that's certainly advisable, as one layer of security. More to
> the point, I generally advise configuring a firewall (in whatever form
> that might be) to permit access only from those addresses (or address
> ranges) where legitimate access is expected. As you no doubt imagine,
> the reactions I get are frequently similar to those you get, but the
> approach works really well.

We're a research facility for the company, and have somewhat less of a
"need" to log in from the outside world. This permits pretty
restrictive limits on such access.

>> Another reason some get unhappy is that they must log every failed
>> attempt ....
>
> I normally advise folks to worry about the attempts that didn't fail.
> Those that failed are the result of your configuration working as it
> should ...

Exactly. That's also why the USB dongle only provides part of the
authentication - the users still need a password that gets hashed in
to create the actual credentials.

>> They will be slowed if they must first _find_ the port.
>
> As quoted above, they "won't be slowed very much". In fact, in my
> opinion, they won't be slowed enough to offset the inconvenience to
> users who will then need to remember to send their SSH clients to the
> non-standard port.

It's amazing how much fits into those little USB dongles today. We
are getting more concerned with 'homeland security' idiots than we used
to be. There has always been the worry about having a laptop stolen
at the security check-point, which is why filesystem encryption is more
common, but now that may result in the laptop being detained while the
CBP look for illegal files. See the stuff in news://comp.risks issues
25-28 (12 Aug, 2008) and 25-14 (2 May, 2008) including the EFF URL.

>> A problem with this is that most users can't remember their own
>> telephone number or postal delivery code, and expecting them to
>> remember any port number is probably asking too much.
>
> Well, after all, we're asking them to remember reusable passwords too,
> without using simple dictionary words! Some of us even insist that
> they not write them down on a sticky-note taped to their monitors (oh
> the nerve we have!)

The sticky-note on the monitor, or on the bottom of the keyboard (or
mouse) had a fairly short life here - we got tagged in a government
security audit many years ago, and there was hell to pay. We _try_ to
help our users by having a regular hand-out that shows ways to create
and remember more difficult passwords - the "n'th letter of the words
of a phrase/song" seems to be tolerable, and a heck of a lot more
secure than the phone number of the bookie, pizza-joint, or whatever.

Old guy
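Two points in the thread above (restricting SSH access to a few known address ranges, and worrying about the login attempts that did *not* fail) come together in the following log-review script. It is an added example, not code from either poster: it parses sshd log lines, counts the failed attempts as the "noise" the firewall is expected to produce, and flags any *accepted* login whose source address falls outside a hypothetical allow-list standing in for the "/22 and two /24s" mentioned in the post. The log lines and the allow-list are constructed for the example and use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original post). The
# addresses are RFC 5737 documentation ranges, so none is a real host.
SAMPLE_LOG = """\
Sep 23 10:01:12 host sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Sep 23 10:01:15 host sshd[2101]: Failed password for root from 198.51.100.7 port 40123 ssh2
Sep 23 10:02:40 host sshd[2107]: Accepted publickey for alice from 192.0.2.45 port 51234 ssh2: RSA SHA256:abc
Sep 23 10:03:02 host sshd[2110]: Invalid user admin from 198.51.100.9 port 33020
Sep 23 10:05:19 host sshd[2115]: Accepted password for bob from 203.0.113.200 port 55002 ssh2
Sep 23 10:06:00 host sshd[2120]: Failed publickey for alice from 192.0.2.46 port 51300 ssh2: RSA SHA256:def
"""

# Hypothetical allow-list: the networks from which legitimate SSH logins
# are expected (the post's "/22 and two /24s"; these values are made up).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/26")]

# "Accepted <method> for <user> from <ip> port <n>" and the matching
# "Failed ..." form; "invalid user" may be inserted before the user name.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Probes for accounts that do not exist log a separate "Invalid user" line.
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def is_allowed(ip, nets):
    """True if the source address lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(log_text, allowed_nets):
    """Summarise sshd log lines: failures are counted per source as noise,
    accepted logins are listed, and accepted logins from outside the
    allow-list are singled out as the events worth a human's attention."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            if m["result"] == "Accepted":
                accepted.append({
                    "user": m["user"],
                    "ip": m["ip"],
                    "method": m["method"],
                    "allowed": is_allowed(m["ip"], allowed_nets),
                })
            else:
                failures[m["ip"]] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            failures[m["ip"]] += 1
    outside = [a for a in accepted if not a["allowed"]]
    return {
        "failed_total": sum(failures.values()),
        "failed_by_source": failures,
        "accepted": accepted,
        "accepted_outside_allowlist": outside,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, ALLOWED_NETS)
    print(f"failed attempts (expected noise): {report['failed_total']}")
    for ip, n in report["failed_by_source"].most_common():
        print(f"  {ip}: {n}")
    print(f"accepted logins: {len(report['accepted'])}")
    for a in report["accepted_outside_allowlist"]:
        print(f"  REVIEW: {a['user']} via {a['method']} from {a['ip']} "
              f"(outside allowed ranges)")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) and the interesting output is the short REVIEW list, not the failure counts; if the firewall really only admits the allowed ranges, that list should be empty, and any entry on it means either the firewall rules or the allow-list are wrong.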