[App_rpt-users] SSH Security Issues

Wayne wayne at anywherehost.net
Fri Sep 26 15:40:04 UTC 2014


I am a little late to this thread. As I've mentioned in the past I work for
a web hosting business and we are all too familiar with SSH attacks. Years
ago we allowed SSH to our customers and we were regularly rebuilding server
OSes and attempting to restore customer data. It was maddening. We shut off
all SSH except from specific IPs. That is easier than choosing a different
port. Many/most hackers will do a port scan before a hack to see what's
open.

We use hardware firewalls and intelligent switches. As a general rule one
should ALWAYS use a "stateful" firewall. This means that everything is off
by default and one builds policies for each service including SSH. During
this process one makes an exception allowance for specific IP(s) or
subnets. Keep the subnet small if you can. If you are trying to access from
a dynamic IP consider using a discreet DNS provider. But never run DMZ.
Always check your logs and if you see IPs attempting access on any port
that are not you or a twisted servant then blacklist the IP!

You may also deploy a "honey pot" server whose job it is to be discovered
before the real server. Ipconfig rules will let them in like the Roach Motel
but not come out. More importantly, it logs their IP, which you are
duty-bound to blacklist.

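The default-deny, allow-from-specific-subnets policy Wayne describes above, written out as an iptables ruleset. This is an added example, not code from the list or from any project: iptables is the firewall Jon names later in the thread, 4569/udp is the IAX port Doug names, and the SSH port (22), the two admin CIDRs and the BLACKLIST/LOGDROP chain names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: build a stateful default-deny iptables ruleset that admits
# SSH only from named admin subnets, keeps the AllStar IAX port reachable,
# and logs then drops everything else.  Prints the rules; set
# FIREWALL_APPLY=1 (as root) to execute them.  The CIDRs are assumptions.

SSH_PORT="${SSH_PORT:-22}"

# Print one iptables command per line.  $1 = SSH port; remaining args are
# the CIDRs allowed to open a new SSH connection.
build_ruleset() {
    port="$1"; shift
    cat <<EOF
iptables -F
iptables -X
iptables -N BLACKLIST
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A LOGDROP -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j BLACKLIST
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Stateful: only NEW connections need a rule, and only from the allowlist.
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp -s $cidr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -p udp --dport 4569 -j ACCEPT
iptables -A INPUT -j LOGDROP
EOF
}

# Rule that blacklists one address; the BLACKLIST chain is consulted before
# the ESTABLISHED rule, so an already-open session from that IP dies too.
blacklist_rule() {
    echo "iptables -I BLACKLIST 1 -s $1 -j DROP"
}

# Return 0 when ruleset text $1 admits new SSH (port $3) from CIDR $2.
ssh_allowed_from() {
    printf '%s\n' "$1" | grep -q -- "-s $2 --dport $3 .*-j ACCEPT"
}

RULES="$(build_ruleset "$SSH_PORT" 203.0.113.0/28 198.51.100.7/32)"

if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Review the printed rules before applying them from a console, not over SSH, since a typo in the allowlist locks you out. The log prefix is what you grep for when reviewing who is probing; the rate limit keeps a scan from filling the log.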
-----Original Message-----
From: app_rpt-users-bounces at ohnosec.org
[mailto:app_rpt-users-bounces at ohnosec.org] On Behalf Of Ken W4NOC
Sent: Thursday, September 25, 2014 2:38 PM
To: app_rpt-users at ohnosec.org
Subject: [App_rpt-users] SSH Security Issues

DMZ will invite SSH attacks and about every other known hack.  Within a few
days or a week they will zero in on your public IP.  I know someone that
inadvertently left their machine behind a DMZ and the SSH attack traffic was
incredible.

Pick an odd port for your SSH.  I won't mention the ports we use on this 
reflector.  That is what we did on several nodes and that stopped the SSH 
attacks.

All of the hacks know to go after port 22 and they have long wised up to 
222.  So, you may wish to avoid 222 as your SSH port.   As already 
mentioned, pick a really good password.

Ken
W4NOC


>
> Message: 3
> Date: Thu, 25 Sep 2014 10:16:12 -0500
> From: Joe Bennett <aprs at ka3nam.com>
> To: app_rpt-users at ohnosec.org
> Subject: Re: [App_rpt-users] Security Issues
> Message-ID: <542431BC.6010708 at ka3nam.com>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> I guess I'm worried about some of the 'security' comments being shared
> here... First of all, if there is a service that is not used, it should
> be disabled. Firewall or no firewall... It's somewhat like locking the
> doors of your car, but leaving the convertible top down... Second, while
> fail2ban would stop the potential 'hacker' from potentially reaching the
> service or application itself, the incoming packet/ frame still has to
> be processed to find out if it should be banned, dropped or allowed...
> So a DoS or DDoS attack is not squelched...
>
> A couple of things to recommend is that you use some sort of two-factor
> authentication on your SSH users. Google auth is free and works well...
> Find yourself a password generator and make strong passwords (like 32
> characters)... Disable any service that is not critical for the
> operation of the intended use... I recommend all of these, and best of
> all, ALL of this can be done for FREE! Installation and setup can
> readily be found online...
>
>
> -Joe
> KA3NAM
>
>
> On 9/25/2014 9:06 AM, Jon Byrne wrote:
>> Hi Loren,
>>
>> I guess you are running your Allstar node on a Virtual server, I do
>> the same and have found bouts of activity from Chinese IP Addresses
>> and other countries. Mostly SIP attempts, but also SSH.
>>
>> If you do not use SIP then unload it and set your IPTABLES to block
>> that port.
>>
>> As for the SSH, this will probably not be a targeted attack; more
>> likely they are targeting the block of IP Addresses yours is in. If you
>> have specific IP Addresses you connect to then you can lock
>> connections to those IPs, plus install fail2ban as mentioned and
>> ensure there is a secure password and you should be ok. You could also
>> enable PORTKNOCKING http://en.wikipedia.org/wiki/Port_knocking
>>
>> As for the 3101702 connection, is that not an Echolink node?
>>
>> http://ns2.s13avahost.net/repeaters/echolink/node_status.php?node=CX4BBH#sthash.n00kxN55.32DNtjrl.dpbs
>>
>> Hope that helps.
>>
>> Jon
>> 2E0RFU
>>
>>
>>
>> ------------
>> Jon Byrne
>> email at jonbyrne.com <mailto:email at jonbyrne.com>
>>
>> On 25 September 2014 08:43, Ken Boyle <ken at kc2idb.net
>> <mailto:ken at kc2idb.net>> wrote:
>>
>>     You could also install fail2ban. By default it allows three failed
>>     password attempts. Then temporarily bans the IP address.
>>
>>     On Sep 24, 2014 10:43 PM, Doug Crompton <doug at crompton.com
>>     <mailto:doug at crompton.com>> wrote:
>>     >
>>     > I assume you have the linux box behind a router? If so why would
>>     you have sip even routed to your linux box if you are not using
>>     it? Routers make good firewalls. The only things you should have
>>     routed are 4569 (udp) and 222 (tcp), and neither has to be routed.
>>     4569 would only need to be routed if you wanted to accept incoming
>>     connections. Outgoing would work fine without it. 222 would only
>>     be needed for administration.
>>     >
>>     > From what you are saying you obviously must not have a front-end
>>     (router firewall etc.) on your system . It sounds like you are
>>     just hanging on the raw Internet!! Some people go the easy route
>>     and put things in the DMZ of their routers which does open them
>>     up to the world. I went into an Allstar system this week to help
>>     with setup and I immediately knew it was on the DMZ. In the
>>     Asterisk client I was getting sip messages left and right. I
>>     unloaded the sip module and they went away. Not the right way to
>>     do it though as it should not be on dmz to begin with. Simply not
>>     having a sip.conf file does not prevent sip traffic!!!
>>     >
>>     > Assuming you have a router there should be no need to disable
>>     sip as it is never going to get to your box unless you port
>>     forward it there. It would be a good idea though to not load the
>>     code for it if you are not using it. A noload=chan_sip.so   in
>>     modules.conf would take care of that.
>>     >
>>     > Most good routers also allow you to specify specific or blocks
>>     of IP addresses to disallow. If there is a specific foreign block,
>>     say in China you can identify you could probably block it.
>>     >
>>     > So the bottom line is you could make your linux system totally
>>     unavailable to the outside world by just not forwarding any ports.
>>     The downside is no one could connect to you (sometimes desirable)
>>     and you could not remotely administer your system.
>>     >
>>     >
>>     > 73 Doug
>>     > WA3DSP
>>     > http://www.crompton.com/hamradio
>>     >
>>     >
>>     > ________________________________
>>     > Date: Wed, 24 Sep 2014 20:52:22 -0500
>>     > From: lorentedford at gmail.com <mailto:lorentedford at gmail.com>
>>     > To: app_rpt-users at ohnosec.org <mailto:app_rpt-users at ohnosec.org>
>>     > Subject: [App_rpt-users] Security Issues
>>     >
>>     > Hey its Loren here again...
>>     >
>>     > Was curious what everyone found was the most substantial
>>     security risk with an Acid installation connected to two
>>     repeaters.. The sip.conf was deleted from the asterisk folder..
>>     Noticed a strange node connection that didn't match Allstar's
>>     normal node numbers, 3101702, also found something with
>>     x.allstarlink.org <http://x.allstarlink.org> in it anybody know
>>     what this is?? Anyway my linode server has been under constant
>>     attack from China they keep wanting to ssh into the server we had
>>     to drastically beef up things on the server such as changing the
>>     whole root user issue and moving to another port number etc.. Any
>>     thoughts ideas did i just become victim of a Sip attack too
>>     besides 19 ddos attacks this week already and over a million
>>     failed ssh attempts into my personal linode server...
>>     >
>>     >
>>     > Loren Tedford (KC9ZHV)
>>     > Email: lorentedford at gmail.com <mailto:lorentedford at gmail.com>
>>     >
>>     > http://www.lorentedford.com
>>     > http://www.Ltcraft.net
>>     > http://www.richlandcountycomputers.com
>>     > http://kc9zhv.lorentedford.com
>>     >
>>     >
>>
>>
>>
>>
>

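The ban decision that Ken Boyle's and Jon Byrne's fail2ban suggestion above relies on, reduced to a shell/awk pass over sshd "Failed password" lines with the three-strike threshold Ken quotes. This is an added example, not fail2ban's own code and not from the thread; the auth.log lines are constructed for the example and use documentation address ranges.

```shell
#!/bin/sh
# Added example: count sshd password failures per source IP and name the
# addresses that reached maxretry, the way fail2ban's sshd jail does.
# The log lines are constructed; the threshold (3) is Ken Boyle's figure.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Sep 25 03:14:07 node sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Sep 25 03:14:09 node sshd[1201]: Failed password for root from 198.51.100.23 port 51240 ssh2
Sep 25 03:14:12 node sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51251 ssh2
Sep 25 03:15:00 node sshd[1210]: Accepted publickey for wayne from 203.0.113.5 port 40110 ssh2
Sep 25 03:16:41 node sshd[1222]: Failed password for invalid user test from 192.0.2.77 port 33000 ssh2
Sep 25 03:17:02 node sshd[1230]: Failed password for pi from 192.0.2.77 port 33012 ssh2
EOF
)

# Read auth.log lines on stdin; print "<failures> <ip>", most failures first.
# "Failed password for USER from IP" and "... for invalid user USER from IP"
# differ in field count, so the IP is found by locating the word "from".
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# $1 = maxretry; stdin = auth.log lines.  Prints each IP that reached the
# threshold, one per line.
ban_candidates() {
    failed_ssh_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# The firewall rule fail2ban's iptables action inserts for a banned IP.
ban_rule() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Dry run over the constructed log: one DROP rule per banned address.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3 | while read -r ip; do
    ban_rule "$ip"
done
```

On the constructed log only 198.51.100.23 reaches three failures; 192.0.2.77 stops at two and is not banned. Note, per Joe's point, that every one of those packets was accepted, parsed and logged by sshd before the ban rule existed; a source allowlist on the firewall drops them earlier.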
_______________________________________________
App_rpt-users mailing list
App_rpt-users at ohnosec.org
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

To unsubscribe from this list please visit
http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to
the bottom of the page. Enter your email address and press the "Unsubscribe
or edit options button"
You do not need a password to unsubscribe, you can do it via email
confirmation. If you have trouble unsubscribing, please send a message to
the list detailing the problem. 
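The host-side settings the thread converges on (Ken's non-default port, Loren's root-login change, Joe's two-factor login, Doug's noload for chan_sip), written as a generator plus the audit checks you would run against an existing box. This is an added example, not from the list or any project; it assumes pam_google_authenticator (the "Google auth" Joe mentions) as the OTP module, and the port number, user list and file paths are illustrative.

```shell
#!/bin/sh
# Added example: emit the sshd and PAM settings the thread calls for, and
# audit an sshd_config / modules.conf for them.  Port, users and paths are
# assumptions; pam_google_authenticator is assumed to be installed.

# sshd_config drop-in: non-default port, no root login, key plus one-time
# code for the listed admin users, password-only logins refused.
write_sshd_dropin() {
    # $1 = port, $2 = space-separated admin users
    cat <<EOF
Port $1
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers $2
MaxAuthTries 3
EOF
}

# Stanza for /etc/pam.d/sshd: the OTP prompt is the whole keyboard-
# interactive leg (the key check has already passed), so the usual password
# include must be removed from that file.
write_pam_sshd() {
    echo "auth required pam_google_authenticator.so"
}

# True when the port is valid and is neither 22 nor 222, the two ports Ken
# says every scanner already tries.
port_is_sane() {
    [ "$1" -gt 0 ] && [ "$1" -lt 65536 ] && [ "$1" -ne 22 ] && [ "$1" -ne 222 ]
}

# $1 = sshd_config path.  Prints one FAIL line per missing/wrong directive
# and returns 1 if any.  sshd honours the first occurrence of a keyword,
# keywords are case-insensitive, so the audit reads the file the same way.
check_sshd_config() {
    file="$1"; rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication yes" \
                "AuthenticationMethods publickey,keyboard-interactive"; do
        key=${want%% *}; val=${want#* }
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: want '$val', found '${got:-unset}'"; rc=1
        fi
    done
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$file")
    if ! port_is_sane "${port:-22}"; then
        echo "FAIL Port: '${port:-22}' is a default or commonly scanned port"; rc=1
    fi
    return $rc
}

# $1 = Asterisk modules.conf path.  True when chan_sip is kept from loading,
# in either "noload => chan_sip.so" or Doug's "noload=chan_sip.so" spelling.
sip_is_unloaded() {
    grep -Eq '^[[:space:]]*noload[[:space:]]*=>?[[:space:]]*chan_sip\.so' "$1"
}

# Dry run: print the drop-in for an assumed port and admin user.
write_sshd_dropin 2222 "wayne"
```

Run `check_sshd_config /etc/ssh/sshd_config` and `sip_is_unloaded /etc/asterisk/modules.conf` on a node to see what is still open; as Doug notes, a missing sip.conf does not stop SIP traffic, only the noload line does (or a firewall that never forwards the port).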
