Tag Archives: Linux

Brute force ssh password attacks

Posted on by

Since opening my SSH server at home to the internet yesterday – less than 24 hours ago – there have been 2883 failed attempts to log in from two ip addresses: 209.183.190.11 and 59.120.13.130. That makes me nervous, even though I’m reasonably confident that it’s secure due to password authentication being turned off and the following two handy iptables rules in force:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --update --seconds 15 -j DROP 

iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --set -j ACCEPT

I got this idea from a post to alt.os.linux.slackware. These rules use the recent extension to iptables to track attempted SSH connections and drop any that come from the same IP within 15 seconds. If you miss-type your passphrase, you just have to remember to hang back for a few seconds before retrying to avoid getting caught out. You could jump to a custom chain that logged such connections before dropping them if you felt the need to monitor the effectiveness of the rule – although the scripts usually just stop trying after a few connection attempts are dropped.

Securing sshd

Posted on by

I’ve decided to collate what I’ve picked-up on this topic as much of the advice I’ve found on the net is rather fragmented. Following these instructions is no substitute for reading the documentation with your SSH server and should be followed at your own risk – this is very much a brief round-up and not a detailed HOWTO. Anyway, having any services publicly available to the internet is a security risk and no amount of preparation can provide 100% certainty against compromise.

  1. Is your version of SSH up to date? Do you have a system for ensuring that it is kept up to date? None of the tips in this post will be of any use if your server has any known vulnerabilities (or any largely unknown ones for that matter, although the only way to effectively protect against these is to give up and unplug the network cable ;-) The same should apply for all the other services you make available to the internet as having a tightly locked-down SSH daemon won’t be much use if your mail and web servers are full of holes. Make sure you have a reasonable understanding of what it takes to secure your machine – see the related reading section below for some starting points.
  2. Work out how sshd is started and with what command line options. For example, are you sure you know what configuration file the server is using? The default is /etc/ssh/sshd_config, but it is possible to change this using the -f switch on the command line used to start the server. Check your startup scripts to be sure.
  3. Audit the user accounts on your system. This is the sort of more general security measure that you should be taking anyway, but it’s worth mentioning here. Some common account names are targeted by the automated brute-force password cracker scripts out there, so be careful of accounts with names like admin, user, guest, test, etc. Where possible also make sure that the system accounts required by some services have no passwords set and have something sensible set as their shells like /bin/false.
  4. Think carefully about from where you need to allow access to the server: does every machine on the net really need to be able to connect to it? You can use the /etc/hosts.allow and /etc/hosts.deny files to control access (see man hosts_access), as well as setting up iptables rules only permit access from trusted IPs or ranges of IPs, for example (assuming you drop incoming packets by default): 
    iptables -A INPUT -s $TRUSTED_IP -p tcp --dport 22 -j ACCEPT
  5. Carefully read the relevant manual pages, particularly sshd and sshd_config. Then read your /etc/ssh/sshd_config file – do not assume that your vendor or distribution has not altered any of the default variables. Some variables to pay particular attention to include:
    • Protocol – set this to 2 so as to not allow connections to fall back on protocol 1.
    • Make sure that PermitRootLogin in set to no.
    • Set PasswordAuthentiction to no whenever possible.
    • Set PubkeyAuthentication to yes (default) and set up keypairs for users (see man ssh-keygen and man ssh-agent).
    • Set PermitEmptyPasswords to no (default).
    • Set StrictModes to yes (default).
    • Set UsePrivilageSeparation to yes (default).

    Hopefully most of these variables will be in the states described. Note that some linux distributions use PAM to authenticate users connecting to the SSH server. This is beyond the scope of this article – see the UsePAM directive in the sshd_config manpage and the Linux-PAM website for more information on this.

  6. You can use the AllowUsers and AllowGroups directives and their DenyUsers and DenyGroups counterparts to limit access to trusted users or deny access to system accounts or untrusted users. Particularly useful if you need to allow password-based authentication.
  7. If you need to allow blanket access to the server from the internet, investigate methods for throttling large numbers of simultaneous incoming connections. Two worth investigating are:
    • The built-in MaxStartups directive in the sshd_config file. This sets the number of unauthenticated connections that are allowed at any one time before the server starts ignoring new connection attempts, and can be useful if you find your server is being targeted by brute force attackers making lots and lots of simultaneous or near-simultaneous connections. Read the sshd_config man page for more information on this.
    • Use the recent extension to iptables to track incoming connections and drop any from the same IP within a given number of seconds. This is very effective aganist the brute-force password crackers: 
      iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --update --seconds 15 -j DROP 

iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --set -j ACCEPT
  8. Some people may recommend moving the server to an unusual port by setting the Port directive in sshd_config, others may suggest implementing port knocking to control access. Although these solutions may afford you some additional security, the former is just a form of security through obscurity, although it’s probably quite effective against the automated scanners. The latter method is not without detractors, but can also be useful. Anyway, neither should be used as a substitute for other security measures, so I’ll say no more about them here.

This article has been re-written from a stub that really just referenced the article that inspired it, Securing access to your server checklist. Feedback is very welcome.

non-us.debian.org

Posted on by

At work we’ve got a load of Mepis installs, and attempting to apt-get update for the last couple of days has failed from the non-us.debian.org respositories with the error “Unable to fetch file, server said ‘unable to open file. ‘”.

Now I’m quite new to Debian-based distros (I learned on and still use Slackware for the most part) but this is obviously some kind of server issue (I’ve updated before without problems). Thankfully there’s a list of mirrors available at the Debian website and ftp.uk.debian.org/debian-non-us works fine. Maybe I’ll do a bit of digging when I’ve got the time.

Update

Solved: sounds this is due to non-us being obsoleted with the release two days ago of Debian 3.1. I assume the mirrors have yet to catch up.

Handling mailto links in Firefox

Posted on by

On my setup – Firefox 1.0, KDE 3.2, Thunderbird 0.9, Slackware 10 – clicking on a mailto: link in Firefox does nothing; I wanted this to open a new message in Thunderbird, email address pasted in and ready to go. Thanks to Google, I found the answer pretty quickly – add this line to your user.js:

user_pref("network.protocol-handler.app.mailto","/usr/bin/thunderbird");

Just remember to change /usr/bin/thunderbird to the appropriate path for your installation.

Website access frustration

Posted on by

I’ve just spent an intensely annoying half hour or so trying to get car insurance quotes online. I finally managed to coax a quote out of one of the four sites I tried. What follows is a boring rant on the subject.

The problems mainly stemmed from poor site design and rather badly implemented user-agent sniffing. (This is when a website tries to assess what browser you are using and tailors content based on their guess.) Something in the javascript on the Direct Line site breaks when entering additional driver details, and it becomes impossible to get any further. Both esure.com and Tesco (the car insurance bit of the site, anyway) refuse to let me in based on my user-agent, helpfully suggesting that I “update” by browser to version 4 or above of either Internet Explorer or Netscape(!). When I’m using the brand-spanking-new Mozilla Firefox released in the last week and, it’s probably fair to say, at the cutting edge of browser development, this is rather idiotic. I did manage to get a quote from Churchill, so well done them. Funnily enough, they seemed to use an almost identical system to Direct Line, so I’m not sure where the difference was that broke one site but not the other.

Still, I suppose that Firefox has only just come out of beta testing, so perhaps it’s a bit premature to expect across the board support just yet. I decided to send off a quick note to the offending sites pointing out their lack of support for Firefox, just to let them know potential customers do use browsers other than IE. At the end of the day, they’ll want to know this if they care about their customers. Or at least you’d think so, wouldn’t you?

Attempting to do this results in yet more hurdles. Tesco seem quite reluctant to give out email contact details, but they do provide a form you can fill in to request technical support. Although aimed primarily at their online banking customers, I thought that I’d give this a try. No luck – you have to specify your browser and operating system from a menu with very limited choice and no “other” category. Pretty much all Windows versions and the last three Mac OS releases were your OS choices. The browser list was longer, but only contained versions of three different products – Netscape, IE and AOL. So, no Tesco customers use Linux, Opera or Mozilla, then. Or maybe they just don’t give a shit.

This indicates to me more than just a delay in catering for a comparatively new product – more of a complete mindset. The designers of the Tesco website must have been aware of the existence of other tools and platforms, but have chosen not to cater for them to the extent of not even providing an “other” category on their technical support form. Is this the sort of company you want to use for important financial matters? I think not. The details matter, and Tesco has skipped on those in my view.

Linux in Iraq?

Posted on by

There’s an interesting article by Adam Davidson in Linux Journal about two Iraqi Linux advocates who are trying to preach the benefits of Open Source to their compatriots before proprietary software lock-in occurs.

Ashraf Tariq and Hasanen Nawfal are the founders of the Linux Users Group of Iraq, and are asking for any help that people can provide. Follow the link above to Davidson’s article for more specifics.

It sounds like a great idea to me, but I suspect they might find the struggle quite difficult. After all, founding a new Iraqi IT infrastructure on Free Software might be just a little bit more freedom than some might like.

unwired

Posted on by

I thought it might be useful to post a few notes on the process of getting connected to the CafeNET WLAN here in Wellington. It will help me in absorbing everything that I have read about and might prove useful to someone else one day. Be warned, this is a fairly technical post!

Hardware and OS:

Software Requirements:

The package references in parentheses above are Slackware specific. I can’t imagine that there is a major distribution that does not supply any of these packages, but the links will take you to the source if you need it. There are alternatives to dhcpcd you might use, and there is an alternative solution (in part) to the one I am going to describe using a different driver and toolkit.

The ZoomAir 4100 uses the PRISM II architecture with a MANFID of 0x0156, 0x0002. This architecture is listed in the know cards database (/etc/pcmcia/config) and bound to the orinoco_cs device driver, so upon card insertion the cardmgr daemon loads the relevant drivers and logs this in /var/log/messages.

Once cardmgr has identified a card and loaded the device driver(s), it performs some further configuration using the scripts in /etc/pcmcia. The scripts called depend on the device class of the card (see the PCMCIA-HOWTO for more information). In this case cardmgr calls the network script which in turn calls the wireless script. Specific configuration options can be added to the scripts by editing corresponding *.opts files in the same directory.

I had not altered any of these scripts when I began experimenting with the ZoomAir card, and it turned out that the scripts as distributed with Slackware don’t do anything untoward – but neither do they do anything particularly useful, so the final steps needed to be performed manually.

The CafeNET website gives their SSID as ‘cafenet’ and tells us that they do not use WEP (encryption). Armed with this information, we can manually configure the interface using iwconfig. It turns out that the default setup has encryption turned off and sets reasonable values for everything else, so all we need to do is set the SSID:

# iwconfig eth0 essid cafenet

Then you can fire up the dhcp client daemon and hopefully get connected:

# dhcpcd eth0

(I’m going to use eth0 as the interface throughout these examples, but this might not always be the correct option for everyone. If your interface is eth0, you don’t actually need to specify it to dhcpcd as it will use that by default. I’m specifying it for clarity.)

This was enough to get connected to the network. To ‘hang-up’, firstly cleanly kill dhcpcd:

# dhcpcd -k

Then you can eject the card:

# cardctl eject

So – very little needs doing to get connected. But there are some tweaks I’ve made to automate the whole process – even geeks get bored of typing in the same old commands all the time, and what are computers good for if not automation, anyway?

As implied above, Card Services comes with a ready-made system to help automate managing cards. By adding some code to the scripts in /etc/pcmcia we can automate the entire process of connecting to and disconnecting from CafeNET.

I created a scheme for connecting to CafeNET by customising network.opts and wireless.opts. There is no card-specific configuration that I’ve found necessary, so this scheme may be of use to you whatever your card type. Before customising these scripts it is worth reading through the comments as there will probably be sections you will want to remove or comment out.

Here is the case to add to wireless.opts:


cafenet,*,*,*)
    INFO="Scheme for connecting to Wellingon's CafeNET"
    ESSID="cafenet"
    MODE="managed"
    # Turn off encryption as suggested:
    KEY="off"
    ;;

And here is the one for network.opts:


cafenet,*,*,*)
     # Leave it all up to dhcpcd:
     DHCP="y"
     ;;

You can now connect to CafeNET by inserting your card and changing the scheme to cafenet:

# cardctl scheme cafenet

Schemes are described in the Card Services documentation. They’re are a handy way of packaging configuration options for different circumstances which can then be called with a single command on the fly.

It is worth noting that Schemes persist across boots. This is useful for me at the moment as I can leave the scheme set to ‘cafenet’ and get connected simply by inserting the card which will automatically try to connect – I don’t have to type anything at all. But this might not be the behaviour you want. You should be able to set a variable ($SCHEME, funnily enough) in your init scripts to set the scheme at boot time, under Slackware you can set this in /etc/rc.d/rc.pcmcia. There are various ways of controlling this, check out the docs.

To disconnect you should just be able to eject the card using cardctl. Unfortunately there is a slight problem with the network script supplied with Slackware 9 – it sends dhcpcd a SIGTERM when it needs a SIGHUP to exit cleanly (see the man page for more). This is easily fixed. In the network script in the section of the ‘stop’ case dealing with killing dhcpcd replace the line:

kill -TERM $PID

with:

kill -s HUP $PID

This is line 182 in my original network script.

This small change will make sure that everything is left nice and tidy. You could, of course, kill dhcpcd by hand and then eject the card, but why type two commands when one will do?!?

So, there we are – it all works quite well and working it out has taught me quite a bit about the Card Services tools and about both wireless networks and networking in general, all areas I didn’t know a great deal about before. Perhaps this stuff will be useful to someone else.

One final point: while researching all this stuff, it became apparent that there is at least one other option for this particular card in terms of drivers. The orinoco_cs driver is a generic solution – it supports several types of card, and is distributed with the Card Services package as a standard module. According to the orinoco page at Jean Tourrilhe’s site (a great resource for Wireless and Linux stuff generally), the support for Prism II cards is ‘not yet fully functional’, and for Prism 2.5/3 cards the alternative linux-wlan-ng system should definitely be used.

The linux-wlan drivers and subsystem provide an alternative to the orinoco/wireless extensions system described above – not only is the driver different, but the wireless extension tools (e.g. iwconfig) are not used either. Right now, I’m still using orinoco_cs (it works), but I might take a look at the linux-wlan package if I’ve got the time as it is specifically designed for the Prism-type cards of which the ZoomAir 4100 is an example.

Sony Vaio PCG-C1F

Posted on by

So, I got this Sony Vaio PCG-C1F, right. My mate Gavin loaned it to me. The particularly good thing about it is it’s size – small enough to carry round without any hassle.

[Sony Vaio PCG-C1F]

Thing is, I’ve put a nice new Slackware 9 install on it. Sounds good – but I’ve got to do all the configuration myself. If I didn’t know any better I’d assume that Gavin thought I needed a project to keep my mind busy. Still, I suppose it gives me something else to post about, too.

Linux can be a little bit of a pain to install on laptops sometimes – there’s a lot of scope for non-standard hardware and the like for which no-one has got around to hacking out device drivers for yet. Still, at first glance, installing a recent distro on the little Vaio seems like a fairly straigtforward task. Touch wood.

The basic install goes well. The machine boots, and the kernel recognises the cards that came with the machine – the ethernet card Just Works. The modem and wireless cards are recognised, and just need some configuration – I can easily whip up a chatscript for the modem, but I’m a bit less certain about what to do with the wireless card, having never used this technology before. Still, one thing at a time, and the first thing I want to do is to get XFree86 running satisfactorily.

The standard XF86Config file installed alongside with Slackware is actually enough to start X despite the fact that it thinks the screen is 1024×768 whereas it is actually 1024×480. A bit of manpage reading and a quick surf later, and I have a nice little example of an XF86Config file as hacked together by Jochen Topf for his Sony Vaio. (This page has a lot of other stuff on it, too. I plan to read it a bit more thoroughly, and it might be useful to you if you’ve arrived at this page because you’re researching getting linux running on a Vaio.) This doesn’t quite work – he uses the svga driver which I don’t seem to have, and one or two other little minor errors crop up – but a quick glance in /usr/X11R6/lib/modules/drivers turns up a rather promising little file called neomagic_drv.o. The Vaio uses the NeoMagic MagicMedia 256AV, so this looks good.

And sure enough, between this, Topf’s mode line for 1024×480 and a bit of a ripoff from the stock config file, I’ve pulled together an XF86Config file that allows me to startx quite happily and launch the XFce Desktop Environment, which for some reason Gavin and I selected as the default window manager when we were doing the original install without knowing much about at the time.

Despite prioritising getting the X server running, I find that I’m spending very little time using it anyway. Oh well. Next thing I did was to get my digital camera working, a Nikon Coolpix 3100, which proved very simple. This simple: plug in the USB cable, and type


# mkdir /mnt/flash
# mount -t vfat /dev/sda1 /mnt/flash

And off we go. Straight out of the box, as they say.

Next up: the modem and wireless cards. Not to mention a bit of trimming in /etc/rc.d/ to cut down on a raft of unnecessary services.

Linux in Space

Posted on by

From the BBC:

The technology to link spacecraft to the web is being tested on the current space shuttle mission and briefly turned the Columbia craft into a node on the net.

(…)

To test the technology the Columbia space shuttle was fitted with an embedded PC that has a 233 MHz processor, 128 MB of RAM and a solid-state 144 MB hard drive.

The computer is running Red Hat, a version of the Linux operating system, and is maintaining a connection with the Goddard Space Flight Center which will to try to contact the onboard PC more than 140 times over the duration of the shuttle mission STS-107.