LinHES Forums http://forum.linhes.org/
Concern about security http://forum.linhes.org/viewtopic.php?f=6&t=5503
Page 1 of 2

Author: alewman [ Wed Jul 27, 2005 1:40 am ]
Post subject: Concern about security
I am concerned that knoppmyth users can have their system owned with a default install. This is because the mythtv user has a known password of mythtv at the end of the install.

One, there are programs that constantly scan random IP addresses looking for ssh connections with known user accounts/passwords. You can likely see this if you run
Code:
# grep illegal /var/log/auth.log
sometime. I haven't seen anyone try the combination of mythtv/mythtv yet, but it is surely just a matter of time before those hackers add that to their list of accounts to check for.

Two, you can find knoppmyth installs via searching on Google and test for yourself that a lot of them have ssh exposed and haven't changed mythtv's password.

I think it would be a good idea to have knoppmyth prompt to change the mythtv password somewhere during the install. Or at the very least, mention in the main docs that it would be a good idea to change the password if the system will be exposed on the internet.

-Aubrey
Author: khrusher [ Wed Jul 27, 2005 7:32 am ]
Good post. If I change the mythtv password at the command prompt,
Code:
passwd
are there any other places it needs to be updated... scripts, config files, DB entry?

I usually use non-standard ports for all exposed interfaces, not that it makes them more secure, but maybe a little bit harder for a random searcher to locate.
Author: Xsecrets [ Wed Jul 27, 2005 7:43 am ]
You're right, it is a good idea not to have a known u/p on the internet. However, we have always stated that knoppmyth is not a security distribution and that you should think carefully before exposing it to the internet. But it is certainly something to think about for the install.
Author: tjc [ Wed Jul 27, 2005 5:36 pm ]
I've said it before and I'll say it again. If you don't have your KnoppMyth System behind a buttoned down firewall, you should. Unless you're attempting some kind of honeynet sting, anything else is just dumb as a bag of hammers.
Author: alewman [ Fri Jul 29, 2005 12:14 am ]
khrusher wrote: are there any other places it needs to be updated...scripts, config files, DB entry?
Not that I'm aware of. It should work fine after changing the password.

-Aubrey
Author: LaGaffe [ Fri Jul 29, 2005 11:49 pm ]
Post subject: Bruteforce attack on SSH
Hey there,

Lately I have seen a lot of brute force attacks on my ssh port. Therefore yesterday I started looking around for some countermeasure. Google, being my friend, hinted me towards the following, very useful script: http://www.csc.liv.ac.uk/~greg/sshdfilter/

This script runs through the auth.log and whenever it finds a certain string, like 'Illegal user test', it adds a rule to iptables to block the IP. It's configurable as to how long to block the offending IP.

To get it working I had to (and I'm writing this from memory, so there might be something missing or some better ways to do it):

1) Activate iptables. I didn't know how really, so I just
Code:
apt-get install iptables

2) Add a chain named SSHD
Code:
iptables -N SSHD
(As suggested on the above mentioned page)

3) Add a jump to the rule
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD
(As suggested on the above mentioned page)

4) For convenience I also added the webmin-firewall interface
Code:
apt-get install webmin-firewall

5) Download the script
Code:
wget http://www.csc.liv.ac.uk/~greg/sshdfilter-1.3.4.tar.gz

6) Follow the instructions in the INSTALL file

7) I remarked that my auth.log adds a ::FFFF: in front of every IP and wasn't sure about the effects on the script. So I tweaked it slightly. Here's the diff
Code:
< if ( /^Illegal user (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
> if ( /^Illegal user (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
269c269
< elsif ( /^Failed .* for illegal user (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
> elsif ( /^Failed .* for illegal user (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
282c282
< elsif ( /^Did not receive identification string from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
> elsif ( /^Did not receive identification string from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
296c296
< elsif ( /^Failed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ || /^Postponed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ ) # general failure, give them 4 chances - one more than sshd gives
---
> elsif ( /^Failed .* for (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ || /^Postponed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ ) # general failure, give them 4 chances - one more than sshd gives
313c313
< elsif ( /^Accepted [^ ]* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ ) # a success from an ip means removing it from the list, if it exists
---
> elsif ( /^Accepted [^ ]* for (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ ) # a success from an ip means removing it from the list, if it exists
336c336
< elsif ( /^Received signal ([0-9][0-9]*); terminating./ ) # sshd quitting, Received signal... more reliable then waiting for close of pipe
---
> elsif ( /^Received signal :*f*:([0-9][0-9]*); terminating./ ) # sshd quitting, Received signal... more reliable then waiting for close of pipe

And success!! A look at the auth.log of this morning reveals:
Quote:
Jul 30 06:12:22 mythtv sshd[8166]: Illegal user test from ::ffff:212.68.230.34
Jul 30 06:12:22 mythtv sshdfilt[8165]: Illegal user name, instant block of 212.68.230.34

Hint: If you locked yourself out, use webmin to delete the rule and you're back in the game...

Enjoy
Stefan
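Review bot: in the first hunk (and equally in 269c269, 282c282 and 313c313) the inserted `:*f*:` makes the colon mandatory: `:*` and `f*` may match nothing, but the final `:` must be present, so a line that logs a bare IPv4 address ("from 212.68.230.34" with no ::ffff:) no longer matches at all and that address is never blocked, counted or cleared. Make the whole prefix optional instead, e.g. `from (?:::ffff:)?([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)`, which handles both log formats. While on these lines, the unescaped `.` between the octets (already in the original script) matches any character; `\.` is what is meant.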
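Review bot: in 296c296 only the `Failed` alternative received the `:*f*:` prefix; the `Postponed` alternative on the same line still expects a bare address, so a `Postponed ... from ::ffff:a.b.c.d port N ssh2` line is skipped and that attempt never counts towards the "4 chances" the comment describes. Apply the same change to both alternatives, or factor the address pattern into one variable used by every line.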
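Review bot: 336c336 should be reverted. `Received signal ([0-9][0-9]*); terminating.` captures a signal number, not an address, so it never carries a ::ffff: prefix; with the mandatory colon from `:*f*:` the line stops matching and the script loses the sshd-shutdown detection the comment calls "more reliable than waiting for close of pipe".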
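As an added example (not the sshdfilter script, nor code from anyone in this thread), here is a small Python replay of the same blocking policy over constructed auth.log lines: it accepts both bare IPv4 addresses and the ::ffff: mapped form that the grep in the first post and Stefan's diff are concerned with, and it shows the instant-block, count-to-four and clear-on-success logic. The sample lines and the 192.0.2.x addresses are constructed for the example; MAX_FAILURES of 4 follows the comment in the script's own diff.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not from a real host): the ::ffff: mapped form from the post plus bare IPv4.
SAMPLE_LOG = """\
Jul 30 06:12:22 mythtv sshd[8166]: Illegal user test from ::ffff:192.0.2.10
Jul 30 06:12:25 mythtv sshd[8170]: Failed password for illegal user admin from 192.0.2.11 port 4123 ssh2
Jul 30 06:12:30 mythtv sshd[8171]: Failed password for mythtv from ::ffff:192.0.2.12 port 4124 ssh2
Jul 30 06:12:31 mythtv sshd[8172]: Failed password for mythtv from ::ffff:192.0.2.12 port 4125 ssh2
Jul 30 06:12:32 mythtv sshd[8173]: Failed password for mythtv from 192.0.2.12 port 4126 ssh2
Jul 30 06:12:33 mythtv sshd[8174]: Failed password for mythtv from ::ffff:192.0.2.12 port 4127 ssh2
Jul 30 06:12:35 mythtv sshd[8175]: Failed password for mythtv from ::ffff:192.0.2.13 port 4128 ssh2
Jul 30 06:12:40 mythtv sshd[8176]: Accepted publickey for mythtv from ::ffff:192.0.2.13 port 4129 ssh2
Jul 30 06:13:00 mythtv sshd[8177]: Received signal 15; terminating.
"""

# Optional mapped prefix, then a dotted quad with escaped dots (a bare "." would also match "1234567").
IP = r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = (
    ("illegal", re.compile(r"sshd\[\d+\]: Illegal user (\S+) from " + IP)),
    ("illegal", re.compile(r"sshd\[\d+\]: Failed .* for illegal user (\S+) from " + IP)),
    ("failed", re.compile(r"sshd\[\d+\]: Failed .* for (\S+) from " + IP + r" port \d+ ssh2")),
    ("accepted", re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IP + r" port \d+ ssh2")),
)
MAX_FAILURES = 4  # the script's own policy: one more chance than sshd gives

def classify(line):
    # Return (kind, user, ip) for a recognised sshd line, else None ("Received signal 15" has no address).
    for kind, rx in PATTERNS:
        if m := rx.search(line):
            return kind, m.group(1), m.group(2)
    return None

def evaluate(log_text):
    # Replay the log and return {ip: reason} for the addresses the filter would block.
    failures, blocked = defaultdict(int), {}
    for line in log_text.splitlines():
        if not (hit := classify(line)):
            continue
        kind, user, ip = hit
        if kind == "illegal":      # unknown user name: instant block
            blocked[ip] = f"illegal user name {user!r}"
        elif kind == "failed":     # known user, wrong password: count attempts
            failures[ip] += 1
            if failures[ip] >= MAX_FAILURES:
                blocked[ip] = f"{failures[ip]} failed logins for {user!r}"
        else:                      # a successful login clears that address
            failures.pop(ip, None)
            blocked.pop(ip, None)
    return blocked
```

Feeding the real /var/log/auth.log to evaluate() lists what the filter would block without touching iptables, which is a safe way to check the patterns before installing the script.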
Author: cesman [ Tue Aug 02, 2005 2:52 pm ]
Everything khrusher, Xsecrets and tjc stated... KnoppMyth is meant to be installed on a box for use as a PVR. A PVR should be behind a firewall and not live on the Internet. If you want to place it live on the Internet, then it is up to you to secure it. We do our best to try and ensure KnoppMyth is as secure as possible for its intended purpose.

Funny, I remember another fellow bringing this up over a year ago. He stated he would provide some scripts to help button things up. Well, I'm still waiting...
Author: ceenvee703 [ Tue Aug 02, 2005 3:21 pm ]
cesman wrote: A PVR should be behind a firewall and not live on the Internet.
How can this be reconciled with MythTV needing to connect to Zap2It (or similar service) to DL program guide data?
Author: cesman [ Tue Aug 02, 2005 3:36 pm ]
If it is behind a firewall, it should have no issues downloading programming information. My boxen have always been behind a firewall.
Author: tjc [ Tue Aug 02, 2005 7:05 pm ]
One of the little Linksys/Cisco Cable/DSL routers is a cheap and simple way to set this up if you're not comfortable turning an old machine into a firewall/router. The BEFSR41 can be had for under $50. It gives you a 4 port switch with a NATing firewall router built in. The default firewall configuration is pretty reasonable, having all inbound connections blocked by default. Just make sure the firmware is up to date and don't open any ports that you don't need and have secured by other means.
Author: jimmyfergus [ Sun Aug 07, 2005 7:51 am ]
tjc wrote: One of the little Linksys/Cisco Cable/DSL routers is a cheap and simple way to set this up if you're not comfortable turning an old machine into a firewall/router.
Absolutely - they're trivially easy to use - for most people, you plug it in and never think about it again. The only reason most of us might have for configuring an old computer for the job is that we have it lying around and we don't want the computer to go to waste or to spend more money.

Well, my take on this is that an old computer, even with a low powered CPU, is going to draw 25 Watts as an absolute minimum, probably 40-60. My Linksys router draws 5W. One Watt costs me roughly US$1 a year; my candidate computer (PII 350) draws 40W diskless, 50W+ with a hard disk, so I'm saving at least $35 a year in power. On financial grounds, rolling your own router rarely makes sense. On ecological grounds, it gets a bit more complicated, because you have to consider whether the environmental impact of having the router manufactured outweighs the electrical savings. Electronics manufacture is a dirty business.

While on the ecology note, I tried to have my Knoppmyth box shut down when idle and auto-restart with R4V5, but things went very wrong with commercial detection. I haven't retried with R5A16... some time when I have a chance...
Author: Xsecrets [ Sun Aug 07, 2005 8:21 am ]
Of course with the latest FCC ruling that all firewalls are going to have backdoors for the feds it's starting to make much more sense to roll your own with an old pc. Not that the feds would be interested in me, but if there's a backdoor there it's only a matter of time til the script kiddies get ahold of it.
Author: jimmyfergus [ Sun Aug 07, 2005 8:34 am ]
Xsecrets wrote: Of course with the latest FCC ruling that all firewalls are going to have backdoors for the feds it's starting to make much more sense to roll your own with an old pc. Not that the feds would be interested in me, but if there's a backdoor there it's only a matter of time til the script kiddies get ahold of it.
Then get a router that runs linux, like the Linksys WRT54G, and flash one of the open-source firmwares produced in a country outside Oceania. Unless the spooks can get in at a sub-firmware level.
Author: tjc [ Sun Aug 07, 2005 11:58 am ]
jimmyfergus wrote: Then get a router that runs linux, like the Linksys WRT54G
NOT recommended!!! Current wireless routers are inherently insecure, and you can find a dozen articles about the exploitable flaws in WEP without even trying. An equivalent non-wireless router is greatly preferred if you have any concerns about security. Also "never think(ing) about it again" isn't a good idea either. A periodic check for firmware updates is a small and worthwhile effort.
Author: jimmyfergus [ Sun Aug 07, 2005 12:31 pm ]
tjc wrote: jimmyfergus wrote: Then get a router that runs linux, like the Linksys WRT54G
NOT recommended!!! Current wireless routers are inherently insecure, and you can find a dozen articles about the exploitable flaws in WEP without even trying. An equivalent non-wireless router is greatly preferred if you have any concerns about security. Also "never think(ing) about it again" isn't a good idea either. A periodic check for firmware updates is a small and worthwhile effort.
Who mentioned WEP? It's possible to disable wireless on the router. I disable it except for the rare occasions I need wireless, when I use WPA. There's precious little price difference between a wireless and non-wireless router (I got my WRT54G used for $30), and I'm not sure if there are any non-wireless routers with open source linux firmware in active development.

You're absolutely right that you shouldn't just install and forget, but I disagree that non-wireless is preferable, unless you absolutely positively will never want to use wireless and don't care about third-party developed firmware features, and can find your wired router cheaper than wireless. I bought my wireless router in the knowledge that I didn't want to use the wireless, but I wanted tweakable firmware for traffic shaping (very useful when using VOIP during downloads) and other options. I would maintain that it was a good decision.