 Post subject: Concern about security
PostPosted: Wed Jul 27, 2005 1:40 am 
Offline
Joined: Sun Jul 24, 2005 1:37 am
Posts: 42
I am concerned that knoppmyth users can have their system owned with a default install. This is because the mythtv user has a known password of mythtv at the end of the install.

One, there are programs that constantly scan random IP addresses looking for ssh connections with known user accounts/passwords. You can likely see this if you:

# grep illegal /var/log/auth.log

sometime. I haven't seen anyone try the combination of mythtv/mythtv yet, but it is surely just a matter of time before those hackers add that to their list of accounts to check for.

Two, you can find knoppmyth installs via searching on google and test for yourself that a lot of them have ssh exposed and haven't changed mythtv's password.

I think it would be a good idea to have knoppmyth prompt to change the mythtv password somewhere during the install. Or in the very least, mention in the main docs that it would be a good idea to change the password if the system will be exposed on the internet.

-Aubrey


 Post subject:
PostPosted: Wed Jul 27, 2005 7:32 am 
Offline
Joined: Tue Apr 13, 2004 6:51 pm
Posts: 890
Location: Groton, MA
good post.

If I change the mythtv password at the command prompt:
Code:
passwd
are there any other places it needs to be updated... scripts, config files, DB entry?

I usually use non-standard ports for all exposed interfaces, not that it makes them more secure, but maybe a little bit harder for a random searcher to locate.

_________________
R5F1 - Dell P4 2.4Ghz 500MB - PVR250 x 2 - GeForce FX 5200 - Onboard sound/NIC 80GB ATA/250GB ATA/400GB SATA


 Post subject:
PostPosted: Wed Jul 27, 2005 7:43 am 
Offline
Joined: Mon Oct 06, 2003 10:38 am
Posts: 4978
Location: Nashville, TN
You're right, it is a good idea not to have a known u/p on the internet. However, we have always stated that KnoppMyth is not a security distribution and that you should think carefully before exposing it to the internet. But it is certainly something to think about for the install.

_________________
Have a question search the forum and have a look at the KnoppMythWiki.

Xsecrets


 Post subject:
PostPosted: Wed Jul 27, 2005 5:36 pm 
Offline
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
I've said it before and I'll say it again. If you don't have your KnoppMyth system behind a buttoned-down firewall, you should. Unless you're attempting some kind of honeynet sting, anything else is just dumb as a bag of hammers.


 Post subject:
PostPosted: Fri Jul 29, 2005 12:14 am 
Offline
Joined: Sun Jul 24, 2005 1:37 am
Posts: 42
khrusher wrote:
are there any other places it needs to be updated...scripts, config files, DB entry?


Not that I'm aware of. It should work fine after changing the password.

-Aubrey


 Post subject: Bruteforce attack on SSH
PostPosted: Fri Jul 29, 2005 11:49 pm 
Offline
Joined: Fri Jun 11, 2004 6:39 am
Posts: 20
Location: Zurich, Switzerland
Hey there,

Lately I have seen a lot of brute force attacks on my ssh port.
Therefore yesterday I started looking around for some countermeasures.
Google, being my friend, pointed me towards the following, very useful script:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

This script runs through the auth.log and whenever it finds a certain string, like 'Illegal user test', it adds a rule to iptables to block the IP.
It's configurable as to how long to block the offending IP.

To get it working I had to (and I'm writing this from memory, so there might be something missing or some better ways to do it):

1) activate iptables. I didn't know how really, so I just
Code:
apt-get install iptables

2) Add a chain named SSHD
Code:
iptables -N SSHD
(As suggested on the above mentioned page)

3) Add a jump to the rule
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD
(As suggested on the above mentioned page)

4) For convenience I also added the webmin-firewall interface
Code:
apt-get install webmin-firewall

5) Download the script
Code:
wget http://www.csc.liv.ac.uk/~greg/sshdfilter-1.3.4.tar.gz

6) Follow the instructions in the INSTALL file


7) I noticed that my auth.log adds a ::FFFF: in front of every IP and wasn't sure about the effect on the script. So I tweaked it slightly. Here's the diff:
Code:
<    if ( /^Illegal user (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
>    if ( /^Illegal user (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
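Review bot: `:*f*:` in the new pattern requires at least one literal `:` right before the address, so an `Illegal user ... from` line that carries no `::ffff:` prefix no longer matches and that address is never blocked. Make the prefix optional instead, e.g. `from (?:::ffff:)?([0-9][0-9]*...`, so both logged forms are caught. Unrelated to this change but visible in the same line: the `.` between the octets is unescaped and matches any character, not just a dot.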
269c269
<    elsif ( /^Failed .* for illegal user (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
>    elsif ( /^Failed .* for illegal user (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
282c282
<    elsif ( /^Did not receive identification string from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
---
>    elsif ( /^Did not receive identification string from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*)/ )
296c296
<    elsif ( /^Failed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ || /^Postponed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ )   # general failure, give them 4 chances - one more than sshd gives
---
>    elsif ( /^Failed .* for (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ || /^Postponed .* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ )   # general failure, give them 4 chances - one more than sshd gives
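Review bot: only the `Failed` alternative on the left of the `||` received the `:*f*:` prefix; the `Postponed` alternative on the right still expects a bare address, so with the log format shown in the post (`::ffff:` in front of every IP) `Postponed ... from ::ffff:...` lines stop counting towards the four chances. Apply the same prefix to both alternatives.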
313c313
<    elsif ( /^Accepted [^ ]* for (.*) from ([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ )  # a success from an ip means removing it from the list, if it exists
---
>    elsif ( /^Accepted [^ ]* for (.*) from :*f*:([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*) port [0-9][0-9]* ssh2/ )  # a success from an ip means removing it from the list, if it exists
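Review bot: per the trailing comment this pattern is what removes an address from the list after a successful login, so it must accept exactly the same address forms as the failure patterns; with the mandatory colon in `:*f*:`, a successful login logged without the prefix will not clear the entry, and a legitimate user who mistyped a password a few times stays blocked until the rule is removed by hand (the lock-out the post's hint describes). Use the same optional-prefix group here as in the failure patterns.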
336c336
<    elsif ( /^Received signal ([0-9][0-9]*); terminating./ )   # sshd quitting, Received signal... more reliable then waiting for close of pipe
---
>    elsif ( /^Received signal :*f*:([0-9][0-9]*); terminating./ )   # sshd quitting, Received signal... more reliable then waiting for close of pipe
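Review bot: this hunk breaks sshd-exit detection. A `Received signal 15; terminating.` line carries no address and no `::ffff:` prefix, and `:*f*:` demands a literal `:` before the number, so the patched regex can never match. Drop this hunk and keep the original line.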


And success!! A look at the auth.log of this morning reveals:
Quote:
Jul 30 06:12:22 mythtv sshd[8166]: Illegal user test from ::ffff:212.68.230.34
Jul 30 06:12:22 mythtv sshdfilt[8165]: Illegal user name, instant block of 212.68.230.34


Hint: If you locked yourself out, use webmin to delete the rule and you're back in the game...

Enjoy

Stefan

_________________
Shuttle SN41G2V2
AMD Athlon XP-3000+
Lite-On 832S IDE, +/-R
200 GB Western Digital
Hauppauge PVR-350
Xbox Frontend


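Below is an added Python example (not sshdfilter itself, and not code from anyone in this thread) that replays auth.log lines the way Aubrey's `grep illegal` and Stefan's sshdfilter setup look at them: it recognises both the bare IPv4 form and the `::ffff:`-prefixed form, applies the instant-block / four-chances / clear-on-success rules the script's comments describe, and renders DROP rules for the `SSHD` chain created in step 2. The log lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sshd lines in auth.log style with the "::ffff:" prefix the post describes
SAMPLE_AUTH_LOG = """\
Jul 30 06:12:22 mythtv sshd[8166]: Illegal user test from ::ffff:192.0.2.10
Jul 30 06:13:01 mythtv sshd[8170]: Failed password for mythtv from ::ffff:198.51.100.7 port 40100 ssh2
Jul 30 06:13:05 mythtv sshd[8171]: Failed password for mythtv from 198.51.100.7 port 40101 ssh2
Jul 30 06:13:09 mythtv sshd[8172]: Failed password for mythtv from ::ffff:198.51.100.7 port 40102 ssh2
Jul 30 06:13:12 mythtv sshd[8173]: Failed password for mythtv from ::ffff:198.51.100.7 port 40103 ssh2
Jul 30 06:20:00 mythtv sshd[8180]: Failed password for aubrey from 203.0.113.5 port 5000 ssh2
Jul 30 06:20:30 mythtv sshd[8181]: Accepted publickey for aubrey from 203.0.113.5 port 5001 ssh2
"""
# Optional IPv4-mapped prefix, then a dotted quad with escaped dots (a bare "." matches any char)
IP = r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    ("illegal", re.compile(r"[Ii]llegal user \S+ from " + IP)),
    ("failed", re.compile(r"Failed \S+ for \S+ from " + IP + r" port \d+ ssh2")),
    ("accepted", re.compile(r"Accepted \S+ for \S+ from " + IP + r" port \d+ ssh2")),
]
MAX_FAILURES = 4  # per the script's comment: one more chance than sshd itself gives

def classify(line):
    for event, rx in PATTERNS:
        if m := rx.search(line):
            return event, m.group(1)  # (event, ip) for a recognised sshd line
    return None

def decide_blocks(lines, max_failures=MAX_FAILURES):
    """Replay lines with sshdfilter's rules: illegal user name -> instant block,
    max_failures failed logins -> block, a successful login clears the IP."""
    failures, blocked = defaultdict(int), set()
    for line in lines:
        if not (hit := classify(line)):
            continue
        event, ip = hit
        if event == "illegal":
            blocked.add(ip)
        elif event == "failed":
            failures[ip] += 1
            if failures[ip] >= max_failures:
                blocked.add(ip)
        else:  # accepted: forget earlier failures and unblock
            failures.pop(ip, None)
            blocked.discard(ip)
    return blocked

def iptables_rules(blocked, chain="SSHD"):
    """DROP rules for the SSHD chain the post creates with `iptables -N SSHD`."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(blocked)]
```

Feed it `open("/var/log/auth.log")` instead of the sample to see which addresses a real log would have earned a rule; the generated commands are printed, not executed, so you can review them before applying.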
 Post subject:
PostPosted: Tue Aug 02, 2005 2:52 pm 
Offline
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location: Fontana, Ca
Everything khrusher, Xsecrets and tjc stated... KnoppMyth is meant to be installed on a box for use as a PVR. A PVR should be behind a firewall and not live on the Internet. If you want to place it live on the Internet, then it is up to you to secure it. We do our best to try and ensure KnoppMyth is as secure as possible for its intended purpose. Funny, I remember another fellow bringing this up over a year ago. He stated he'd provide some scripts to help button things up. Well, I'm still waiting...

_________________
cesman

When the source is open, the possibilities are endless!


 Post subject:
PostPosted: Tue Aug 02, 2005 3:21 pm 
Offline
Joined: Fri Apr 02, 2004 10:08 am
Posts: 1637
Location: Virginia, USA
cesman wrote:
A PVR should be behind a firewall and not live on the Internet.


How can this be reconciled with MythTV needing to connect to Zap2It (or similar service) to DL program guide data?


 Post subject:
PostPosted: Tue Aug 02, 2005 3:36 pm 
Offline
Joined: Fri Sep 19, 2003 7:05 pm
Posts: 5088
Location: Fontana, Ca
If it is behind a firewall, it should have no issues downloading programming information. My boxen have always been behind a firewall.

_________________
cesman

When the source is open, the possibilities are endless!


 Post subject:
PostPosted: Tue Aug 02, 2005 7:05 pm 
Offline
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
One of the little Linksys/Cisco Cable/DSL routers is a cheap and simple way to set this up if you're not comfortable turning an old machine into a firewall/router. The BEFSR41 can be had for under $50. It gives you a 4 port switch with a NATing firewall router built in. The default firewall configuration is pretty reasonable, having all inbound connections blocked by default. Just make sure the firmware is up to date and don't open any ports that you don't need and have secured by other means.


 Post subject:
PostPosted: Sun Aug 07, 2005 7:51 am 
Offline
Joined: Tue Jan 18, 2005 12:11 pm
Posts: 100
Location: MA, USA
tjc wrote:
One of the little Linksys/Cisco Cable/DSL routers is a cheap and simple way to set this up if you're not comfortable turning an old machine into a firewall/router.


Absolutely - they're trivially easy to use - for most people, you plug it in and never think about it again. The only reason most of us might have for configuring an old computer for the job is that we have it lying around and we don't want the computer to go to waste or to spend more money.

Well, my take on this is that an old computer, even with a low powered CPU, is going to draw 25 Watts as an absolute minimum, probably 40-60. My Linksys router draws 5W. One Watt costs me roughly US$1 a year, my candidate computer (PII 350) draws 40W diskless, 50W+ with a hard disk, so I'm saving at least $35 a year in power.

On financial grounds, rolling your own router rarely makes sense. On ecological grounds, it gets a bit more complicated, because you have to consider whether the environmental impact of having the router manufactured outweighs the electrical savings. Electronics manufacture is a dirty business.

While on the ecology note, I tried to have my Knoppmyth box shut down when idle and auto-restart with R4V5, but things went very wrong with commercial detection. I haven't retried with R5A16... some time when I have a chance...


 Post subject:
PostPosted: Sun Aug 07, 2005 8:21 am 
Offline
Joined: Mon Oct 06, 2003 10:38 am
Posts: 4978
Location: Nashville, TN
Of course with the latest FCC ruling that all firewalls are going to have backdoors for the feds it's starting to make much more sense to roll your own with an old pc. Not that the feds would be interested in me, but if there's a backdoor there it's only a matter of time til the script kiddies get ahold of it.

_________________
Have a question search the forum and have a look at the KnoppMythWiki.

Xsecrets


 Post subject:
PostPosted: Sun Aug 07, 2005 8:34 am 
Offline
Joined: Tue Jan 18, 2005 12:11 pm
Posts: 100
Location: MA, USA
Xsecrets wrote:
Of course with the latest FCC ruling that all firewalls are going to have backdoors for the feds it's starting to make much more sense to roll your own with an old pc. Not that the feds would be interested in me, but if there's a backdoor there it's only a matter of time til the script kiddies get ahold of it.


Then get a router that runs linux, like the Linksys WRT54G, and flash one of the open-source firmwares produced in a country outside Oceania ;). That also gives you much of the flexibility of a roll-your-own system - iptables etc. and all sorts of other goodness.

Unless the spooks can get in at a sub-firmware level :shock: !?


 Post subject:
PostPosted: Sun Aug 07, 2005 11:58 am 
Offline
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
jimmyfergus wrote:
Then get a router that runs linux, like the Linksys WRT54G

NOT recommended!!! Current wireless routers are inherently insecure, and you can find a dozen articles about the exploitable flaws in WEP without even trying. An equivalent non-wireless router is greatly preferred if you have any concerns about security.

Also "never think(ing) about it again" isn't a good idea either. A periodic check for firmware updates is a small and worthwhile effort.


 Post subject:
PostPosted: Sun Aug 07, 2005 12:31 pm 
Offline
Joined: Tue Jan 18, 2005 12:11 pm
Posts: 100
Location: MA, USA
tjc wrote:
jimmyfergus wrote:
Then get a router that runs linux, like the Linksys WRT54G

NOT recommended!!! Current wireless routers are inherently insecure, and you can find a dozen articles about the exploitable flaws in WEP without even trying. An equivalent non-wireless router is greatly preferred if you have any concerns about security.

Also "never think(ing) about it again" isn't a good idea either. A periodic check for firmware updates is a small and worthwhile effort.


Who mentioned WEP :)? Wireless has its uses, and is very secure if you use WPA. Granted it can never be as secure as wired.

It's possible to disable wireless on the router. I disable it except for the rare occasions I need wireless, when I use WPA. There's precious little price difference between a wireless and non-wireless router (I got my WRT54G used for $30), and I'm not sure if there are any non-wireless routers with open source linux firmware in active development.

You're absolutely right that you shouldn't just install and forget, but I disagree that non-wireless is preferable, unless you absolutely positively will never want to use wireless and don't care about third-party developed firmware features, and can find your wired router cheaper than wireless.

I bought my wireless router in the knowledge that I didn't want to use the wireless, but I wanted tweakable firmware for traffic shaping (very useful when using VOIP during downloads) and other options. I would maintain that it was a good decision.


