Debian GNU/Linux - Institut für Experimentelle und Angewandte ...


Debian GNU/Linux: Security

Debian GNU/Linux

Unix Security

Christian T. Steigies

Institut für Experimentelle und Angewandte Physik

Christian-Albrechts-Universität zu Kiel

Debian crash course – 21.02.2007

Christian T. Steigies

Debian GNU/Linux



Logging in to the system

◮ login at the console

◮ login via xdm/gdm/kdm

◮ remote login with telnet, rsh, ftp

◮ secure login with ssh, scp, slogin

◮ Pluggable Authentication Modules (PAM)

◮ pam_cracklib: minimum requirements for passwords

◮ pam_opie: one time passwords


Remote logins

◮ only via SSH, never with telnet; avoid ftp

◮ encrypted communication with SSH, so no eavesdropping

◮ (the password also travels in plaintext with fetchmail unless ssl or ssh tunneling is used)

◮ no login as root

◮ no empty passwords

◮ only ssh2, not ssh1

◮ login via authorized_keys


Improving security

◮ /etc/ssh/sshd_config

◮ changing the port (security by obscurity)

◮ PasswordAuthentication no

◮ PermitRootLogin no (problem with faubackup?)

◮ restrict users

◮ /etc/hosts.allow|deny

◮ iptables (ssh_blocking)
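The sshd_config settings on this slide can be checked mechanically. The script below is an added example for this page, not part of the slides or of OpenSSH: it reads the value sshd would actually use for each keyword (sshd takes the first occurrence, so a later duplicate line cannot override an earlier weak one) and reports the settings that deviate from the slide's recommendations. The two sample configs are constructed; Match blocks are assumed absent.

```shell
#!/bin/sh
# sshd takes the FIRST value it finds for a keyword; later duplicates are
# ignored. This audit applies the same rule and does not evaluate Match blocks.

# effective_value FILE KEYWORD DEFAULT -> the value sshd would use
effective_value() {
    v=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }           # skip comments, blanks
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE -> one line per weak setting found
audit_sshd_config() {
    f="$1"
    [ "$(effective_value "$f" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication is not 'no' (password guessing still possible)"
    [ "$(effective_value "$f" PermitRootLogin yes)" = no ] ||
        echo "PermitRootLogin is not 'no'"
    [ "$(effective_value "$f" PermitEmptyPasswords no)" = no ] ||
        echo "PermitEmptyPasswords is not 'no'"
    [ "$(effective_value "$f" Protocol "")" = 2 ] ||
        echo "Protocol is not explicitly '2' (ssh1 may still be offered)"
}

# count_findings FILE -> number of weak settings
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample: unhardened config; the second PasswordAuthentication
# line has no effect because sshd already took the first one.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
# Constructed sample: the settings from the slide applied
HARDENED=$(mktemp)
printf 'Port 2201\nProtocol 2\nPermitRootLogin no\nPasswordAuthentication no\n' > "$HARDENED"

audit_sshd_config "$WEAK"
```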


ssh-keygen

◮ ssh-keygen -trsa

◮ passphrase instead of password

◮ .ssh/id_rsa.pub

◮ copy to .ssh/authorized_keys on the remote host

◮ ssh-copy-id user@machine

◮ ssh-add

◮ .ssh/config



~/.ssh/config

Host 192.168.1.9
    ForwardAgent yes
    ForwardX11 yes
    PasswordAuthentication no
    # StrictHostKeyChecking no accepts unknown or changed host keys without
    # asking, so the client cannot notice a substituted host
    StrictHostKeyChecking no
    Port 2201


Ssh-faker

Ssh-faker 1.1

There’s a worm out there that tries to log in through ssh using a long list of popular usernames and passwords. If you don’t want it to succeed, it’s a good idea to not let it connect to your actual sshd program. Ssh-faker was initially written to deal with buffer overflow attacks back when sshd was vulnerable (it may still be), but it works well for this too.

This program is called by /etc/hosts.deny whenever someone connects to port 22. Unless they type in a plaintext password or type the wrong password, they get an ssh-compatible error message, and a syslog message is generated. If they type in the right password, they are added to /etc/hosts.allow, and their next connection will reach the real sshd.

In my opinion, this is better than denying ip addresses as soon as they fail ssh logins three times because:

- I don’t want to be locked out of my own computer if I can’t type my password right for some reason (broken key on keyboard/fingers on wrong keys/too much caffeine+sugar?)

- This way, the /etc/hosts.deny file or iptables deny list doesn’t grow all the time.

- The bad guys can’t get more chances just by changing their ip address.


http://www.aerospacesoftware.com/ssh-kiddies.html

SSH vs Script Kiddies How-to Guide

Some idiot created an SSH worm that uses a dictionary attack to try to log into a computer over port 22. The worm tries to set up shop on your computer and tries to find the next vulnerable computer. This clogs up networks with bazillions of SSH login attempts.

A number of people created scripts that scan the system log files to identify the IP address of attackers and block them either using TcpWrappers or Netfilter. The problem with these approaches is that it consumes local computer resources. It also creates the risk that you can lock yourself out accidentally - maybe not a problem if the computer is in the next room, but it is a serious concern if the computer is far away on the other side of the globe.

Another solution is to set SSHD to use a different port. This will work, till the attacker adds a port scanner to his worm.

What is needed is a simple solution that consumes the resources of the attacker instead of your own. This little guide shows how to slow down SSH password authentication to accomplish this in a single line of code. This simple modification has been proven to completely defeat the attack, as discussed below.


Feb 20 09:53:54 batdaf sshd[17915]: Invalid user lpd from 218.75.69.132
Feb 20 09:53:58 batdaf sshd[17917]: Invalid user lpa from 218.75.69.132
Feb 20 09:54:01 batdaf sshd[17919]: Invalid user admin from 218.75.69.132
Feb 20 09:54:08 batdaf sshd[17921]: Invalid user admin from 218.75.69.132
Feb 20 09:54:13 batdaf sshd[17923]: Invalid user admin from 218.75.69.132
Feb 20 09:54:17 batdaf sshd[17925]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:21 batdaf sshd[17927]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:26 batdaf sshd[17929]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:34 batdaf sshd[17931]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:41 batdaf sshd[17933]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:47 batdaf sshd[17935]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:54 batdaf sshd[17937]: Invalid user ftpuser from 218.75.69.132
Feb 20 09:54:59 batdaf sshd[17939]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:03 batdaf sshd[17941]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:07 batdaf sshd[17943]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:11 batdaf sshd[17945]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:17 batdaf sshd[17947]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:25 batdaf sshd[17950]: Invalid user mailtest from 218.75.69.132
Feb 20 09:55:29 batdaf sshd[17952]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:36 batdaf sshd[17954]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:40 batdaf sshd[17956]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:43 batdaf sshd[17958]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:47 batdaf sshd[17960]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:51 batdaf sshd[17962]: Invalid user testuser from 218.75.69.132
Feb 20 09:55:56 batdaf sshd[17964]: Invalid user sales from 218.75.69.132
Feb 20 09:56:00 batdaf sshd[17966]: Invalid user sales from 218.75.69.132
Feb 20 09:56:03 batdaf sshd[17968]: Invalid user sales from 218.75.69.132
Feb 20 09:56:13 batdaf sshd[17970]: Invalid user sales from 218.75.69.132
Feb 20 09:56:18 batdaf sshd[17972]: Invalid user sales from 218.75.69.132
Feb 20 09:56:22 batdaf sshd[17974]: Invalid user sales from 218.75.69.132
Feb 20 09:56:27 batdaf sshd[17976]: Invalid user sales from 218.75.69.132
...
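The scripts that scan log files, as the quoted guide describes, start from exactly this kind of entry. The script below is an added example for this page, not part of the slides: it summarises "Invalid user" lines per source address (attempt count and number of distinct user names tried) and also handles the "Invalid user from <ip>" form with an empty user name that sshd logs when the client sends no name, as seen on the next slide. The log lines in the block are constructed in the same format with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# flag_sources LOGFILE THRESHOLD -> "srcip attempts distinct_usernames" for
# every source with at least THRESHOLD "Invalid user" lines, busiest first.
flag_sources() {
    awk -v thr="$2" '
    NF >= 9 && $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Invalid" && $7 == "user" && $(NF-1) == "from" {
        ip = $NF
        name = ""                       # fields 8 .. NF-2 form the user name
        for (i = 8; i <= NF - 2; i++) name = name (i > 8 ? " " : "") $i
        if (name == "") name = "<empty>"  # "Invalid user from <ip>" form
        attempts[ip]++
        if (!((ip, name) in seen)) { seen[ip, name] = 1; names[ip]++ }
    }
    END {
        for (ip in attempts)
            if (attempts[ip] >= thr) print ip, attempts[ip], names[ip]
    }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample in the format of the auth.log excerpt above
# (RFC 5737 addresses; the last line is an unrelated successful login).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Feb 20 09:53:54 batdaf sshd[17915]: Invalid user lpd from 192.0.2.10
Feb 20 09:53:58 batdaf sshd[17917]: Invalid user admin from 192.0.2.10
Feb 20 09:54:01 batdaf sshd[17919]: Invalid user admin from 192.0.2.10
Feb 20 09:54:08 batdaf sshd[17921]: Invalid user ftpuser from 192.0.2.10
Feb 20 09:54:13 batdaf sshd[17923]: Invalid user ftpuser from 192.0.2.10
Feb 20 14:31:33 batdaf sshd[1721]: Invalid user delta from 192.0.2.20
Feb 20 14:31:35 batdaf sshd[1723]: Invalid user test from 192.0.2.20
Feb 20 16:14:09 batdaf sshd[5355]: Invalid user from 198.51.100.7
Feb 20 16:15:00 batdaf sshd[5360]: Accepted publickey for cts from 192.0.2.30 port 51000 ssh2
EOF

flag_sources "$LOG" 3
```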



with ssh_blocking

Feb 20 14:31:33 batdaf sshd[1721]: Invalid user lpd from 210.118.94.55
Feb 20 14:31:35 batdaf sshd[1723]: Invalid user lpa from 210.118.94.55
Feb 20 14:31:38 batdaf sshd[1725]: Invalid user admin from 210.118.94.55
Feb 21 13:48:16 batdaf sshd[2492]: Invalid user delta from 131.206.19.202
Feb 21 13:48:19 batdaf sshd[2494]: Invalid user admin from 131.206.19.202
Feb 21 13:48:22 batdaf sshd[2496]: Invalid user test from 131.206.19.202
Feb 21 13:53:56 batdaf sshd[2517]: Invalid user project from 131.206.19.202
Feb 21 13:59:32 batdaf sshd[2531]: Invalid user jeeto from 131.206.19.202
Feb 21 14:05:10 batdaf sshd[3421]: Invalid user http from 131.206.19.202
Feb 21 14:53:01 batdaf sshd[3484]: Invalid user delta from 210.115.43.58
Feb 21 14:53:03 batdaf sshd[3487]: Invalid user admin from 210.115.43.58
Feb 21 14:58:36 batdaf sshd[3490]: Invalid user violet from 210.115.43.58
Feb 21 16:14:09 batdaf sshd[5355]: Invalid user from 202.8.178.250


#!/bin/bash
# block annoying ssh login attempts
# allow 10 attempts per hour, remembers attempts for one hour
# needs iptables from unstable, ie 1.3.2-1

# The two rule specifications are kept in variables so that "stop" deletes
# exactly the rules "start" added, wherever they sit in the chain
# ("iptables -D INPUT 1" would remove whatever rule happens to be first).
ACCEPT_RULE="INPUT -p tcp --syn -d 0.0.0.0/0 --dport 22 -j ACCEPT \
    -m hashlimit --hashlimit 10/hour --hashlimit-mode srcip,dstip \
    --hashlimit-burst 3 --hashlimit-name ssh --hashlimit-htable-expire 3600000"
REJECT_RULE="INPUT -p tcp --syn -d 0.0.0.0/0 --dport 22 -j REJECT \
    --reject-with icmp-host-prohibited"

case "$1" in
start)
    # rate-limited ACCEPT at the top of INPUT, catch-all REJECT at the bottom
    iptables -v -I $ACCEPT_RULE
    iptables -v -A $REJECT_RULE
    ;;
stop)
    iptables -v -D $ACCEPT_RULE
    iptables -v -D $REJECT_RULE
    ;;
show)
    iptables -L -vn
    echo ""
    echo "/proc/net/ipt_hashlimit/ssh"
    echo ""
    cat /proc/net/ipt_hashlimit/ssh
    ;;
*)
    echo "start stop show"
    ;;
esac
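How the hashlimit rule above arrives at its verdicts is easier to see on a model than on the counters in /proc. The script below is an added example for this page, not netfilter code and not part of the slides: it models the match as a token bucket, as assumed from the iptables hashlimit documentation (each source starts with --hashlimit-burst credits, earns one credit per 360 s for 10/hour, never holds more than the burst, and every SYN spends one credit or is rejected). The connection list is constructed; the result is the pattern in the log with ssh_blocking above, three attempts within seconds and then single ones minutes apart.

```shell
#!/bin/sh
# simulate_hashlimit FILE [BURST] [INTERVAL] -> "seconds srcip ACCEPT|REJECT"
# Input lines: "SECONDS SRCIP", one SYN to port 22 each, in time order.
# Token-bucket model of "--hashlimit 10/hour --hashlimit-burst 3" keyed by
# source address (the rule keys on srcip,dstip; one destination is assumed).
simulate_hashlimit() {
    awk -v burst="${2:-3}" -v interval="${3:-360}" '
    {
        t = $1 + 0; ip = $2
        if (!(ip in credit)) { credit[ip] = burst; last[ip] = t }
        credit[ip] += (t - last[ip]) / interval   # refill for elapsed time
        if (credit[ip] > burst) credit[ip] = burst
        last[ip] = t
        if (credit[ip] >= 1) { credit[ip] -= 1; v = "ACCEPT" } else v = "REJECT"
        print t, ip, v
    }' "$1"
}

# verdicts FILE [BURST] [INTERVAL] -> the verdict column only, space separated
verdicts() {
    simulate_hashlimit "$@" | awk '{ printf "%s%s", sep, $3; sep = " " }'
}

# Constructed sample: one source hammering every 5 s, a second source that
# connects twice later on, then the first source again at 1000 s, when it has
# earned back about 2.7 credits.
SYNS=$(mktemp)
cat > "$SYNS" <<'EOF'
0 192.0.2.10
5 192.0.2.10
10 192.0.2.10
15 192.0.2.10
20 192.0.2.10
400 192.0.2.20
405 192.0.2.20
1000 192.0.2.10
1001 192.0.2.10
1002 192.0.2.10
EOF

simulate_hashlimit "$SYNS"
```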


Misc

◮ configure sound with alsaconf

◮ set the volume with aumix, alsamixer

◮ set up printers with lprng (simple)

or CUPS (AMD64: printing from OO, Acroread, ...)

◮ faubackup
