Hi John,

All externally visible internet hosts are subject to port scans and
automated brute-force login attempts via SSH/HTTPS/other common services,
via bots - especially in the wake of the Debian OpenSSL weak key issue.

Restricting logins via IP is a very powerful means of protecting yourself
- and probably second on the priority list after only running
secure, encrypted services. The 3-way TCP handshake makes it very
difficult for people to reliably spoof an IP address within a TCP
connection - unless they have infiltrated an ISP somewhere.

Third would be to change off the default ports - I'm pretty sure port 22
receives more than its fair share of automated SSH cracks - likewise with
443 for HTTPS.

Obviously, the fewer services that are running the better, particularly
the fewer that are exposed (via firewall rules or otherwise) externally.

The American spooks have some reasonable basic security guidelines
available at:
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/redhat/rhel5-pamphlet-i731.pdf
(They have an extended list, which covers other OSes also:
http://www.nsa.gov/snac/downloads_all.cfm )

A product which may be of interest is
http://www.yubico.com/products/yubikey/
It is a USB key that acts as a keyboard HID device - you select your
password field, then press a button on the key, and voila - a one-time
password is used to authenticate you.
My understanding is that there is an open-source PAM module available
for it for use with Linux.

Best Regards,
Ivan
On Wed, 27 Aug 2008, John Kinsella wrote:
> Hi,
> no flames please!
> 
> I'm being regularly subjected to what appear to auth.log (and me) to be
> attempted break-ins on my office desktop machine (Ubuntu Hardy Heron with
> Firestarter firewall)
> e.g.
> 
> ==============8<===========
> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68 user=root
> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from
> 200.78.212.68 port 34256 ssh2
> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking getaddrinfo for
> na-200-78-212-68.na.avantel.net.mx [200.78.212.68] failed - POSSIBLE BREAK-IN
> ATTEMPT!
> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 200.78.212.68
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass; user
> unknown
> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68
> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user magazine
> from 200.78.212.68 port 34486 ssh2
> ==============8<===========
> 
> I'd like to keep sshd running so I can log in from home.
> 
> Other than changing firewall settings to block all but my ISP's IP addresses
> for access via ssh is there anything else that I should be looking at?
> 
> Thanks
> 
> John
> 
> --
> John A. Kinsella            Ph: +353-61-202148 (Direct)
>                                 +353-61-333644 x 2148 (Switch)
> Mathematics Dept.           e-mail: John.Kinsella at ul.ie
> University of Limerick      FAX: +353-61-334927
> IRELAND                     Web: http://jkcray.maths.ul.ie
> 
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
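The auth.log excerpt John quoted above is the raw material for the kind of check Ivan's advice implies: aggregate failed logins per source address, treat the home/ISP address as trusted, and flag everything else that is guessing root or non-existent accounts. The script below is an added example, not code from either poster; it parses the three sshd message shapes visible in the quoted log (Failed password, Invalid user, reverse-mapping failure). The sample log embeds the quoted lines plus one constructed line from a made-up home address (198.51.100.7), and the threshold of 5 failures is an assumed tuning value.

```python
"""Summarise sshd brute-force noise in auth.log and pick sources to block.

Added example (not the list posters' code). Parses the message shapes
quoted in the thread; pam_unix 'authentication failure' lines are
deliberately ignored because each one is paired with a 'Failed password'
line for the same attempt and would double-count.
"""
import re
from collections import defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# "Failed password for root from 1.2.3.4 port 34256 ssh2"
# "Failed password for invalid user magazine from 1.2.3.4 port 34486 ssh2"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP + r" port \d+ ssh2"
)
# "Invalid user magazine from 1.2.3.4"
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from " + IP)
# "reverse mapping checking getaddrinfo for host [1.2.3.4] failed - POSSIBLE BREAK-IN ATTEMPT!"
REVERSE_RE = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[" + IP + r"\] failed")


def new_record():
    """Per-source counters."""
    return {
        "failed": 0,              # Failed password events
        "users": set(),           # every account name tried
        "invalid_users": set(),   # names that do not exist on the box
        "root_attempts": 0,       # direct guesses at root
        "reverse_dns_failed": False,
    }


def summarize(lines):
    """Aggregate auth.log lines into {source_ip: record}."""
    by_ip = defaultdict(new_record)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            rec = by_ip[m["ip"]]
            rec["failed"] += 1
            rec["users"].add(m["user"])
            if m["user"] == "root":
                rec["root_attempts"] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            by_ip[m["ip"]]["invalid_users"].add(m["user"])
            continue
        m = REVERSE_RE.search(line)
        if m:
            by_ip[m["ip"]]["reverse_dns_failed"] = True
    return dict(by_ip)


def suspicious_sources(summary, trusted=frozenset(), threshold=5):
    """Sources worth a firewall rule: not on the trusted (home/ISP) list and
    either over the failure threshold, guessing root, or guessing accounts
    that do not exist. Sorted for stable output."""
    flagged = []
    for ip, rec in summary.items():
        if ip in trusted:
            continue  # Ivan's point: an IP allowlist beats any heuristic
        if rec["failed"] >= threshold or rec["root_attempts"] or rec["invalid_users"]:
            flagged.append(ip)
    return sorted(flagged)


# Sample input: the lines quoted in the thread (re-joined onto single lines)
# plus one CONSTRUCTED line from an assumed home address, 198.51.100.7.
SAMPLE_LOG = [
    "Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=200.78.212.68 user=root",
    "Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 200.78.212.68 port 34256 ssh2",
    "Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking getaddrinfo for "
    "na-200-78-212-68.na.avantel.net.mx [200.78.212.68] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 200.78.212.68",
    "Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass; user unknown",
    "Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user magazine from 200.78.212.68 port 34486 ssh2",
    # constructed: one mistyped password from the (assumed) home connection
    "Aug 27 19:02:10 jkcray sshd[16001]: Failed password for john from 198.51.100.7 port 50122 ssh2",
]

HOME_ADDRESSES = frozenset({"198.51.100.7"})  # assumed trusted address


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in sorted(summary.items()):
        print(f"{ip}: failed={rec['failed']} users={sorted(rec['users'])} "
              f"invalid={sorted(rec['invalid_users'])} root={rec['root_attempts']} "
              f"rdns_failed={rec['reverse_dns_failed']}")
    print("block:", suspicious_sources(summary, trusted=HOME_ADDRESSES))
```

Run it against a real `/var/log/auth.log` by replacing `SAMPLE_LOG` with the file's lines; the `trusted` set is where John's "all but my ISP's IP addresses" policy goes, and the output list is what a firewall deny rule (or a tool such as fail2ban) would act on.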