Re: SSH hacked?



musicman wrote:
On Tue, Jan 13, 2009 at 10:03 AM, Charlie Brune <Ubuntu@xxxxxxxxxxxxxx> wrote:
3. I only allow a few hard-to-guess users to log in via ssh. I do this
by adding a line like this to /etc/sshd_config

# user names/patterns are separated by spaces, not commas
AllowUsers xg17 ffd42y jfjfkk11

Once a user, such as "xg17", logs in, they use the "su" command to
become the user they really want to be.


Doesn't that then mean you have no idea which of the three accounts is
problematic, or which IP someone has broken in from, should something
nefarious happen?

Is it possible to log su commands, or is that already happening?

Very interesting discussion, btw.

Wouldn't it also mean you're creating additional accounts that can be
exploited on the system, while limiting which of the accounts can be
logged into by SSH alone?

It's easy for this discussion to get down to the micro-level for "this
is how you secure it" until it reaches an insane level of complexity for
a home user probably protecting his personal bank records at most...?
Not good, but unless he's a head of state or celebrity, I don't know
who'd be targeting him to jump through so many hoops when there are
hundreds or thousands of easier targets already, as long as the basics
have been followed.

I.e., he's behind a NAT router with only necessary ports open.

He doesn't have root allowed to log in via SSH.

He doesn't have an easy-to-guess password.

He runs an application like denyhosts configured for downloading
additional blocked IPs. Give three tries and you're blacklisted. (If
your password can be guessed in an automated attack in three guesses, I
think you need a new password scheme.)

If you're comfortable doing it, move SSH to another port for listening
by the outside net on the NAT router (as another poster suggested).

Periodically run chkrootkit and rkhunter.

Of course keep up with updates.

These alone should be all that's really necessary...more than necessary,
really...for the average home user.

If you want REALLY secure, you need to do things like...

Set up a second network card on another subnet with a small system
dedicated just to syslog (if your system is compromised, you CANNOT
trust its logs).

No wireless in your network range. It can be cracked by anyone with
tenacity.

Rotate your passwords on a monthly basis.

Audit everything with an MD5-checksum program, saving the results and
comparing against a copy kept on read-only media.

Encrypt all of your data into pseudo-volumes mounted as needed, so
attackers can only gain access to information mounted at the time.

Encrypt backups (you do make backups already, right?). Preferably to a
storage device kept in another area of the home, or in another building
if you have one on your property, like a temperate garage, so if there's
a home disaster the backup will survive.

Run scripts to audit ARP requests and note any unusual MAC addresses
that show up on your network.

Do not run any form of DHCP; hard-code everything and check that those
are the only devices on the network.

I'm sure there are others but you get the idea...

Oh, and if you suspect the system's been compromised, there is really no
"fix". You can't trust it. Any backups made after the point of
compromise are also worthless. The system could have trojans on it and
compromised binaries. The work that would go into restoring everything,
and again you can't 100% trust you didn't overlook something, would be
saved by wiping and reinstalling and then putting back your
non-executable personal files. If you think it was compromised and are
now asking for advice on securing SSH it's like hardening your home
against intruders while the dude under the stairs dressed in black with
a gun is biding his time with a Nintendo DS and giggling listening to
you putting in the new locks and bars on the windows.

And of course all of this is pointless if you have other users and can't
trust them to be careful with their passwords and accounts. Try running
a password cracker on the system periodically to audit their password
difficulty...run a dictionary attack or something like that. If you can
crack it quickly, an attacker can too.

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
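The questions raised in the thread above (which of the AllowUsers accounts an intruder came in on, from which IP, and whether su is logged) can be answered from /var/log/auth.log, because sshd logs every accepted login with the source address and Debian/Ubuntu su logs "Successful su for TARGET by USER" plus the pam_unix session line. The script below is an added example, not code from the post or the list; the log lines it parses are constructed sample data using RFC 5737 test addresses, and the three-failure cut-off mirrors the denyhosts setting mentioned in the reply.

```python
"""Added example (not from the thread): tie su escalations back to the SSH
login they came from, and count failed logins per source IP.

Parses the line formats sshd ("Accepted <method> for <user> from <ip> port <n>",
"Failed password for [invalid user ]<user> from <ip> port <n>") and Debian su
("Successful su for <target> by <user>", "FAILED su for <target> by <user>")
write to auth.log.  SAMPLE_AUTH_LOG is constructed sample data.
"""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Jan 13 10:03:01 box sshd[2345]: Accepted password for xg17 from 203.0.113.5 port 51234 ssh2
Jan 13 10:03:01 box sshd[2345]: pam_unix(sshd:session): session opened for user xg17 by (uid=0)
Jan 13 10:04:10 box su[2400]: Successful su for charlie by xg17
Jan 13 10:04:10 box su[2400]: + /dev/pts/0 xg17:charlie
Jan 13 10:04:10 box su[2400]: pam_unix(su:session): session opened for user charlie by xg17(uid=1001)
Jan 13 10:20:44 box sshd[2500]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 13 10:20:47 box sshd[2502]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Jan 13 10:20:51 box sshd[2504]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 13 10:21:00 box sshd[2506]: Failed password for ffd42y from 198.51.100.7 port 40004 ssh2
Jan 13 10:25:30 box sshd[2600]: Accepted publickey for jfjfkk11 from 192.0.2.10 port 60000 ssh2
Jan 13 10:26:02 box su[2650]: Successful su for root by jfjfkk11
Jan 13 10:26:02 box su[2650]: + /dev/pts/1 jfjfkk11:root
Jan 13 10:30:00 box su[2700]: FAILED su for root by xg17
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SU_LINE = re.compile(r"su\[\d+\]: (Successful|FAILED) su for (\S+) by (\S+)")


def correlate_su(log_text):
    """One record per su attempt: who tried to become whom, whether it worked,
    and the SSH login (auth method, source IP) the originating account used.
    Syslog is chronological, so the most recent 'Accepted' line for the
    originating user is the session the su came from."""
    last_login = {}
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip, port = m.groups()
            last_login[user] = {"method": method, "ip": ip, "port": int(port)}
            continue
        m = SU_LINE.search(line)
        if m:
            outcome, target, origin = m.groups()
            login = last_login.get(origin)
            records.append({
                "when": line[:15],            # "Jan 13 10:04:10"
                "via": origin,
                "became": target,
                "ok": outcome == "Successful",
                "ip": login["ip"] if login else None,
                "method": login["method"] if login else None,
            })
    return records


def failed_logins_by_ip(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts: the
    candidates a denyhosts-style 'three tries and you're out' rule would block."""
    counts = Counter(m.group(2) for m in map(FAILED.search, log_text.splitlines()) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def root_escalations(log_text):
    """Only the successful su-to-root events, the ones worth a second look."""
    return [r for r in correlate_su(log_text) if r["ok"] and r["became"] == "root"]


if __name__ == "__main__":
    for r in correlate_su(SAMPLE_AUTH_LOG):
        status = "ok" if r["ok"] else "FAILED"
        print(f"{r['when']}  {r['via']} -> {r['became']} [{status}]  ssh {r['method']} from {r['ip']}")
    print("blacklist candidates:", failed_logins_by_ip(SAMPLE_AUTH_LOG))
```

On a live box the same functions can be fed `open("/var/log/auth.log").read()`; the caveat from the reply still applies, though, since an intruder with root can edit auth.log, so the copy worth reading is the one shipped to a separate syslog host.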


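The checksum-audit step in the reply ("audit everything with a checksum program, save the results, compare against read-only media"), worked as an added example rather than the poster's own script. It uses SHA-256 instead of MD5, because MD5 collisions are cheap to construct, and writes the baseline in the "<hex>  <path>" form that `sha256sum -c` reads, so the copy burned to read-only media can be re-checked from a rescue CD without trusting any binary on the possibly compromised host. The directory tree and the "trojaned" file in demo() are constructed sample data.

```python
"""Added example (not from the thread): SHA-256 integrity baseline and check.

build_manifest() hashes every regular file under a root, dump_manifest()
writes it in sha256sum -c format, and compare() reports added, removed and
changed paths between a saved baseline and the current tree.  demo() runs a
constructed before/after scenario in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256.
    Symlinks are skipped rather than followed: an attacker can point one at a
    huge or special file, and a replaced link target shows up at its own path."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def dump_manifest(manifest):
    """Serialise as sha256sum -c compatible lines (two spaces between fields)."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")
            manifest[path] = digest
    return manifest


def compare(baseline, current):
    """The three lists a responder cares about: new, vanished and altered files."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then alter one 'binary',
    drop a new hidden file and delete a config file, and see what compare() says."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/ls", b"genuine ls\n")
        write("bin/ps", b"genuine ps\n")
        write("etc/rc.local", b"#!/bin/sh\nexit 0\n")
        baseline_text = dump_manifest(build_manifest(root))  # this is what goes on the CD

        # simulated compromise: replaced binary, dropped file, removed file
        write("bin/ls", b"trojaned ls\n")
        write("tmp/.hidden", b"dropped file\n")
        os.remove(os.path.join(root, "etc", "rc.local"))

        report = compare(load_manifest(baseline_text), build_manifest(root))
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8s} {paths}")
```

Hashing a live root filesystem takes a while and /proc, /sys and /dev should be left out; the point of the baseline is that it is written once, from a known-good install, and compared from media the host cannot modify.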
