Re: SSHD: Limit login attempt rate



On Fri, 25 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <c115e89f-027d-4865-aaa3-9f9c7941f2d4@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
bmearns wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

Moe Trin mentioned that port-knocking doesn't block out remote hosts
who can't connect on obscure ports, but I don't see how? This is also
my main reason for not moving the server to another port: I need to
be able to access it from a handful of networks that lock down all
but standard ports (i.e., from within these networks, you can't
connect to remote hosts on ports other than, say, 80, 8080, 22, and
maybe a few others), so I'm not clear on how port knocking would be
any different in this aspect?

Mmmmm... not the greatest selection, but given those three ports ONLY
to work with, I'd put the SSH server on port 80, and have the knocker
daemon listening on 8080 (although these numbers are FAR from the
optimum selection). Idea is that 8080 is closed on this server. The
good guy out there uses any network application (web browser, telnet,
ftp, ssh - ANYTHING that can be told to try to connect to a specified
port) and tries to connect to 8080. Give it a couple of seconds (to
resolve the address, get its head out of wherever, and send a SYN
packet to that port) then kill it. On the server end, the knocking
daemon notes the (failed/incomplete) connection attempt to 8080 that
came from IP address $FOO. It then opens (via temporary firewall rule)
the server port (in this example, 80) to address $FOO - for one
minute only, and then it removes that rule. On the remote, you
then tell your SSH client to connect to the server on port 80. You
have one minute for the firewall on the server to see this connection,
and let it get ESTABLISHED (look that keyword up in the HOWTO), and
away you go.

Now I say that '80', '8080', and '22' is far from the optimum set of
ports to use - obviously because 80 and 8080 are commonly used for
web services, and these are likely to be scanned, probed, inspected,
folded, and mutilated by common port scanning tools. '443' is also
likely, but would be better than 80 by a small amount. You have to
know what ports are available and likely to be allowed past firewalls
(outbound to remote 25 is often blocked except from the mail server
in an effort to control zombie spam), versus the ports that skript
kiddiez and bots will be scanning. Not an easy task to find something
that will work everywhere.

White-listing the addresses is similarly not a very practical option
for me. I wouldn't exactly call myself a "world traveler", but I do
have a tendency to connect back home from a wide variety of locations,
so I'd like to not blow off my "wobbly bits" as Moe Trin put it so
beautifully =).

Yeah, it's really bad when you are using a shotgun. Nonetheless, I
would strongly recommend that you look at address ranges. You will see
that some ranges have no real need to connect to your server.

As of last night, I implemented PKA-only access to ssh and have
whitelisted just a few users who are actually allowed to connect

That _alone_ goes a long way to protect your systems.

The call was coming from inside the network, leading me to believe
that someone in the building had hacked my wireless network and was
now trying to hack the systems behind it.

<cringe>

But here's the funny part: I had apparently set up a myentunnel service
on my windows laptop, set to open a tunnel back home whenever the
system started. I vaguely recall doing this now, but totally forgot
about it in the meantime.

<CRINGE!!!>

I've disabled that service now, but I guess it all worked out for the
best, since it got me thinking about security.

And that also is a major help. (I hope that laptop was never leaving
the building - auto-connects with hard-coded passwords are a massive
security hole.)

Old guy
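The knock-then-open flow described in the reply above, as an added example that is not part of the original post: a minimal Python gate that notes a SYN to the closed knock port, grants the knocking address a one-minute, SYN-only allow rule on the real service port, and revokes it once the minute is up. The daemon, the DryRunFirewall backend, the addresses and the timings are all constructed here; the backend only records the iptables commands it would issue, so the logic runs offline.

```python
"""Port-knock gate for the scenario in this thread (constructed example).

KNOCK_PORT is closed on the server; a SYN to it from address $FOO opens
SERVICE_PORT to $FOO for OPEN_SECONDS, then the rule is removed again.
"""
from dataclasses import dataclass, field

KNOCK_PORT = 8080      # closed port the good guy "knocks" on
SERVICE_PORT = 80      # where sshd actually listens in this example
OPEN_SECONDS = 60      # the one-minute window from the post


@dataclass
class DryRunFirewall:
    """Stand-in backend: records iptables commands instead of running them."""
    commands: list = field(default_factory=list)

    def allow(self, ip):
        # Accept only the initial SYN from this address; the usual
        # ESTABLISHED,RELATED rule then carries the rest of the session,
        # so removing this rule later does not cut a live connection.
        self.commands.append(
            f"iptables -I INPUT -s {ip} -p tcp --dport {SERVICE_PORT} --syn -j ACCEPT")

    def revoke(self, ip):
        self.commands.append(
            f"iptables -D INPUT -s {ip} -p tcp --dport {SERVICE_PORT} --syn -j ACCEPT")


class KnockGate:
    """Tracks which addresses currently hold a temporary allow rule."""

    def __init__(self, firewall):
        self.fw = firewall
        self.open_until = {}   # ip -> time at which its rule expires

    def expire(self, now):
        # Drop every rule whose minute has passed before handling new traffic.
        for ip in [ip for ip, t in self.open_until.items() if now >= t]:
            del self.open_until[ip]
            self.fw.revoke(ip)

    def on_syn(self, ip, dport, now):
        """Handle one observed SYN (e.g. parsed from a firewall log line)."""
        self.expire(now)
        if dport == KNOCK_PORT:
            if ip not in self.open_until:       # first knock: insert the rule
                self.fw.allow(ip)
            self.open_until[ip] = now + OPEN_SECONDS   # re-knock refreshes it
            return "knock-accepted"
        if dport == SERVICE_PORT:
            return "allowed" if ip in self.open_until else "dropped"
        return "ignored"


def replay(events):
    """Run constructed (ip, dport, seconds) events through a fresh gate."""
    fw = DryRunFirewall()
    gate = KnockGate(fw)
    outcomes = [gate.on_syn(ip, port, t) for ip, port, t in events]
    return outcomes, fw.commands


# Constructed sample traffic, not taken from the thread.
SAMPLE_EVENTS = [
    ("203.0.113.5", 8080, 0),    # good guy knocks on the closed port
    ("203.0.113.5", 80, 12),     # connects with ssh inside the minute
    ("198.51.100.9", 80, 20),    # a scanner that never knocked
    ("203.0.113.5", 80, 75),     # same good guy, but the minute has passed
]

if __name__ == "__main__":
    outcomes, commands = replay(SAMPLE_EVENTS)
    for (ip, port, t), result in zip(SAMPLE_EVENTS, outcomes):
        print(f"t={t:3d}s  {ip:>13} -> port {port}: {result}")
    print("\n".join(commands))
```

Running the file replays the sample events: the knocking address gets in at t=12, the scanner that never knocked is dropped, and the same address is dropped again at t=75 because the rule was revoked at the minute mark. A real daemon would feed on_syn() from the kernel's firewall log or a packet capture rather than from a list, and with only 80/8080/22 to choose from it would also have to live with the scanner noise on those ports that the reply above points out.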