Hi. Err... had to create a HN account to reply, whyrusleeping on #go-nuts told me this was here.
Feel free to file issues on github and consider that the "source of truth" for my code, and please ignore my site. I don't have time to throw together a web presence, too busy at work ;-)
Out of interest, has anyone else who's had their personal server mentioned on HN's frontpage noticed an uptick in SSH scans from those lovely folks in the PRC? Certainly did here.
Welp, 221.192.143.73/24 is going in the firewall config.
Unless you're a service provider who supplies SSH access to generic customers, there's no reason to continue running sshd on port 22. Use some other port and your random scans will drop by ~100%.
Those scans/bruteforce attempts are mostly harmless anyways, so there is very little benefit in changing the port. Has there been yet a single drive-by 0day attack against opensshd, because that's essentially the only thing the port change would help against.
The benefit in changing the port is that if you do reporting/logging of these things, the potentially-harmful scans aren't hidden under a morass of benign dictionary attacks.
This is unrelated, but I keep getting emails from my home server every two weeks or so that someone made three incorrect sudo attempt to run "sudo sh /tmp/somefile". There's nobody logged in via SSH, I have key-only author anyway, and the user who's trying to do this is apparently me. It doesn't originate in a console, and the only thing running as me is the Dropbox daemon. Anyone have any idea what's going on, and if I should be worried?
Dictionary attacks are by definition not benign. If a compromised host is sending any packets your way, it's best to drop them on the floor where they belong. Then, if for any reason, the person controlling that other host happens to e.g. run portscans to find other services or point nessus / metasploit your way, they are going to have a much harder time of doing so.
Install fail2ban to protect against these scans. With its default settings, it will ban an IP for ten minutes if it fails to login six times. That doesn't inconvenience real users but it makes it impractical to brute-force a password. It's probably available from your distribution's package repository.
1. SSH - security related - modify sshd config - no password auth, only key based, no root login, other than that the default sshd config for Ubuntu 12.04 is pretty ok.
PermitRootLogin no
If you do not use IPv6, you can disable sshd to use it.
#ListenAddress ::
ListenAddress 0.0.0.0
2. SSH - ease of maintenance related - change default port from 22 to smth else. This will not help against targeted attacks, but this will reduce the noise in the logs and will allow better visibility of attack attempts.
#Port 22
Port 63777 (or whatever)
Don't forget to reload ssh for changes to take effect and check with netstat what's running where.
If you are concerned with getting locked out you can do this:
2.1. enable sshd to listen on multiple ports simultaneously
Port 22
Port 63777 (or whatever)
2.2. Login through Port 63777, and only then disable Port 22.
3. The PRC thing - fail2ban and hosts is simple but not the best tools for the job.
3.1. You can disable access to your site for all China (or any other country for this matter) using ipset. Much better speed and ease of maintenance, it's even better then using iptables itself [ipset is iptables module], one set can contain/block up to 65000+ IPs.
3.2. If you want smth more targeted, then consider either sshguard or psad. They can be configured to block inline and dynamically add rules [perm/temp] to iptables.
Edit: forgot to mention another cute recipe. see below
If you are on AWS and are using security groups (you should), after you are done on the server, you can go to the security group in AWS Mgt Console and remove ingress for ssh ports. Now your server is accessible only on 80/443 and ssh is NOT accessible to anyone. Later, when you need to access the server - enable ingress for the ssh ports, do your job and disable again.
Thanks to all, and especially this post, for detailed security recommendations. I hope they convince others that security is important and not to be taken lightly.
I don't really think that security-by-obscurity alone is a good enough solution. I already disable both root logins and passwords on my shell, and have something that tails logs to firewall IPs that are doing nasty things that show up in my logs. It's cute that you assume I'm running Linux though ;-)
I ended up firewalling the entire /14 that /24 was assigned from, because, well, China bothers me...
Good it was helpful. Have a look at ipset. It is easy to use and very powerful. According to one of the sources China is appr. 5000 IP sub-nets only. one ipset can block up to 65000+. One of the sources for IP is MaxiMind - they shall have a free set of fresh IPs.
This is great. Not just because it's good code, but because I can understand it. I don't know if it's the comments, the clean code, or Go itself that makes it this easy, but it is. I used to believe "It's easier to write code than it is to read it.", but now I'm thinking of rephrasing it "It's easier to write mediocre code than it is to read it."
I'm not a software developer, computer scientist, or any kind of paid engineer. I'm an amateur. I started to learn to code in late middle school, and just kept at it on and off until now, near the close of high-school. Now with the menacing sign of college (or work?) on the horizon I'm left with a little doubt. I have had a jump start on programming and I haven't just been doing Fizzbuzz and "Hello, World!" programs all this time. I got some fun things done with Pyglet, LÖVE, sockets, file I/O, and IRCBots, but besides the lack of any significant projects in a MANLY language (i.e. C, C++, Assembly) and the creation of any projects that have been useful to others beyond mild entertainment, the biggest deficiencies I have are that I've never worked in a large group project and I have great difficulty reading other peoples code.
I have a git-hub. I write code. I've worked collaboratively on some simple things with people, but usually everyone involved, including me, loses interest and the project stagnates. I tried contributing to open source software. There's this great site called OpenHatch. It taught me the basics about how to send in issues, generate patch files, and use subversion. All the projects that OpenHatch displayed issues for tended to be in Python. This was right up my alley, or so I thought. I had never used twisted, but twisted was the code base with the most "easy-to-fix" bugs. I made a mistake though. Because I was trying to fix a massive project I had never used before and barely understood I ran into some difficulty. As the result of all my efforts, I may or may not have fixed a typo in a python docstring. I wasn't used to the issue system so I didn't open the issue for review and someone else made an identical patch with the same name. To this day I'm still not sure which was accepted. Oh well, it probably wouldn't have counted for much anyway. I wouldn't really have been able to call myself an "Open Source Developer!" anyway.
Twisted was an extreme issue, but understanding other peoples code was always difficult. Oh sure, I could follow along with a tutorial or example video, but if I ever tried to explore git-hub I never ran into anything that made sense to me and wasn't very basic.
I'm writing all this because this feels like a turning point for me and I have no where else to say it.
It's a turning point because I really "grokked" your code. It made sense and I don't even really know Go that well. I definitely haven't created any large projects in it, or even any small useful ones. My only experience with Go was my own old very basic IRCBot framework that pales in comparison to the one that's linked and doesn't even work, the tour of Go, and a few lectures by Rob Pike. The bot framework was meant to be an "OOP IRC Bot Framework in Go". I was really missing the point of the language, and it wasn't until nearly a year after trying to build that basic project that I started to watch talks on the language and really work at the online tour.
I have no where else to say this because no one else that I'm friends with codes. They might have coded or be interested in coding, but they don't actively code. It's not a hobby for them. Saying "I can read moderately complicated code on git-hub and it makes sense! :D" doesn't really carry any weight.
So thanks. I can finally say "I can read moderately complicated code on git-hub and it makes sense! :D", so I will.
I can read moderately complicated code on git-hub and it makes sense! :D
This bot is composed of some of the most useful code I've seen yet, and I haven't even compiled it.
I think Go, as a language, makes it much easier to write code that is both well-structured and readable. Of course, I have consumed a non-trivial quantity of the kool-aid, and I am convinced by the arguments that Rob Pike et al. made when outlining their design choices.
28 comments
[ 0.21 ms ] story [ 65.0 ms ] threadFeel free to file issues on github and consider that the "source of truth" for my code, and please ignore my site. I don't have time to throw together a web presence, too busy at work ;-)
Welp, 221.192.143.73/24 is going in the firewall config.
I've never heard of dropboxd doing anything like that. My inclination would be to nuke the box.
http://www.debian.org/security/2008/dsa-1571
Basic:
1. SSH - security related - modify sshd config - no password auth, only key based, no root login, other than that the default sshd config for Ubuntu 12.04 is pretty ok.
PermitRootLogin no
If you do not use IPv6, you can disable sshd to use it.
#ListenAddress ::
ListenAddress 0.0.0.0
2. SSH - ease of maintenance related - change default port from 22 to smth else. This will not help against targeted attacks, but this will reduce the noise in the logs and will allow better visibility of attack attempts.
#Port 22
Port 63777 (or whatever)
Don't forget to reload ssh for changes to take effect and check with netstat what's running where.
If you are concerned with getting locked out you can do this:
2.1. enable sshd to listen on multiple ports simultaneously
Port 22
Port 63777 (or whatever)
2.2. Login through Port 63777, and only then disable Port 22.
3. The PRC thing - fail2ban and hosts is simple but not the best tools for the job.
3.1. You can disable access to your site for all China (or any other country for this matter) using ipset. Much better speed and ease of maintenance, it's even better then using iptables itself [ipset is iptables module], one set can contain/block up to 65000+ IPs.
3.2. If you want smth more targeted, then consider either sshguard or psad. They can be configured to block inline and dynamically add rules [perm/temp] to iptables.
Edit: forgot to mention another cute recipe. see below
If you are on AWS and are using security groups (you should), after you are done on the server, you can go to the security group in AWS Mgt Console and remove ingress for ssh ports. Now your server is accessible only on 80/443 and ssh is NOT accessible to anyone. Later, when you need to access the server - enable ingress for the ssh ports, do your job and disable again.
I don't really think that security-by-obscurity alone is a good enough solution. I already disable both root logins and passwords on my shell, and have something that tails logs to firewall IPs that are doing nasty things that show up in my logs. It's cute that you assume I'm running Linux though ;-)
I ended up firewalling the entire /14 that /24 was assigned from, because, well, China bothers me...
I'm not a software developer, computer scientist, or any kind of paid engineer. I'm an amateur. I started to learn to code in late middle school, and just kept at it on and off until now, near the close of high-school. Now with the menacing sign of college (or work?) on the horizon I'm left with a little doubt. I have had a jump start on programming and I haven't just been doing Fizzbuzz and "Hello, World!" programs all this time. I got some fun things done with Pyglet, LÖVE, sockets, file I/O, and IRCBots, but besides the lack of any significant projects in a MANLY language (i.e. C, C++, Assembly) and the creation of any projects that have been useful to others beyond mild entertainment, the biggest deficiencies I have are that I've never worked in a large group project and I have great difficulty reading other peoples code.
I have a git-hub. I write code. I've worked collaboratively on some simple things with people, but usually everyone involved, including me, loses interest and the project stagnates. I tried contributing to open source software. There's this great site called OpenHatch. It taught me the basics about how to send in issues, generate patch files, and use subversion. All the projects that OpenHatch displayed issues for tended to be in Python. This was right up my alley, or so I thought. I had never used twisted, but twisted was the code base with the most "easy-to-fix" bugs. I made a mistake though. Because I was trying to fix a massive project I had never used before and barely understood I ran into some difficulty. As the result of all my efforts, I may or may not have fixed a typo in a python docstring. I wasn't used to the issue system so I didn't open the issue for review and someone else made an identical patch with the same name. To this day I'm still not sure which was accepted. Oh well, it probably wouldn't have counted for much anyway. I wouldn't really have been able to call myself an "Open Source Developer!" anyway.
Twisted was an extreme issue, but understanding other peoples code was always difficult. Oh sure, I could follow along with a tutorial or example video, but if I ever tried to explore git-hub I never ran into anything that made sense to me and wasn't very basic.
I'm writing all this because this feels like a turning point for me and I have no where else to say it.
It's a turning point because I really "grokked" your code. It made sense and I don't even really know Go that well. I definitely haven't created any large projects in it, or even any small useful ones. My only experience with Go was my own old very basic IRCBot framework that pales in comparison to the one that's linked and doesn't even work, the tour of Go, and a few lectures by Rob Pike. The bot framework was meant to be an "OOP IRC Bot Framework in Go". I was really missing the point of the language, and it wasn't until nearly a year after trying to build that basic project that I started to watch talks on the language and really work at the online tour.
I have no where else to say this because no one else that I'm friends with codes. They might have coded or be interested in coding, but they don't actively code. It's not a hobby for them. Saying "I can read moderately complicated code on git-hub and it makes sense! :D" doesn't really carry any weight.
So thanks. I can finally say "I can read moderately complicated code on git-hub and it makes sense! :D", so I will. I can read moderately complicated code on git-hub and it makes sense! :D
This bot is composed of some of the most useful code I've seen yet, and I haven't even compiled it.
I think Go, as a language, makes it much easier to write code that is both well-structured and readable. Of course, I have consumed a non-trivial quantity of the kool-aid, and I am convinced by the arguments that Rob Pike et al. made when outlining their design choices.