If you think someone could get in thru the ssh port (exploiting an undisclosed vulnerability or with brute force password cracking) moving it elsewhere is not a long term solution. fail2ban is good to avoid brute force attacks, but portknocking with i.e. fwknop will be safer in more situations. If a service is not meant for the public then they shouldn't be able to even notice that is there.
fail2ban and other programs that just grep a log file are a horrible idea as most of them can't properly parse a log entry and it's possible to inject an arbitrary ip address into the log file one way or another. I'm not sure if there are any outstanding exploits for the latest version of fail2ban right now but the whole concept of searching through log files that are in a format that can change at any time, aren't delimited properly, and subject to the sysadmin customizing is a precarious one at best.
Even if fail2ban and others were perfect, all it would take is the sysadmin customizing the log format to include some random field and all the sudden it's possible for an attacker to block every IP address with one request.
Does pam_abl work when you're not using PAM for authentication--only for authorization ("account") and session management? e.g., when UsePAM is enabled, but ChallengeResponseAuthentication and PasswordAuthentication are disabled.
I believe this is the problem with using pam_tally2. Then again, if you're only allowing PubkeyAuthentication then maybe you don't care about brute force login attempts so much.
If you're worried about that, it probably shouldn't be publicly accessible in the first place.
Yes, moving ports helps, but it's not a real defense. It just lowers bandwidth costs and prevents some not-so-harmful attacks (from people who don't know whether what they've compromised has any value.)
At the very least, use public-key authentication instead of password authentication for SSH.
It's indeed a large amount of traffic. But it's not scary. None of it will get through if your SSH software is up to date, you have it configured properly, and user accounts are managed sanely. The attacks to be scared of are those that are actually targeted at you. And they will find the port SSH is running on either way.
For complex setups you sooner or later have to dynamically add/remove rules, based on values only known at runtime (such as an IP address obtained by DHCP). Then, a simple list of rules doesn't suffice, and some kind of programming is needed.
To solve such problems elegantly I designed my "NCD programming language" (link: https://code.google.com/p/badvpn/wiki/NCD ). The language has built-in backtracking, so in the case of iptables, the language itself makes sure any iptables rule that was added is also removed when that is necessary, in a manner not unlike exception handling in C++ etc. Link to iptables module: https://code.google.com/p/badvpn/source/browse/trunk/ncd/mod...
The interpreter is a userspace program. You can run if from a terminal if you wish and use it as a general purpose scripting language (though it's not quite that useful in that regard, yet).
umm, iptables is a part of the kernel, and is exactly the same, regardless of distribution. I've used a bunch of different distros and iptables is always the same. What is this guy talking about??
He's talking about wrappers. Wrappers are dist specific. Some people like to use UFW and so on. It's their choice. But real men call iptables directly.
Note that this requires a commitment to using cdist. cdist may be great, but it's not much different from puppet or chef or bcfg2 or whatever your favorite configuration management system is.
Since iptables comes from upstream (and is closely linked to the kernel), distros running the same version of the kernel already have the same iptables quirks. (There aren't many.) The article discusses distributing an iptables config file and having it run on startup, a task which can be equally well handled by the other config management systems.
This is interesting, but I'd rather prefer something like Ript (a Ruby DSL for Iptables) than a very specific implementation along with its assumptions.
27 comments
[ 1.5 ms ] story [ 70.2 ms ] threadThe amount of toxic traffic hitting that port is scary.
Even if fail2ban and others were perfect, all it would take is the sysadmin customizing the log format to include some random field and all the sudden it's possible for an attacker to block every IP address with one request.
Source: http://seclists.org/fulldisclosure/2007/Jun/138
A better alternative is something like pam_abl which only protects logins to a user on the system but with it ssh is essentially unbruteforceable.
I believe this is the problem with using pam_tally2. Then again, if you're only allowing PubkeyAuthentication then maybe you don't care about brute force login attempts so much.
Yes, moving ports helps, but it's not a real defense. It just lowers bandwidth costs and prevents some not-so-harmful attacks (from people who don't know whether what they've compromised has any value.)
At the very least, use public-key authentication instead of password authentication for SSH.
So in the majority of cases, traffic will get through? :P
I get a kick out of viewing all the failed attempts in /var/log/auth
Added bonus is adding all those bad guy addresses to my blacklists.
To solve such problems elegantly I designed my "NCD programming language" (link: https://code.google.com/p/badvpn/wiki/NCD ). The language has built-in backtracking, so in the case of iptables, the language itself makes sure any iptables rule that was added is also removed when that is necessary, in a manner not unlike exception handling in C++ etc. Link to iptables module: https://code.google.com/p/badvpn/source/browse/trunk/ncd/mod...
Oh, and it also runs in the browser ;) http://badvpn.googlecode.com/svn/wiki/emncd.html
And yes, real men use iptables directly. I never understood the need for wrappers, just makes it harder to debug and see whats really going on.
Since iptables comes from upstream (and is closely linked to the kernel), distros running the same version of the kernel already have the same iptables quirks. (There aren't many.) The article discusses distributing an iptables config file and having it run on startup, a task which can be equally well handled by the other config management systems.
https://github.com/bulletproofnetworks/ript
So long as you can write Ruby, this works in Chef, Puppet, or whatever.