NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Feb 16, 2005 9:58 am Post subject: Only allowing ssh access from a host with dynamic IP
I'm trying to restrict ssh access to my work box so that only the local network and my home box are allowed in.
At first I thought about using the mac match target of iptables, but it turns out that the gateway at work rewrites the MAC address to its own, so I can't know what MAC is trying to access my box.
So now I think I have to restrict by IP address in my INPUT chain. But having iptables do a DNS lookup every time a packet gets in would not be the most effective thing in the world...
So now the only option I can think of is having cron run a small script that updates my /etc/hosts with my dynamically assigned address (via no-ip.com), maybe every five minutes or so, so that iptables gets the address from there.
That should work, but I would like to know if anyone has any better ideas? This seems a bit too hackish to me... :)
_________________ Banana Republic
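An added example of the cron-driven approach described in the post above, written as a POSIX sh script; it is not code from the thread. One detail the plan misses: iptables resolves a hostname only at the moment a rule is inserted, so refreshing /etc/hosts alone does nothing to a rule that already exists; the rule itself has to be replaced. The script does that, validates the resolved address before anything reaches iptables (so an empty or malformed DNS answer can never become a firewall rule), and keeps the previous rule when the lookup fails. The chain name SSH_ALLOW, the LAN range, the state-file path and the hostname passed on the command line are all placeholders, and `getent ahostsv4` is a glibc feature.

```shell
#!/bin/sh
# Constructed example: refresh an iptables rule with the current address of a
# dynamic-DNS name. Chain name, LAN range and state path are placeholders.

SSH_PORT=22
LAN_NET="192.168.1.0/24"                                    # placeholder LAN
CHAIN="SSH_ALLOW"                                           # placeholder chain
STATE_FILE="${STATE_FILE:-/var/lib/ssh-dyn-allow/last_ip}"  # placeholder path

# valid_ipv4 ADDR: accept only a dotted quad with octets 0-255 and no leading
# zeros, so nothing but a clean address is ever spliced into a rule.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in 0[0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_ipv4 NAME: first IPv4 address for NAME, or nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# setup_commands: one-off commands for a dedicated chain. refresh inserts the
# dynamic host at the top, the LAN is always accepted, everything else is dropped.
setup_commands() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A %s -s %s -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$LAN_NET" "$SSH_PORT"
    printf 'iptables -A %s -p tcp --dport %s -j DROP\n' "$CHAIN" "$SSH_PORT"
    printf 'iptables -I INPUT -p tcp --dport %s -j %s\n' "$SSH_PORT" "$CHAIN"
}

# rules_for OLD NEW: commands that replace the rule for OLD with one for NEW.
# They are printed rather than run, so the logic can be checked without root.
rules_for() {
    if [ -n "$1" ]; then
        printf 'iptables -D %s -s %s -p tcp --dport %s -j ACCEPT || true\n' "$CHAIN" "$1" "$SSH_PORT"
    fi
    printf 'iptables -I %s 1 -s %s -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$2" "$SSH_PORT"
}

# refresh NAME: resolve NAME and swap the rule only when the address is valid
# and has changed; on a failed lookup the old rule stays in place.
refresh() {
    _new=$(resolve_ipv4 "$1")
    if ! valid_ipv4 "$_new"; then
        echo "refresh: no valid IPv4 address for $1, keeping old rule" >&2
        return 1
    fi
    _old=""
    if [ -r "$STATE_FILE" ]; then
        _old=$(cat "$STATE_FILE")
        valid_ipv4 "$_old" || _old=""
    fi
    [ "$_old" = "$_new" ] && return 0
    rules_for "$_old" "$_new" | sh -e
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$_new" > "$STATE_FILE"
}

# Usage: ssh-dyn-allow.sh setup           (once, as root)
#        ssh-dyn-allow.sh refresh NAME    (from cron, e.g. */5 * * * *)
case "${1:-}" in
    setup)   setup_commands | sh -e ;;
    refresh) refresh "$2" ;;
esac
```

Run `setup` once as root, then let cron call `refresh` with the no-ip.com name every few minutes. A rule keyed on a source address only filters by where a packet claims to come from, so it complements rather than replaces the key-only authentication and port knocking suggested later in the thread.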
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Wed Feb 16, 2005 10:14 am
Why?
Isn't ssh secure enough for you?
I would recommend two things.
1) Only allow public key authentication; this can be done in sshd.conf. Remember to keep your secret key very safe, i.e. on your person at all times, and password protected.
2) Port knocking.
_________________ My Public Key
Wanted: Instructor in the art of Bowyery
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Feb 16, 2005 11:51 am
nevynxxx wrote:
> Why?
> Isn't ssh secure enough for you?

I thought it was, until my box got cracked. So now I'm a bit more paranoid.

Quote:
> I would recommend two things.
> 1) Only allow public key authentication; this can be done in sshd.conf. Remember to keep your secret key very safe, i.e. on your person at all times, and password protected.
> 2) Port knocking.

This could prove more cumbersome since I sometimes have to connect to my box from a staff member's computer, and they usually run Windows. I don't know if putty can do port knocking, but I don't think so.
Likewise with the public key: it seems easier to just allow certain IPs. Also, using iptables is one less point of failure, since sshd isn't involved at all, and hence can't be cracked.
_________________ Banana Republic
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Wed Feb 16, 2005 12:06 pm
NiklasH wrote:
> This could prove more cumbersome since I sometimes have to connect to my box from a staff member's computer, and they usually run Windows. I don't know if putty can do port knocking, but I don't think so.
> Likewise with the public key: it seems easier to just allow certain IPs. Also, using iptables is one less point of failure, since sshd isn't involved at all, and hence can't be cracked.

You are trusting a third-party service (some DynDNS provider) more than your private keys? Hmm, something must be wrong. :?
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Wed Feb 16, 2005 1:43 pm
NiklasH wrote:
> I thought it was, until my box got cracked. So now I'm a bit more paranoid.

What was cracked though? Was it ssh or some other service?
Was it ssh via them obtaining your password, or brute forcing it, or what?

NiklasH wrote:
> This could prove more cumbersome since I sometimes have to connect to my box from a staff member's computer, and they usually run Windows. I don't know if putty can do port knocking, but I don't think so.
> Likewise with the public key: it seems easier to just allow certain IPs. Also, using iptables is one less point of failure, since sshd isn't involved at all, and hence can't be cracked.

The public key thing is easy: get the cheapest, smallest USB disk you can, and put putty and your keys on it.
Then make putty work on one Windows PC, and export the registry entries it creates.
Store that on the USB thing too.
Look at the file in a text editor; it's easy to find the bits that mention the drive letter. Then on any new PC, change the drive letter in the file and import it into that registry.
Delete when finished if you like.
The port knocking you should be able to make work just using telnet and a bash script, I would expect. All you actually need to do is hit the correct ports in the correct order; that will open up a high port you know, and you use putty to connect from there.
If you're going to be this paranoid, you will need to put some work in.
It would be nice if sshd_conf would allow you to restrict to specific IPs though.
_________________ My Public Key
Wanted: Instructor in the art of Bowyery
Casper Gasper Tux's lil' helper
Joined: 07 Sep 2004 Posts: 75 Location: London
Posted: Wed Feb 16, 2005 1:43 pm
I post this same suggestion whenever anyone asks about securing ssh, but here goes: run sshd on a different port. Place it on a high port number, and you'll see the rogue attempts at access drop to zero.
Casper.
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Wed Feb 16, 2005 1:47 pm
nevynxxx wrote:
> The public key thing is easy: get the cheapest, smallest USB disk you can, and put putty and your keys on it.
> Then make putty work on one Windows PC, and export the registry entries it creates.
> Store that on the USB thing too.
> Look at the file in a text editor; it's easy to find the bits that mention the drive letter. Then on any new PC, change the drive letter in the file and import it into that registry.
> Delete when finished if you like.

You just need putty.exe and the key on your USB keychain. No registry entries, nothing. Works on every Windows computer that has USB.
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Wed Feb 16, 2005 1:52 pm
j-m wrote:
> You just need putty.exe and the key on your USB keychain. No registry entries, nothing. Works on every Windows computer that has USB.

True, but if you want to access more than one machine, and don't like to keep typing in the FQDN and all the other niggling little settings in putty, the reg file is useful.
@Casper: Yes, that helps, but not an awful lot; the script kiddies will soon enough just raise the range of ports they use. The better option is port knocking. It doesn't matter how high a range they go for then, they won't even know you have ssh running, and you can even set the port knock software to detect network scans and shut all access off for a short time if you like, making your computer not exist while they are scanning.
_________________ My Public Key
Wanted: Instructor in the art of Bowyery
nobspangle Veteran
Joined: 23 Mar 2004 Posts: 1318 Location: Manchester, UK
Posted: Wed Feb 16, 2005 7:10 pm
I'd still like to know what got hacked, I thought sshd was totally secure. The only ways in I can see are by someone knowing your password or brute force cracking your password.
Personally I just have a private key and have passwords disabled, I can't see anybody cracking that.
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Feb 16, 2005 8:38 pm
nobspangle wrote:
> I'd still like to know what got hacked, I thought sshd was totally secure. The only ways in I can see are by someone knowing your password or brute force cracking your password.

I really don't know what was hacked, but suddenly there was an ssh service listening on port 56676. The only service I remember having activated was ssh. But it might have been some other method. I haven't had time to check the logs and stuff yet.
But as a general principle, nothing is totally secure. There have been flaws in sshd, and I'm sure some new ones will come up. And it's not always the good guys that find the flaws first.
So I have (once again) lost my belief that keeping a system up to date is enough to keep it secure, and now I want to be a bit more paranoid.
Especially since we're on a Gigabit network, so I would imagine putting up ftp servers and such on our boxes is pretty attractive for a certain type of people.

Quote:
> Personally I just have a private key and have passwords disabled, I can't see anybody cracking that.

No, generally I wouldn't think that either. But I take a sort of pride in being a Linux guy among Windows people in my team, and this was a great blow to my pride... :)
_________________ Banana Republic
NiklasH Apprentice
Joined: 30 Aug 2002 Posts: 211 Location: On top of something
Posted: Wed Feb 16, 2005 8:43 pm
j-m wrote:
> NiklasH wrote:
> > This could prove more cumbersome since I sometimes have to connect to my box from a staff member's computer, and they usually run Windows. I don't know if putty can do port knocking, but I don't think so.
> > Likewise with the public key: it seems easier to just allow certain IPs. Also, using iptables is one less point of failure, since sshd isn't involved at all, and hence can't be cracked.
> You are trusting a third-party service (some DynDNS provider) more than your private keys? Hmm, something must be wrong. :?

Good point.
Although I have to admit that I have made the leap of faith and started trusting that they actually give the right IP address to my box.
There's always some point where you have to go on faith, and to crack a rule that only allows a certain IP, they would have to know what address to fake. The chances of that seem pretty slim to me.
_________________ Banana Republic
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Wed Feb 16, 2005 8:59 pm
OK, back to your previous post, this looks almost for sure like a weak root password. Another reason to start using keys for authentication. ;)
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Tue Apr 26, 2005 6:24 pm
nobspangle wrote:
> I'd still like to know what got hacked, I thought sshd was totally secure.

NOTHING connected to the web is TOTALLY SECURE.
DNAspark99 Guru
Joined: 03 Sep 2004 Posts: 321
Posted: Tue Apr 26, 2005 7:02 pm
1: stronger passwords, no unused accounts
2: ssh key authentication only (UsePAM = NO!)
3: port knocking (yes, there is a Windows client) + a good firewall (I recommend FireHOL: "server ssh accept with knock SSH")
transcend n00b
Joined: 05 Nov 2003 Posts: 42 Location: NYC, NY
Posted: Tue Apr 26, 2005 7:09 pm
SSH keys and port knocking (firehol with knock) is all I use, and my logs are crystal clean. Good thing, because my passwords are weak and pretty hackable. :)
justanothergentoofanatic Guru
Joined: 29 Feb 2004 Posts: 337
Posted: Tue Apr 26, 2005 8:36 pm
There are two ways to implement every Linux authentication setup: the easy way, and the PAM WAY. The easy way is to add the following line to /etc/ssh/sshd_config:

```
AllowUsers *@domain1.com *@domain2.com *@localhost
```

The PAM WAY is to add the following line to /etc/pam.d/sshd:

```
account required /lib/security/pam_access.so
```

Then in /etc/security/access.conf, add:

```
+:ALL:.domain1.com .domain2.com
+:ALL:LOCAL
-:ALL:ALL
```

You must also compile sshd with the 'pam' USE flag for this to work.
-Mike
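An added example, not pam_access's own code and not part of the post above: a deliberately simplified first-match evaluator for access.conf-style lines, written in POSIX sh, to show why the order of the three lines in that ruleset matters. It handles only the subset the post uses (permission `+` or `-`, a user field of `ALL` or one login name, and origins of `ALL`, `LOCAL`, a `.domain` suffix or an exact hostname); `LOCAL` is modelled here as "a name containing no dot", which is an assumption of this toy, not a description of the real module's matching rules. The usernames and hostnames in the tests are constructed.

```shell
#!/bin/sh
# Constructed example: a simplified first-match evaluator for access.conf-style
# rules. It is not pam_access and covers only the subset used in the thread.

# The ruleset from the post (constructed input, embedded here).
RULES_FROM_POST='+:ALL:.domain1.com .domain2.com
+:ALL:LOCAL
-:ALL:ALL'

# The same lines with the catch-all first: the domain line is never reached.
RULES_DENY_FIRST='-:ALL:ALL
+:ALL:.domain1.com .domain2.com'

# origin_matches PATTERN HOST: 0 when PATTERN covers HOST.
# LOCAL is modelled as "no dot in the name" (an assumption of this toy).
origin_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# access_decision USER HOST [RULES]: prints ALLOW or DENY from the first line
# whose user and origin fields both match. When no line matches the answer is
# ALLOW, as pam_access grants access in that case; that is why the post's
# ruleset has to end with -:ALL:ALL to be deny-by-default.
access_decision() {
    _user=$1; _host=$2; _rules=${3:-$RULES_FROM_POST}
    _verdict=$(printf '%s\n' "$_rules" | while IFS=: read -r _perm _users _origins; do
        case "$_perm" in ''|'#'*) continue ;; esac   # blank line or comment
        _user_ok=1
        for _u in $_users; do
            if [ "$_u" = ALL ] || [ "$_u" = "$_user" ]; then _user_ok=0; break; fi
        done
        [ "$_user_ok" -eq 0 ] || continue
        for _o in $_origins; do
            if origin_matches "$_o" "$_host"; then
                case "$_perm" in +) echo ALLOW ;; *) echo DENY ;; esac
                exit 0    # leave the loop's subshell: the first match wins
            fi
        done
    done)
    echo "${_verdict:-ALLOW}"
}
```

Call `access_decision alice host.domain1.com` to see the post's ruleset allow a login from the trusted domain, and pass `"$RULES_DENY_FIRST"` as a third argument to see the same login denied once the catch-all line comes first.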