ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Jul 05, 2005 10:17 am Post subject: Ideas for a Network
Hello folks,
I am currently searching for ideas on improving my home-network.
The Situation:
Big Bad World <---->[ISP]<---(Transport Net)--->[Router-Box]<-----> Subnets, LAN, Link to another network
- The Router is a gentoo-Box with 5 real NICs and some tunnel devices
- The Subnets have official IPs
- The server machines in the subnets are gentoo-boxes
- Firewall Setup is rather restrictive - everything which is not allowed is forbidden
- every machine with an official IP needs port 22 open for maintenance, troubleshooting (putty via mobile phone, i.e.)
For the ones who look at the word 'home-network' in a strange way now, thinking that this girl here (me) has gone mad... yes it is my home-net. I like to do some overkill for it is good training and fun.
Problems on this network are the ssh login messages in the logs - I do not really care about bruteforce. Certificates for login. The way to do it would be blocking bad traffic at the router, but I do not have a clue how to set up a secure communication.
Commands over SSH with sudo? Parsing a file by cron filled with echo text >> file?
Thank you for your help
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9625 Location: beyond the rim
Posted: Tue Jul 05, 2005 11:16 am
Easiest solution: configure ssh to listen on a different port.
Other options: disable password logins (only allow keys) or disable root logins.
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Jul 05, 2005 11:37 am
Genone wrote:
> Other options: disable password logins (only allow keys) or disable root logins.
Quoting my post: I do not really care about bruteforce. Keys only for login doesn't clean out logs... you got tons of those entries:
Code:
    Jul 5 10:05:42 surprise sshd[16565]: Invalid user admin from <insert ip here>
avendesora Veteran
Joined: 16 Aug 2002 Posts: 1739 Location: Betelgeuse vicinity
Posted: Tue Jul 05, 2005 11:56 am
Have you tried lowering sshd's LogLevel?
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Jul 05, 2005 12:04 pm
mseigneurin, why let that traffic in anyway?
I am more thinking about detecting such bruteforce trials and blocking them.
Rei
avendesora Veteran
Joined: 16 Aug 2002 Posts: 1739 Location: Betelgeuse vicinity
Posted: Tue Jul 05, 2005 1:20 pm
Sorry, I misunderstood what you meant by "don't care about brute force attacks".
You should look into blacklisting (dynamically) the IPs that try those attacks, or indeed use different ports for ssh as Genone suggests.
|
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Jul 05, 2005 3:33 pm
My idea is like detecting an attack on one of my hosts and denying that IP on the gateway machine.
Rei
avendesora Veteran
Joined: 16 Aug 2002 Posts: 1739 Location: Betelgeuse vicinity
Posted: Tue Jul 05, 2005 3:36 pm
Then look for an IDS system (snort, for instance) that can do what you're saying. There's plenty of doc out there for this.
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Jul 05, 2005 3:42 pm
snort itself would only run correctly on the gateway box (the network is switched), which I personally consider a security risk.
Rei

Status update:
Currently I am monitoring my sshd on each box with app-admin/swatch, which works by analyzing the syslog. This is not realtime, but a good start. If bruteforcing is found, a command is executed to set a deny rule on the firewall (Howto from gentoo-wiki).
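The swatch-plus-deny-rule approach described in this post, as an added example that is not from the thread, from swatch or from the gentoo-wiki howto: a small Python detector that reads sshd syslog lines in the format quoted earlier in the thread, counts invalid-user and failed-password events per source IP inside a sliding time window, and returns the IPs that cross a threshold together with a hypothetical iptables deny rule for the gateway. The log lines, host name and addresses are constructed; the threshold, window length and rule syntax are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines (hypothetical host "surprise", no year in the timestamp).
SAMPLE_LOG = """\
Jul  5 10:05:42 surprise sshd[16565]: Invalid user admin from 203.0.113.7
Jul  5 10:05:44 surprise sshd[16567]: Invalid user test from 203.0.113.7
Jul  5 10:05:47 surprise sshd[16570]: Invalid user oracle from 203.0.113.7
Jul  5 10:06:01 surprise sshd[16572]: Failed password for invalid user guest from 203.0.113.7 port 51234 ssh2
Jul  5 10:07:10 surprise sshd[16580]: Failed password for rei from 198.51.100.9 port 40001 ssh2
Jul  5 10:40:00 surprise sshd[16601]: Invalid user admin from 192.0.2.5
Jul  5 10:41:00 surprise sshd[16602]: Invalid user admin from 192.0.2.5
Jul  5 11:30:00 surprise sshd[16650]: Invalid user admin from 192.0.2.5
Jul  5 11:31:00 surprise sshd[16651]: Invalid user admin from 192.0.2.5
"""

# Matches the two sshd failure messages we care about and captures timestamp and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def find_bruteforcers(log_text, threshold=4, window_seconds=600, year=2005):
    """Return {ip: timestamp_of_the_hit_that_crossed_the_threshold} for every
    source IP with at least `threshold` failures inside any `window_seconds` span.
    Threshold and window are assumed values; syslog lacks a year, so one is supplied."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire old attempts so slow probes are not counted
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def deny_rule(ip):
    """Hypothetical deny rule, in iptables syntax, to be pushed to the gateway box."""
    return f"iptables -I FORWARD -s {ip} -p tcp --dport 22 -j DROP"
```

With the constructed input, 203.0.113.7 is flagged on its fourth failure, while 192.0.2.5 is not because its four attempts span more than one window.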
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jul 05, 2005 7:48 pm
Might be a good starting point for your issue...
http://www.pettingers.org/code/SSHBlack.html
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself