Re: Phishing - Linux boxes are vulnerable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2007-10-04 at 14:32 -0500, Les Mikesell wrote:
> Mike Wright wrote:
> > Jacques B. wrote:
> > <snip />
> >> I'm no expert on this topic. But I do know a case where the
> >> application that was running on the web server was exploited due to a
> >> vulnerability in that application, not in Apache or the Linux box.  I
> >> suspect that is the case more often than not.  Someone compromises a
> >> web site that is running a vulnerable application.  That site happens
> >> to be hosted on a Linux box (because let's face it, a lot of web
> >> servers out there run on *nix).
> >>
> > 
> > Hi Jacques.
> > 
> > I think you're right on the money there.  Google for phpbb and hack for 
> > an example of your point.
> 
> There's also a huge amount of ssh password-guessing going on, and with 
> most distos, ssh is enabled by default on port 22.   What I've seen 
> appears to be very carefully time-constrained as though the programs 
> doing it are trying large numbers of machines at once and limiting the 
> attempts to any single machine to avoid notice.
> 

In order to reduce the chance of someone successfully hacking in 
through ssh unnoticed there a couple things I have been using for 
a number of years.

Change the default sshd config or add this one in hosts.allow :
--- snip ---
sshd : .domain.tld \
       <IP_ADDR/MASK> \
       : severity auth.info \
       : allow
sshd : ALL \
       : severity auth.notice \
       : deny
--- snip ---
It will allow you to monitor both rejected and successful ssh 
authentications, which you can grep from the logs and email 
irregularities. It also allows you to restrict the IP addresses, 
and/or host names allowed to connect to ssh. Make sure to 
disable the 'allow all' stuff. Also adding a "catch all" at 
the end of the hosts.allow like ;
--- snip ---
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."
--- snip---
can help you monitor other undefined daemons.


Edit sshd_config and add something like :
--- snip ---
AllowGroups staff
--- snip ---
This allows you to restrict ssh access to users assigned to group
'staff'. Using this you can assign only the users that should be 
allowed ssh access to successfully authenticate. Also stay far 
away from allowing access to user names like "john", especially 
since "john" is installed by default by the password cracker of 
the same name making your machine especially tasty.

You can also experiment with using 'spawn' in hosts.allow to 
send immediate alerts or log to 'hidden' files like this:
--- snip ---
sshd : KNOWN EXCEPT PARANOID \
       : spawn ( /bin/date "+%%b %%d %%T" | \
        /usr/bin/sed 's,$, %H %d[%p] allowed %u from %n [%a],' >> \
        /var/log/.wrapper.`date +%%Y-%%m-%%d`.log ) & \
       : allow
--- snip ---

Be careful to configure something to filter the things you don't 
want to be alerted to when setting up automatic alerts. I use 
'fgrep -vf <filterfile> <logfile>' in a cron job to mail 
root {me} any unusual ssh attempts. The filter file looks like :
--- snip ---
logfile turned over
Received signal
Server listening on
refused connect from
host name/name mismatch
host name/address mismatch
can't verify hostname
Did not receive identification string from 123.45.67.89
Accepted keyboard-interactive/pam for mister.tee from 45.67.89.123
Accepted keyboard-interactive/pam for john.frakes from 67.89.123.45
Accepted keyboard-interactive/pam for mr.magoo from 89.123.45.67
--- snip ---
Remember these are the things you don't want to see.

Hope this gives some of you food for thought. It would be nice if some 
of it made it into the default setup, but I have given up trying to get 
helpful stuff added. Go ahead and try if you want.

Happy hacker hunting, and Thanksgiving / Columbus Day to those 
celebrating this weekend.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux