Subject: Newbie with ssh-server running... Hacking attempts against me...

12-05-2008, 02:54 AM   #21
goarilla
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

Nico Kadel-Garcia wrote:
> Santa Claus wrote:
>> Nico Kadel-Garcia wrote:
>>>>> Have you ever read up on 'zero-day' exploits, and cracking kits?
>>>>
>>>> Not really. I'm using:
>>>>
>>>> # telnet localhost 22
>>>> Trying 127.0.0.1...
>>>> Connected to localhost.
>>>> Escape character is '^]'.
>>>> SSH-2.0-OpenSSH_4.7
>>>> ^C^C
>>>> Connection closed by foreign host.
>>>>
>>>>
>>>> So it's: OpenSSH_4.7p1, OpenSSL 0.9.7l 28 Sep 2006
>>>>
>>>>
>>>> Do I have to worry or upgrade? I just saw on openssh.com that
>>>> there's a new version: OpenSSH 5.0/5.0p1 released Apr 3, 2008.
>>>
>>> You need to stay up to date with patches, not necessarily the primary
>>> version. They started adding the capability for a chroot cage at
>>> about 4.7, after years of people like me lobbying and publishing
>>> patches to provide one.
>>>
>>>> I believe(d) that SSH even though it is from 2006, should be pretty
>>>> secure? Else I can upgrade in the coming days...
>>>> ** Posted from **
>>>
>>> Well, it depends on what you want to do. If you've got people
>>> accessing your site versus 'sftp', or scp with tools like 'WinSCP',
>>> you might want to update to version 5.0 and set up a real chroot cage
>>> to keep them away from the rest of your system.
>>
>> Ok. Thanks - I update when I get more time.
>>
>> ** Posted from **
>
> No sweat. If you need to give user file-access and want an easier, more
> manageable 'chroot' configuration, seriously consider WebDAV over HTTPS.
> It handles symlinks, which SCP and sftp do not, and has much better
> resolution over upload, download, and filesystem access.

Any good pointers on how to set it up? I tried it once (a few months back)
but couldn't even get a directory listing, although basic authentication
did work (without https).

12-05-2008, 04:55 AM   #22
Nico Kadel-Garcia
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

goarilla <"kevin<punt>paulus|"@|skynet punt> wrote:
> Nico Kadel-Garcia wrote:
>> Santa Claus wrote:
>>> Nico Kadel-Garcia wrote:
>>>>>> Have you ever read up on 'zero-day' exploits, and cracking kits?
>>>>>
>>>>> Not really. I'm using:
>>>>>
>>>>> # telnet localhost 22
>>>>> Trying 127.0.0.1...
>>>>> Connected to localhost.
>>>>> Escape character is '^]'.
>>>>> SSH-2.0-OpenSSH_4.7
>>>>> ^C^C
>>>>> Connection closed by foreign host.
>>>>>
>>>>>
>>>>> So it's: OpenSSH_4.7p1, OpenSSL 0.9.7l 28 Sep 2006
>>>>>
>>>>>
>>>>> Do I have to worry or upgrade? I just saw on openssh.com that
>>>>> there's a new version: OpenSSH 5.0/5.0p1 released Apr 3, 2008.
>>>>
>>>> You need to stay up to date with patches, not necessarily the
>>>> primary version. They started adding the capability for a chroot
>>>> cage at about 4.7, after years of people like me lobbying and
>>>> publishing patches to provide one.
>>>>
>>>>> I believe(d) that SSH even though it is from 2006, should be pretty
>>>>> secure? Else I can upgrade in the coming days...
>>>>> ** Posted from **
>>>>
>>>> Well, it depends on what you want to do. If you've got people
>>>> accessing your site versus 'sftp', or scp with tools like 'WinSCP',
>>>> you might want to update to version 5.0 and set up a real chroot
>>>> cage to keep them away from the rest of your system.
>>>
>>> Ok. Thanks - I update when I get more time.
>>>
>>> ** Posted from **
>>
>> No sweat. If you need to give user file-access and want an easier,
>> more manageable 'chroot' configuration, seriously consider WebDAV over
>> HTTPS. It handles symlinks, which SCP and sftp do not, and has much
>> better resolution over upload, download, and filesystem access.

> any good pointers on how to set it up i tried it once (few months back)
> but couldn't even get a directory listing although basic authentication
> did work (without https)



I'm surprised it was difficult. I just read the documentation, and was careful
to use 'Directory' rather than 'Location' based settings, and it worked from
the limited documentation built into HTTPD.

12-05-2008, 06:52 AM   #23
Sebastian G.
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

JD wrote:

> On Sun, 11 May 2008 20:08:35 +0200, Sebastian G. wrote:
>
>> JD wrote:
>>
>>> You trust things more than I would if I suspected a successful compromise.
>>
>> The kernel is always the ultimate authority in the system. If it decides
>> that root isn't the ueber-privileged user any more, it can enforce various
>> limitations. One is that the kernel's logging facility is completely
>> isolated, and all privileges that root could use to get access to kernel
>> memory or compromising the kernel are removed. That is, root might still
>> overwrite the privileges of any user, can change the system time, can debug
>> other processes, can read disks in raw mode etc. but he can't load any
>> drivers, do any kernel debugging, change the RTC time, write to the disk in
>> raw mode, or bypass access checks on the kernel's files and objects.
>
> I understand what you mean now. We just differ on our definitions.



I didn't claim that this model or approach is perfect or even a good idea.
But it's a non-theoretical productive OS where in a certain configuration
there simply is no ultimately powerful principal, and root is merely a
normal user with some privileges to manage non-system stuff.

12-05-2008, 08:49 AM   #24
Digital Mercenary For Honor
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

On 2008-05-10 19:07:30 -0400, Santa Claus <free_presents@greenland> said:

> Dear NG,
>
> Subject: Newbie with ssh-server running... Hacking attempts against
> me... I hope this question is appropriate - My log says:



- Use a non-standard SSH port immediately. I haven't used tcp/22 on any
of my servers in years.

- You sounded like you can code in PERL. Write a script that changes
your SSH port each day, or according to some date calculation you
invent to a non-standard port and promulgate the port information
inside your enterprise - this is easier than you think it is to do.

- Consider rolling your hosts behind a firewall that can use knockd or
something similar implementing a "knock, knock" protocol. This way, no
ports need to be open unless you send the properly formatted packets to
the right TCP ports in the right sequence in the right amount of time,
then the port "opens up". I use my own algorithm with ICMP packets that
contain cryptographic data that verifies to a limited degree the origin
of the sender.

- Be careful what information you share with the public in NG's and
other places about your problem.

- If you're using OS/X desktops, consider installing Little Snitch on
them for some added security.

/dmfh

--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx
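
The date-derived SSH port suggested in post #24, as an added example that is not part of the original post (written in Python rather than Perl). The HMAC-SHA256 derivation, the port range, the reserved-port set and all function names are assumptions chosen for illustration.

```python
import datetime
import hashlib
import hmac

# Constructed defaults for illustration; none of these values come from the thread.
PORT_MIN, PORT_MAX = 20000, 60000
RESERVED = frozenset({27017, 32400})   # hypothetical ports other local services use


def daily_port(secret, day, lo=PORT_MIN, hi=PORT_MAX, reserved=RESERVED):
    """Derive the SSH port for `day` (a datetime.date) from a shared secret.

    HMAC-SHA256 keyed with the secret lets every holder of the secret
    compute the same port, while earlier ports do not reveal later ones.
    """
    span = hi - lo + 1
    if len(set(reserved) & set(range(lo, hi + 1))) >= span:
        raise ValueError("every port in the range is reserved")
    counter = 0
    while True:
        msg = f"{day.isoformat()}|{counter}".encode()
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        port = lo + int.from_bytes(digest[:8], "big") % span
        if port not in reserved:
            return port
        counter += 1   # reserved port: derive the next candidate for the same day


def schedule(secret, start, days=7):
    """Ports for the coming days, for distributing to users in advance."""
    dates = [start + datetime.timedelta(n) for n in range(days)]
    return [(d, daily_port(secret, d)) for d in dates]


def sshd_port_line(secret, day):
    """The sshd_config directive a daily cron job would write before reloading sshd."""
    return f"Port {daily_port(secret, day)}"


if __name__ == "__main__":
    key = b"constructed-demo-secret"   # placeholder; keep a real secret out of the script
    for d, p in schedule(key, datetime.date.today()):
        print(d.isoformat(), p)
```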


12-05-2008, 10:01 PM   #25
Santa Claus
Re: Subject: Newbie with ssh-server running... Hacking attempts against me...

Digital Mercenary For Honor wrote:
> On 2008-05-10 19:07:30 -0400, Santa Claus <free_presents@greenland> said:
>
>> Dear NG,
>>
>> Subject: Newbie with ssh-server running... Hacking attempts against
>> me... I hope this question is appropriate - My log says:

>
>
> - Use a non-standard SSH port immediately. I haven't used tcp/22 on any
> of my servers in years.


Yes, I read that's a really good idea...

> - You sounded like you can code in PERL. Write a script that changes


I can code in many languages - though not really in Perl - I want to
learn it however...

> your SSH port each day, or according to some date calculation you invent
> to a non-standard port and promulgate the port information inside your
> enterprise - this is easier than you think it is to do.


Great idea... This could be my first real perl-project, after having
done some tutorials... It sounds like I can do that (I think it should
be easy in perl)...

> - Consider rolling your hosts behind a firewall that can use knockd or
> something similar implementing a "knock, knock" protocol. This way, no
> ports need to be open unless you send the properly formatted packets to
> the right TCP ports in the right sequence in the right amount of time,
> then the port "opens up". I use my own algorithm with ICMP packets that
> contain cryptographic data that verifies to a limited degree the origin
> of the sender.


Wow... Great idea - exactly what I was looking for... Thanks a lot...

> - Be careful what information you share with the public in NG's and
> other places about your problem.


I know... I believe nobody should even be able to see my IP when posting
through teranews...

> - If you're using OS/X desktops, consider installing Little Snitch on
> them for some added security.


Thanks... I'll consider that...


** Posted from **
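
The "right ports, in the right sequence, in the right amount of time" check discussed in posts #24 and #25, as an added example that is not part of either post and is not knockd's own code. It is a simplified model of the server-side decision; the sequence, timeout, addresses and function name are constructed for illustration.

```python
# Constructed knock sequence and time limit; not values from the thread.
SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 5.0          # seconds allowed from the first knock to the last

# Constructed sample events: (timestamp in seconds, source IP, destination port).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7000), (1.0, "192.0.2.10", 8000), (2.0, "192.0.2.10", 9000),
    # a scan that touches all three ports, with another port in between
    (0.5, "198.51.100.7", 7000), (0.6, "198.51.100.7", 7500),
    (0.7, "198.51.100.7", 8000), (0.8, "198.51.100.7", 9000),
    # right order, but too slow
    (10.0, "203.0.113.5", 7000), (12.0, "203.0.113.5", 8000), (17.0, "203.0.113.5", 9000),
    # right ports, wrong order
    (20.0, "203.0.113.9", 9000), (20.5, "203.0.113.9", 8000), (21.0, "203.0.113.9", 7000),
]


def authorized_sources(events, sequence=SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return [(timestamp, src_ip)] for each source that completes the sequence."""
    progress = {}      # src_ip -> (index of next expected port, time of first knock)
    opened = []
    for ts, src, port in sorted(events):
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > timeout:
            idx = 0                        # too slow: forget the earlier knocks
        if port == sequence[idx]:
            if idx == 0:
                started = ts               # the first knock starts the clock
            idx += 1
        elif port == sequence[0]:
            idx, started = 1, ts           # wrong port that is a fresh first knock
        else:
            idx = 0                        # any other port resets this source
        if idx == len(sequence):
            opened.append((ts, src))       # here the firewall rule would be added
            idx = 0
        if idx:
            progress[src] = (idx, started)
        else:
            progress.pop(src, None)
    return opened


if __name__ == "__main__":
    print(authorized_sources(SAMPLE_EVENTS))
```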