From: Ed Stover <estover@nativenerds.com>
Organization: Native Nerds
Date: Thu, 19 May 2005 03:36:53 -0600
To: Emanuel Strobl
cc: freebsd-questions@freebsd.org
Subject: Re: illegal user root user failed login attempts

Emanuel Strobl wrote:
> On Wednesday, 18 May 2005 22:56, Kirk Strauser wrote:
>
>> On Tuesday 17 May 2005 09:36, Peter Kropholler wrote:
>>
>>> As things stand, ssh is designed so you can't get at people's
>>> passwords and I am leaving it alone. Focussing instead on the task of
>>> making sure my passwords are strong, limiting AllowUsers to specific
>>> users and trusted IP addresses, and moving ssh off port 22.
>>
>> Alternatively, scrap all that and force RSA authentication after
>> disabling password login. I could give you my root password (and even
>> my personal password) and there isn't jack you can do with it because no
>> services authenticate off it; it's only useful for logging in locally.
>
> IMHO that's the only way to cope with these crappy hacked boxes.
> Additionally that was the original idea of SSH as far as I know.
> Maybe time to think about disabling ChallengeResponseAuth
> in /etc/ssh/sshd_conf by default in FreeBSD?
>
> -Harry

There is a wealth of things that we can do for protection:

1: (mentioned earlier) move ssh off port 22
2: use tcp wrappers "/etc/hosts.allow"
3: don't allow users to have a shell, or at least restrict the shell (rbash)
4: firewall incoming ssh connections

One of my personal favorite things to do is:

move ssh to port 1001
install portsentry
have portsentry listen to port 22
log, report to abuse, and repeat

You could even finger the machine that is trying to connect. It will tell you who was logged onto it when the incident happened.
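As an added example (not from anyone in this thread), the shell script below audits an sshd_config for the settings discussed above: key-only authentication with password and challenge-response logins disabled, no root login, an AllowUsers list, and a port other than 22. It relies on sshd's rule that the first occurrence of a keyword wins and that commented lines are ignored; the two sample configs, and the user/host names in them, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening discussed in the thread.
# sshd honours the first occurrence of a keyword; '#' lines are comments.

# sshd_opt FILE KEYWORD -> effective value of KEYWORD, or empty if unset
sshd_opt() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE -> one "FAIL ..." line per setting that is still weak
audit_sshd_config() {
    f="$1"
    v=$(sshd_opt "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "FAIL PermitRootLogin=${v:-unset} (want no)"
    v=$(sshd_opt "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "FAIL PasswordAuthentication=${v:-unset} (want no)"
    v=$(sshd_opt "$f" ChallengeResponseAuthentication)
    [ "$v" = "no" ] || echo "FAIL ChallengeResponseAuthentication=${v:-unset} (want no)"
    v=$(sshd_opt "$f" PubkeyAuthentication)
    [ "$v" != "no" ] || echo "FAIL PubkeyAuthentication=no (key auth replaces passwords)"
    v=$(sshd_opt "$f" AllowUsers)
    [ -n "$v" ] || echo "FAIL AllowUsers not set (restrict to named users/hosts)"
    v=$(sshd_opt "$f" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || echo "FAIL Port=${v:-22} (still on the default port)"
}

# count_fails FILE -> number of FAIL lines (0 means every check passed)
count_fails() { audit_sshd_config "$1" | grep -c '^FAIL' || true; }

# Constructed sample configs: a password-login config and a hardened one
WEAK=$(mktemp) HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
Port 1001
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers ed@192.168.1.89 kirk
#PasswordAuthentication yes   (comment: must be ignored by the audit)
EOF

audit_sshd_config "$WEAK"   # prints 5 FAIL lines for the weak config
audit_sshd_config "$HARD"   # prints nothing for the hardened config
```

Run it against /etc/ssh/sshd_config instead of the sample files to check a live host; a clean run prints nothing.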