Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-30-2006, 04:49 AM | #1 | Member | Registered: Sep 2005 | Location: Vienna, Austria | Distribution: Mint 13 | Posts: 524
shutting down sshd at night?
Hi!
I run a webserver and I can see every morning how each night some people try to intrude into the server through ssh. Those intrusion attempts happen almost only at night because they come mostly from overseas.
Since none of our administrators has to work between 2 a.m. and 6 a.m., I thought that I could shut down the ssh daemon during this time.
Now my questions:
1) Would it make sense to shut down my sshd every night?
2) If yes, how am I supposed to do so? When I shut down my sshd, I use kill. But how am I supposed to shut it down using cron?
Thanks.
11-30-2006, 06:33 AM | #2 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: would it make sense to shut down my sshd every night?
Best way is to first harden the boxen, sshd (protocol, allowed access, passphrases) and network access to them, and implement one method of http://www.linuxquestions.org/questi...d.php?t=340366. "Server" implies services should be continuously accessible. I know a lot of people who work on servers when other people sleep, so I wouldn't do it. Besides, in case of emergency, how are you going to access the box? Or do you use a web-based admin interface? In any case I'd discuss it with the responsible people first.
If you however feel you need to shut down services then at least use the proper initscript command like "/etc/init.d/sshd {stop,start}".
11-30-2006, 06:44 AM | #3 | Senior Member | Registered: Oct 2003 | Location: Northeastern Michigan, where Carhartt is a Designer Label | Distribution: Slackware 32- & 64-bit Stable | Posts: 3,541
Something I've found quite useful (it keeps those Korean and Chinese sites out of your pants) is http://denyhosts.sourceforge.net. It's a daemon that monitors your system logs for unsuccessful ssh login attempts (such as the Korean and Chinese [and too many other] dictionary or brute force attacks) and quickly adds the attacker's IP address to /etc/hosts.deny, effectively making you a black hole to them. It also shares bad guy addresses with other DenyHosts users around the world and updates /etc/hosts.deny periodically -- significantly better than fooling around with iptables constantly in my book.
Worth a look-see.
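A stripped-down version of what DenyHosts does, as an added example that is neither DenyHosts' code nor part of the original post: count failed sshd logins per source address from auth.log-style lines and emit hosts.deny entries once an address passes a threshold. The log lines, the thresholds and the whitelisted admin address are constructed for the example. One line in the sample carries a forged username of the kind used to trick log parsers into banning an innocent address, which is why the parser anchors on the "from <ip> port <n> ssh2" tail at the end of the line rather than on the first "from" it sees.

```python
"""Added example (not DenyHosts' code): count failed sshd logins per source
address in auth.log-style lines and emit hosts.deny entries past a threshold."""
import re
from collections import defaultdict

# OpenSSH's "Failed password" line. The username is attacker-chosen, so the
# source address is taken from the " from <ip> port <n> ssh2" tail at the END
# of the line, never from the first "from" that happens to appear.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.+?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)


def parse_failures(log_text):
    """Per source address: total failed passwords and how many of those were
    for accounts that do not exist (the strongest sign of a dictionary run)."""
    stats = defaultdict(lambda: {"failed": 0, "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["failed"] += 1
        if m.group("invalid"):
            entry["invalid"] += 1
    return dict(stats)


def offenders(stats, failed_limit=5, invalid_limit=2, whitelist=()):
    """Addresses over either threshold, minus a whitelist so an admin who
    mistypes a passphrase (or a forged log line) cannot lock the admins out."""
    return sorted(
        ip for ip, s in stats.items()
        if ip not in whitelist
        and (s["failed"] >= failed_limit or s["invalid"] >= invalid_limit)
    )


def hosts_deny_lines(ips, service="sshd"):
    """One tcp_wrappers entry per address, e.g. 'sshd: 203.0.113.7'."""
    return [f"{service}: {ip}" for ip in ips]


# Constructed sample log (addresses from documentation ranges). The 02:31:05
# line is a deliberately forged username ("x from 198.51.100.23 port 1 ssh2")
# meant to make a naive parser ban 198.51.100.23; the anchored regex
# attributes it to the real source, 192.0.2.200.
SAMPLE_LOG = """\
Nov 30 02:13:01 web sshd[4120]: Invalid user admin from 203.0.113.7
Nov 30 02:13:01 web sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 30 02:13:04 web sshd[4122]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 30 02:13:09 web sshd[4124]: Failed password for root from 203.0.113.7 port 51241 ssh2
Nov 30 02:13:12 web sshd[4126]: Failed password for oracle from 203.0.113.7 port 51250 ssh2
Nov 30 02:13:15 web sshd[4128]: Failed password for test from 203.0.113.7 port 51252 ssh2
Nov 30 02:20:40 web sshd[4130]: Failed password for bob from 198.51.100.23 port 40000 ssh2
Nov 30 02:20:46 web sshd[4131]: Accepted publickey for bob from 198.51.100.23 port 40002 ssh2
Nov 30 02:31:02 web sshd[4135]: Failed password for invalid user ftp from 192.0.2.200 port 60001 ssh2
Nov 30 02:31:05 web sshd[4136]: Failed password for invalid user x from 198.51.100.23 port 1 ssh2 from 192.0.2.200 port 60002 ssh2
Nov 30 02:40:00 web sshd[4140]: Accepted password for alice from 192.0.2.9 port 33000 ssh2
"""

if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s)
    # 192.0.2.9 is the (assumed) admin address and is never blocked
    print("\n".join(hosts_deny_lines(offenders(stats, whitelist={"192.0.2.9"}))))
```

Two caveats a practitioner should know before relying on this. hosts.deny only affects sshd if it was built against libwrap (post #6 makes the same point), and OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the list has to be fed into a firewall rule instead. The counters above are also unbounded in time; a real daemon should count within a window and expire old entries, otherwise a few genuine typos spread over weeks eventually add up to a block.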
11-30-2006, 11:16 AM | #4 | LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
Bah, don't shut it down, be more creative than that. Implement PORT KNOCKING.
Port knocking will allow the port to remain closed so it doesn't show up in port scans until you knock on the door by touching the right numbered ports in the correct order and SHAZAM!! the port for ssh (or whatever service) is suddenly available for you to log in. It's like installing an electronic combination lock on your system.
more info
http://www.linuxjournal.com/article/6811
http://en.wikipedia.org/wiki/Port_knocking
http://doorman.sourceforge.net/ (knocking program including one for windows)
11-30-2006, 11:29 AM | #5 | Member | Registered: Apr 2006 | Location: Los Angeles, California | Distribution: Slackware, Ubuntu | Posts: 68
Move SSHD to a different port to prevent automated attacks.
Check out Modify SSH to Maximize Security to learn some simple ways to improve your SSHD security.
12-01-2006, 04:55 AM | #6 | Moderator | Registered: May 2001 | Posts: 29,415
Moving a listening port can be considered "security by obscurity". The only reason the foogazi article uses for changing ports is that it thwarts botnet tools but fails to mention that if you scan a port range and combine it with a banner scan you will find the port anyway. The article also doesn't mention using passphrases instead of passwords and limiting exposure through either iptables or hosts.allow (if compiled with -libwrap) if access allows it (as in admin access vs. pub access). It also doesn't mention the tools posted in http://www.linuxquestions.org/questi...d.php?t=340366 (of which DenyHosts is one).
I don't see how Port knocking enhances security. AFAIK it does not use any form of authentication or authorisation, so if no other restrictions are in place then brute-forcing the sequence should give you access to sshd. I'm tempted to call it a form of "security by obscurity" as well.
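To make the hardening points of posts #2 and #6 concrete (passphrase-protected keys instead of passwords, no root login, restrict who may log in), here is an added example that is neither from the thread nor OpenSSH's code: it audits an sshd_config against a small set of recommended settings and writes a hardened copy. It respects a rule that regularly bites people: sshd keeps the first value it reads for each keyword, so a PasswordAuthentication no placed after an earlier yes does nothing. The sample config, the recommended values and the account name alice are assumptions for the example; the defaults table reflects OpenSSH's documented behaviour for releases of this era (PermitRootLogin defaulted to yes until 7.0; SSH-1 server support was removed in 7.4, so the Protocol line only matters on older installs).

```python
"""Added example (not OpenSSH's code): audit an sshd_config for weak settings
and emit a hardened copy, honouring sshd's first-value-wins rule."""
import re

# Values this example recommends (assumptions for the example, not a standard).
RECOMMENDED = {
    "Protocol": "2",                 # SSH-1 is broken; releases >= 7.4 are SSH-2 only
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",  # keys with passphrases instead of passwords
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
    "MaxAuthTries": "3",
}

# What sshd assumes when a keyword is absent (OpenSSH defaults of this era;
# PermitRootLogin became prohibit-password in 7.0). Protocol is left out on
# purpose: its default changed between releases, so only an explicit line is judged.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+?)\s*$")


def _keyword(raw):
    """(lowercased keyword, value) for a config line, or None for blank and
    comment lines. sshd accepts both 'Key value' and 'Key=value'."""
    line = raw.split("#", 1)[0].strip()
    m = _LINE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def parse_sshd_config(text):
    """Effective global settings. sshd keeps the FIRST value it reads for each
    keyword; everything after the first Match line is conditional, so stop there."""
    effective = {}
    for raw in text.splitlines():
        kv = _keyword(raw)
        if not kv:
            continue
        key, val = kv
        if key == "match":
            break
        effective.setdefault(key, val)
    return effective


def audit(text):
    """lowercased keyword -> (effective value, recommended value) for every
    setting that differs from RECOMMENDED, plus a missing AllowUsers/AllowGroups."""
    eff = parse_sshd_config(text)
    findings = {}
    for key, want in RECOMMENDED.items():
        have = eff.get(key.lower(), DEFAULTS.get(key.lower()))
        if have is not None and have.lower() != want.lower():
            findings[key.lower()] = (have, want)
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings["allowusers"] = (None, "<admin accounts only>")
    return findings


def hardened_config(text, allow_users):
    """Rewrite: recommended lines go first (so they win), superseded global
    lines are dropped, everything else (Port, Match blocks, ...) is kept."""
    out = ["# Hardened settings first: sshd uses the first value it sees."]
    out += [f"{key} {val}" for key, val in RECOMMENDED.items()]
    out.append("AllowUsers " + " ".join(allow_users))
    managed = {k.lower() for k in RECOMMENDED}
    in_match = False
    for raw in text.splitlines():
        kv = _keyword(raw)
        if kv and kv[0] == "match":
            in_match = True
        if kv and not in_match and kv[0] in managed:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: a weak config of the kind the thread is discussing.
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # ignored by sshd: the first value above wins
#PermitEmptyPasswords no
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, (have, want) in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{key}: {have!r} -> {want}")
    print(hardened_config(SAMPLE_CONFIG, allow_users=["alice"]))
```

Run it as-is to see the findings for the sample (the second PasswordAuthentication line is correctly ignored and the effective value reported is yes), then point parse_sshd_config at your own /etc/ssh/sshd_config. Combine the result with what post #6 suggests at the network layer: even with keys only, exposing port 22 to the world is a choice, not a requirement.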
12-01-2006, 12:48 PM | #7 | Member | Registered: Aug 2004 | Location: India | Distribution: Redhat 9.0,FC3,FC5,FC10 | Posts: 257
If you're sure no one's going to log in at night why not simply run a cron job which shuts down sshd at 12:00pm midnight? Another cron job could turn it on at 8:00am or whenever you need it.
Also I'd suggest doing:
1. Move sshd to another port. The reason being it'd probably stop a lot of automated code which brute forces anything running on port 22 if they find it open.
2. True, a full scan with a version scan will catch sshd running on port 54657, but it's still better than running it on 22. It wastes more attacker time.
3. Harden SSH. There are loads of guides available.
4. Why allow it over the Internet? If you have a firewall, block it off over the Internet, except for your own home IP maybe, something like:
allow MyIP Linuxserver 22
deny everyone Linuxserver 22
The cron should do the job though if you're sure no one's gonna log in to your box or there's no application running which internally uses SSH during the hours when sshd is off.
Cheers
Arvind
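For the cron approach asked about in post #1 and answered in posts #2 and #7, together with Arvind's caveat (don't cut sshd while someone, or some job, is still using it), an added example that is not from the thread: a script meant to run from cron every ten minutes during the quiet window. It stops sshd through the init script only when no SSH session is established, defers otherwise, and starts the daemon again once the window is over. The connection table, the 2 to 6 window, the init-script path /etc/init.d/sshd (post #2's command; the path varies by distribution) and the cron line are assumptions for the example. Note that stopping the listener does not terminate sessions already in progress, since each session runs in its own process; it only blocks new logins, which is the desired effect.

```python
"""Added example (not from the thread): cron-driven sshd window that refuses
to stop the daemon while an SSH session is established."""
import subprocess
from datetime import datetime

INIT_SCRIPT = "/etc/init.d/sshd"   # assumption: path from post #2; differs per distro
SSH_PORT = 22
QUIET_WINDOW = (2, 6)              # stop sshd from 02:00 until 06:00 (assumption)

# Suggested crontab line (install path is an assumption). Every 10 minutes
# during the window, so a deferred stop is retried and the 06:x0 runs restart sshd:
#   */10 2-6 * * * /usr/local/sbin/sshd_window.py


def in_quiet_window(hour, start=QUIET_WINDOW[0], end=QUIET_WINDOW[1]):
    """True if `hour` (0-23) lies in [start, end); the window may wrap midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def established_ssh_clients(conn_table, port=SSH_PORT):
    """Remote addresses with an ESTABLISHED TCP connection to our `port`,
    parsed from `netstat -tn` or `ss -tn` output (IPv4 columns assumed)."""
    peers = set()
    for line in conn_table.splitlines():
        fields = line.split()
        if "ESTABLISHED" not in fields and "ESTAB" not in fields:
            continue  # LISTEN, TIME_WAIT and friends do not hold a session
        for i in range(len(fields) - 1):
            if fields[i].endswith(f":{port}"):       # local address column
                peers.add(fields[i + 1].rsplit(":", 1)[0])
                break
    return peers


def decide(hour, conn_table, window=QUIET_WINDOW, port=SSH_PORT):
    """'stop' inside the window with no sessions, 'defer' while someone is
    still logged in, 'start' outside the window."""
    if not in_quiet_window(hour, *window):
        return "start"
    if established_ssh_clients(conn_table, port):
        return "defer"
    return "stop"


# Constructed `netstat -tn` output for the example (documentation addresses).
SAMPLE_TABLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.23:40002     TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.5:33001      ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.9:33000         ESTABLISHED
"""

if __name__ == "__main__":
    table = subprocess.run(["ss", "-tn"], capture_output=True, text=True, check=True).stdout
    action = decide(datetime.now().hour, table)
    if action in ("stop", "start"):
        subprocess.run([INIT_SCRIPT, action], check=True)
    else:
        print("sshd still in use, deferring stop:", established_ssh_clients(table))
```

The "start" action fires on every run outside the window, which most init scripts treat as a no-op when the daemon is already up; if yours complains, restrict the cron schedule to the window plus the first run after it. Whatever you do here, the emergency-access question from post #2 still stands: make sure there is an out-of-band way in before the first night.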
12-01-2006, 05:18 PM | #8 | LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
Quote:
Originally Posted by unSpawn
I don't see how Port knocking enhances security. AFAIK it does not use any form of authentication or authorisation, so if no other restrictions are in place then brute-forcing the sequence should give you access to sshd. I'm tempted to call it a form of "security by obscurity" as well.
True, someone could brute force the sequence, but they would have to think to try. They would need to know what port they are trying to unlock, otherwise how would they know when they hit the combination? And there are how many ports per IP address (65537 UDP ports alone)? The ASCII character set doesn't provide that many possibilities, so 65537 ports would make how many sequence combinations? Which would also depend on how many knocks you set your combination for. Quite a huge number of possibilities if I set a combination that required knocking on 10 different ports in a specific sequence.
I'm not saying it's a perfect solution, but if all your services are 'locked' with port knocking a scan against your machine will show no open ports. Is a cracker really going to bother to continue to go after that machine? How long would it take to attempt to brute force that knocking sequence? And there's still a username and password once you get the port open. Or would they move on to a softer target, you know, some person that has a ton of services running by default and all their ports open, a true playground.
I don't think that I would agree with calling port knocking security through obscurity, although I can see your point.
12-02-2006, 06:57 AM | #9 | Member | Registered: Jul 2006 | Distribution: Debian Testing | Posts: 299
You could also set the firewall to block all foreign IP addresses from your SSH port. If one of your admins goes on holiday just allow that country for a few weeks.
As for port knocking, it's security through obscurity because not knowing that the ports aren't really closed, and not knowing the combination, is what keeps attackers out. However passwords are also security through obscurity and we all know they're useful. Port knocking is a great tool.
Last edited by Tortanick; 12-02-2006 at 07:02 AM.
12-02-2006, 08:21 AM | #10 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: True someone could brute force the sequence, but they would have to think to try.. (..)
But I don't need to think about it if I can use a brute-forcing tool.
Quote: quite a huge number of possibilities if I set a combination that required knocking on 10 different ports in a specific sequence.
Yes, but people don't like (password) complexity so chances are knock sequences will not be complex either.
Also knocking definitely is overhead since it requires you to do something "extra".
I would really like to see people focus on basic host and network hardening before thinking about "fancy stuff".
12-02-2006, 08:27 AM | #11 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: However passwords are also security through obscurity
Can you explain why you find using passwords provides a false sense of security?
12-02-2006, 01:16 PM | #12 | Member | Registered: Jul 2006 | Distribution: Debian Testing | Posts: 299
I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is, but there are exceptions such as passwords and port knocking.
12-02-2006, 03:26 PM | #13 | Moderator | Registered: May 2001 | Posts: 29,415
Quote: I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is but there are exceptions such as passwords and port knocking
I can't see anyone marking using passwords as an example of "security through obscurity" so I'm afraid I have to conclude you're just skewing things out of true.
12-02-2006, 04:10 PM | #14 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
I wouldn't consider Port Knocking to be Security by Obscurity. In order to brute force a sequence of just 4 knocks it would require 65537* 65537* 65537* 65537 combinations = 1.84478700E+19!!! At this point you're basically at the level of difficulty on par with breaking encryption algorithms. Can it be done with brute force? Sure, but the number of years required to accomplish it with current computing power and network bandwidth would mean that the system you're trying to crack will be obsolete before you even have a 1% chance of getting in.
My personal definition of SbO is: Any measure that only trivially increases the amount of effort required by a savvy attacker.
Moving a service to a different port isn't going to fool a savvy attacker. They will simply run nmap, or another port scanner, against your system and quickly find out that SSH is on a different port. This will generally only take a minute or two, thus it's trivial. The same would be true of something like changing the banner for your Sendmail daemon to say that it was Postfix. Any savvy attacker is going to fingerprint the service (again, nmap) and find out that it's really Sendmail, or they won't even waste time attempting to discover if the MTA is likely to be vulnerable, they'll just run their exploit and find out that it works without even caring how it identified itself.
Port Knocking essentially has similar properties to cryptography, which is far from SbO. Using passwords significantly increases the difficulty over simply guessing a correct username (assuming you have a minimum length of 8 characters and some complexity requirements). Passwords are not SbO, either.
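On the knock-sequence argument running through posts #4, #8, #10 and #14, an added example that is neither from the thread nor any real knock daemon's code: a per-source knock tracker with the two properties a usable one needs (a per-step timeout and a reset on any wrong port), plus the keyspace arithmetic. The sequence, the addresses, the timings and the attacker's packet rate are constructed; the example counts 65536 port numbers (0 to 65535) per knock. What the arithmetic does not capture is unSpawn's point: the tracker authenticates nothing. A static sequence crosses the network in the clear, so anyone who can observe it (or a compromised client machine) can replay it, which is why later single-packet-authorization designs encrypt and sign the knock. Treat knocking as a way to hide a hardened sshd from scanners, not as a substitute for keys and access lists.

```python
"""Added example (not from the thread, not any real knock daemon): a per-source
port-knock tracker plus the brute-force arithmetic the thread argues about."""

PORT_COUNT = 65536  # TCP/UDP port numbers run from 0 to 65535


class KnockGuard:
    """Tracks how far each source address has got through the knock sequence.
    A wrong port resets the source, a pause longer than step_timeout resets it,
    and a completed sequence opens the door for that source for open_for seconds."""

    def __init__(self, sequence, step_timeout=5.0, open_for=20.0):
        if not sequence:
            raise ValueError("knock sequence must not be empty")
        self.sequence = tuple(sequence)
        self.step_timeout = step_timeout
        self.open_for = open_for
        self._progress = {}   # src -> (index of next expected knock, time of last knock)
        self._opened = {}     # src -> time until which the service is reachable

    def knock(self, src, port, now):
        """Register a packet from src to port at time now; True only on the
        knock that completes the full sequence."""
        idx, last = self._progress.get(src, (0, now))
        if idx and now - last > self.step_timeout:
            idx = 0                      # too slow: start over
        if port == self.sequence[idx]:
            idx += 1                     # expected knock
        elif port == self.sequence[0]:
            idx = 1                      # wrong knock, but it is a fresh start
        else:
            idx = 0                      # wrong knock: back to the beginning
        if idx == len(self.sequence):
            self._opened[src] = now + self.open_for
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, now)
        return False

    def is_open(self, src, now):
        """Whether src may currently connect to the guarded service."""
        return self._opened.get(src, 0.0) > now


def knock_keyspace(seq_len, port_count=PORT_COUNT):
    """Number of distinct sequences of seq_len knocks (repeats allowed)."""
    return port_count ** seq_len


def expected_brute_force_seconds(seq_len, knocks_per_second, port_count=PORT_COUNT):
    """Expected time to guess a sequence blind: half the keyspace on average,
    seq_len packets per guess, at a sustained packet rate."""
    guesses = knock_keyspace(seq_len, port_count) / 2
    return guesses * seq_len / knocks_per_second


if __name__ == "__main__":
    guard = KnockGuard([7000, 8000, 9000])          # constructed sequence
    for t, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        print(t, port, guard.knock("203.0.113.7", port, t))
    print("open at t=10:", guard.is_open("203.0.113.7", 10.0))
    years = expected_brute_force_seconds(4, 1_000_000) / (365 * 24 * 3600)
    print(f"4 knocks at 1M packets/s: about {years:.2e} years on average")
```

At a million packets per second, generous for anything arriving over the Internet, four knocks come out at roughly 1.2 million years on average, so blind guessing is not the attack; observation and replay of the sequence, or a knock daemon that never expires its opened entries, are. The step timeout matters for the same reason a login timeout does: without it, a slow scanner sweeping ports in order will eventually walk through an ascending sequence by accident.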