LinuxQuestions.org
#1, 11-30-2006, 04:49 AM, xpucto (Member)
shutting down sshd at night?


Hi!
I run a webserver and I can see every morning how each night some people try to intrude into the server through ssh. Those intrusion attempts happen almost only at night because they come mostly from overseas.
Since none of our administrators has to work between 2 a.m. and 6 a.m., I thought that I could shut down the ssh daemon during this time.
now my questions:
1) would it make sense to shut down my sshd every night?
2) if yes, how am I supposed to do so? when I shut down my sshd, I use kill. But how am I supposed to shut it down using cron?

thanks.
 
#2, 11-30-2006, 06:33 AM, unSpawn (Moderator)
Quote:
Originally Posted by xpucto
would it make sense to shut down my sshd every night?

Best way is to first harden the boxen, sshd (protocol, allowed access, passphrases) and network access to them and implement one method of http://www.linuxquestions.org/questi...d.php?t=340366. "Server" implies services should be continuously accessible. I know a lot of people who work on servers when other people sleep, so I wouldn't do it. Besides, in case of emergency, how are you going to access the box? Or do you use a web-based admin interface? In any case I'd discuss it with the responsible people first.
If you however feel you need to shut down services then at least use the proper initscript command like "/etc/init.d/sshd {stop,start}".
 
#3, 11-30-2006, 06:44 AM, tronayne (Senior Member)
Something I've found quite useful (it keeps those Korean and Chinese sites out of your pants) is http://denyhosts.sourceforge.net. It's a daemon that monitors your system logs for unsuccessful ssh login attempts (such as the Korean and Chinese [and too many other] dictionary or brute force attacks) and quickly adds the attacker's IP address to /etc/hosts.deny, effectively making you a black hole to them. It also shares bad guy addresses with other DenyHosts users around the world and updates /etc/hosts.deny periodically -- significantly better than fooling around with iptables constantly in my book.

Worth a look-see.
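What DenyHosts automates is a small log-driven decision, and it is worth seeing the decision itself before trusting a daemon with it. The following is an added example, not DenyHosts' code and not from the post above: it counts failed sshd logins per source address in a constructed auth-log excerpt and emits a /etc/hosts.deny line for every address at or above a threshold. The threshold value, the hostname "www" and all addresses in SAMPLE_LOG are made up for the example.

```shell
#!/bin/sh
# Added example; not DenyHosts' code. Core of what a log-watching denylister
# does: count failed sshd logins per source and emit hosts.deny entries.
# The log lines in SAMPLE_LOG are constructed for the example.
THRESHOLD="${THRESHOLD:-3}"     # failures before an address is denied (made up)

# failed_sources < auth.log : prints "IP count" for every source that produced
# a "Failed password" or "Invalid user" sshd line, most failures first.
failed_sources() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address always follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# deny_lines < auth.log : tcp_wrappers entries for /etc/hosts.deny. These are
# only honoured when sshd is built with libwrap; otherwise feed the same
# addresses to the firewall instead.
deny_lines() {
    failed_sources | awk -v t="$THRESHOLD" '$2 >= t { print "sshd: " $1 }'
}

SAMPLE_LOG='Nov 30 02:11:07 www sshd[4021]: Failed password for root from 198.51.100.23 port 51234 ssh2
Nov 30 02:11:09 www sshd[4023]: Failed password for root from 198.51.100.23 port 51240 ssh2
Nov 30 02:11:12 www sshd[4025]: Invalid user admin from 198.51.100.23
Nov 30 02:11:13 www sshd[4025]: Failed password for invalid user admin from 198.51.100.23 port 51251 ssh2
Nov 30 03:40:01 www sshd[4100]: Failed password for alice from 203.0.113.10 port 40022 ssh2
Nov 30 03:40:20 www sshd[4102]: Accepted publickey for alice from 203.0.113.10 port 40023 ssh2
Nov 30 04:02:55 www sshd[4130]: Failed password for invalid user oracle from 192.0.2.77 port 33000 ssh2
Nov 30 04:02:58 www sshd[4131]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2
Nov 30 04:03:01 www sshd[4132]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2'

# sample_deny: run the pipeline over the constructed log.
# 198.51.100.23 (4 failures) and 192.0.2.77 (3) are denied; alice's single
# typo from 203.0.113.10 stays below the threshold, which is why the
# threshold (and an allowlist for admin addresses) matters.
sample_deny() { printf '%s\n' "$SAMPLE_LOG" | deny_lines; }
```

Two caveats a practitioner would want here: an automated denylist will lock out your own admins after a few typos unless their addresses are allowlisted, and the hosts.deny mechanism depends on sshd being linked against tcp_wrappers (upstream OpenSSH dropped that support in 6.7), so on newer builds the same addresses have to go into the packet filter instead.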
 
#4, 11-30-2006, 11:16 AM, farslayer (LQ Guru)
Bah don't shut it down, be more creative than that. Implement PORT KNOCKING

Port knocking will allow the port to remain closed so it doesn't show up in port scans until you knock on the door by touching the right numbered ports in the correct order and SHAZAM !! the port for ssh (or whatever service) is suddenly available for you to login.. It's like installing an electronic combination lock on your system.

more info
http://www.linuxjournal.com/article/6811
http://en.wikipedia.org/wiki/Port_knocking
http://doorman.sourceforge.net/ (knocking program including one for windows)
 
#5, 11-30-2006, 11:29 AM, derxob (Member)
Move SSHD to a different port to prevent automated attacks.

Check out Modify SSH to Maximize Security to learn some simple ways to improve your SSHD security.
 
#6, 12-01-2006, 04:55 AM, unSpawn (Moderator)
Moving a listening port can be considered "security by obscurity". The only reason the foogazi article uses for changing ports is that it thwarts botnet tools but fails to mention that if you scan a port range and combine it with a banner scan you will find the port anyway. The article also doesn't mention using passphrases instead of passwords and limiting exposure through either iptables or hosts.allow (if compiled with -libwrap) if access allows it (as in admin access vs. pub access). It also doesn't mention the tools posted in http://www.linuxquestions.org/questi...d.php?t=340366 (of which DenyHosts is one).


I don't see how Port knocking enhances security. AFAIK it does not use any form of authentication or authorisation, so if no other restrictions are in place then brute-forcing the sequence should give you access to sshd. I'm tempted to call it a form of "security by obscurity" as well.
 
#7, 12-01-2006, 12:48 PM, live_dont_exist (Member)
If you're sure no one's going to login at night why not simply run a cron job which shuts down sshd at 12:00pm midnight? Another cron job could turn it on at 8:00am or whenever you need it.

Also I'd suggest doing:
1.Move Sshd to another port. Reason being it'd probably stop a lot of automated codes which brute force anything running on port 22 if they find it open.

2.True.. A full scan with a version scan will catch Sshd running on port 54657 but its still better than running it on 22. Wastes more attacker time.

3.Harden SSH .. there are loads of guides available.

4.Why allow it over the Internet?? If you have a firewall block it off over the Internet...except for your own home IP maybe...something like...

allow MyIP Linuxserver 22
deny everyone Linuxserver 22

The cron should do the job though if you're sure no one's gonna login to your box or there's no application running which internally uses SSH during the hours when sshd is off.

Cheers
Arvind
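The three mechanisms that came up so far for the night window (cron in posts 1 and 7, the init script rather than kill in post 2, and the allow-my-IP/deny-everyone firewall rule in post 7) combine into one small script. The following is an added example, not code from any post in this thread: instead of stopping sshd, which also locks out the admins post 2 worries about, it drops new SSH connections from everyone except an admin network during the window and keeps the daemon running. Only packets with SYN set are matched, so a session that was already open at 02:00 survives. The port, the admin network, the window hours and the cron path are made-up defaults; with DRY_RUN=1 (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example; not code from the thread or from any project named in it.
# A cron-driven night window for SSH that keeps sshd running and instead
# drops NEW SSH connections from everyone except an admin network during
# the window. Existing sessions are unaffected (only SYN packets match).
# Assumptions, all made up for the example: port, admin network, window hours.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # hypothetical admin source network
WINDOW_START="${WINDOW_START:-2}"          # 02:00 server local time, inclusive
WINDOW_END="${WINDOW_END:-6}"              # 06:00 server local time, exclusive
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print iptables commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# in_window HOUR: exit 0 when HOUR (0-23) lies in [WINDOW_START, WINDOW_END).
in_window() {
    [ "$1" -ge "$WINDOW_START" ] && [ "$1" -lt "$WINDOW_END" ]
}

# The one rule the window toggles, printed so that insert, check and delete
# all use exactly the same match (iptables -D needs an identical rule spec).
blackout_rule() {
    echo "INPUT -p tcp --dport $SSH_PORT --syn ! -s $ADMIN_NET -j DROP"
}

# rule_present RULE: true if the rule is already loaded (iptables -C).
# In dry-run mode nothing is ever loaded, so it always reports "absent".
rule_present() {
    [ "$DRY_RUN" = 1 ] && return 1
    iptables -C $1 2>/dev/null
}

# apply_state HOUR: insert the rule at the top of INPUT inside the window,
# remove it outside. Idempotent, so cron can call it every hour without
# stacking duplicate rules.
apply_state() {
    rule=$(blackout_rule)
    if in_window "$1"; then
        rule_present "$rule" || run iptables -I $rule
    elif rule_present "$rule"; then
        run iptables -D $rule
    fi
}

# Cron entry (hypothetical path):
#   0 * * * * DRY_RUN=0 /usr/local/sbin/ssh-window.sh cron
# cron uses the server's local clock, so "2" and "6" mean server time, not
# the admins' time zone if they are overseas.
if [ "${1:-}" = cron ]; then
    hour=$(date +%H | sed 's/^0\([0-9]\)/\1/')
    apply_state "$hour"
fi
```

If you do prefer to stop the daemon outright, the same cron line can call the init script as post 2 suggests; note that stopping sshd only removes the listener, so sessions already established keep running until they close.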
 
#8, 12-01-2006, 05:18 PM, farslayer (LQ Guru)
Quote:
Originally Posted by unSpawn
I don't see how Port knocking enhances security. AFAIK it does not use any form of authentication or authorisation, so if no other restrictions are in place then brute-forcing the sequence should give you access to sshd. I'm tempted to call it a form of "security by obscurity" as well.

True someone could brute force the sequence, but they would have to think to try.. They would need to know what port they are trying to unlock otherwise how would they know when they hit the combination? and there are how many ports per IP address (65537 UDP ports alone) ? The ASCII character set doesn't provide that many possibilities.. so 65537 ports would make how many sequence combinations ? which would also depend on how many knocks you set your combination for. quite a huge number of possibilities if I set a combination that required knocking on 10 different ports in a specific sequence.

I'm not saying it's a perfect solution but if all your services are 'locked' with port knocking a scan against your machine will show no open ports.. is a cracker really going to bother to continue to go after that machine ? how long would it take to attempt to brute force that knocking sequence ? and there's still a username and password once you get the port open. or would they move on to a softer target. you know some person that has a ton of services running by default and all their ports open.. a true playground..

I don't think that I would agree with calling port knocking security through obscurity.. although I can see your point.
 
#9, 12-02-2006, 06:57 AM, Tortanick (Member)
You could also set the firewall to block all foreign IP addresses from your SSH port. If one of your admins goes on holiday just allow that country for a few weeks.

As for port knocking, it's security through obscurity because not knowing that the ports aren't really closed, and not knowing the combination is what keeps attackers out. However passwords are also security through obscurity and we all know they're useful. Port knocking is a great tool.

Last edited by Tortanick; 12-02-2006 at 07:02 AM.
 
#10, 12-02-2006, 08:21 AM, unSpawn (Moderator)
Quote:
Originally Posted by farslayer
True someone could brute force the sequence, but they would have to think to try.. (..)

But I don't need to think about it if I can use a brute-forcing tool.

Quote:
Originally Posted by farslayer
quite a huge number of possibilities if I set a combination that required knocking on 10 different ports in a specific sequence.

Yes, but people don't like (password) complexity so chances are knock sequences will not be complex too.
Also knocking definitely is overhead since it requires you to do something "extra".


I would really like to see people focus on basic host and network hardening before thinking about "fancy stuff".
 
#11, 12-02-2006, 08:27 AM, unSpawn (Moderator)
Quote:
Originally Posted by Tortanick
However passwords are also security through obscurity
Can you explain why you find using passwords provides a false sense of security?
 
#12, 12-02-2006, 01:16 PM, Tortanick (Member)
I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is but there are exceptions such as passwords and port knocking
 
#13, 12-02-2006, 03:26 PM, unSpawn (Moderator)
Quote:
Originally Posted by Tortanick
I don't, I'm just repeating Linus Torvalds when he says that security through obscurity isn't bad by definition. In practice it usually is but there are exceptions such as passwords and port knocking
I can't see anyone marking using passwords as an example of "security through obscurity" so I'm afraid I have to conclude you're just skewing things out of true.
 
#14, 12-02-2006, 04:10 PM, chort (Senior Member)
I wouldn't consider Port Knocking to be Security by Obscurity. In order to brute force a sequence of just 4 knocks it would require 65537* 65537* 65537* 65537 combinations = 1.84478700E+19!!! At this point you're basically at the level of difficulty on par with breaking encryption algorithms. Can it be done with brute force? Sure, but the number of years required to accomplish it with current computing power and network bandwidth would mean that the system you're trying to crack will be obsolete before you even have a 1% chance of getting in.

My personal definition of SbO is: Any measure that only trivially increases the amount of effort required by a savvy attacker.

Moving a service to a different port isn't going to fool a savvy attacker. They will simply run nmap, or another port scanner against your system and quickly find out that SSH is on a different port. This will generally only take a minute or two, thus it's trivial. The same would be true of something like changing the banner for your Sendmail daemon to say that it was Postfix. Any savvy attacker is going to fingerprint the service (again, nmap) and find out that it's really Sendmail, or they won't even waste time attempting to discover if the MTA is likely to be vulnerable, they'll just run their exploit and find out that it works without even caring how it identified itself.

Port Knocking essentially has similar properties to cryptography, which is far from SbO. Using passwords significantly increases the difficulty over simply guessing a correct username (assuming you have a minimum length of 8 characters and some complexity requirements). Passwords are not SbO, either.
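The disagreement between posts 6, 8, 10 and 14 is easier to settle with the mechanism in front of you. The following is an added example, not code from the thread or from the knock daemons linked in post 4: a minimal knock-daemon state machine fed with "ip port" connection attempts (what a firewall log of dropped SYNs gives you), plus the client side, which is nothing more than connection attempts to closed ports. On the keyspace point: a port number is 16 bits (0-65535, so 65536 values), so an N-knock sequence carries at most 16N bits and four knocks give 2^64, the order of magnitude post 14 computes. The example also shows the limitation post 6 raises: a plain sequence is a static secret sent in clear, so a third host that observed it on the wire replays it and gets the same result, no matter how large the keyspace. The sequence, the addresses and the events are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the thread or from the linked knock daemons.
# A minimal port-knocking state machine over "ip port" connection attempts,
# and the client that sends the knocks. KNOCK_SEQ, the ports and the
# addresses in EVENTS are made up for the example.
KNOCK_SEQ="${KNOCK_SEQ:-7000,8000,9000}"   # hypothetical sequence, in order

# knock_check SEQ < events : prints every source that completes SEQ in order.
# State per source is how many knocks have matched so far; any other port
# resets it, so a port scanner (which hits ports out of order) never finishes.
knock_check() {
    awk -v seq="$1" '
        BEGIN { n = split(seq, want, ",") }
        {
            ip = $1; port = $2
            got = (ip in s) ? s[ip] : 0
            if (port == want[got + 1]) {
                s[ip] = got + 1
                if (s[ip] == n) { print ip; delete s[ip] }   # sequence complete
            } else if (port == want[1]) {
                s[ip] = 1            # wrong port, but it restarts the sequence
            } else {
                delete s[ip]         # anything else resets
            }
        }
    '
}

# knock_send HOST SEQ : the client side is just connection attempts to closed
# ports; -z and -w are the OpenBSD/GNU netcat flags (assumed available).
knock_send() {
    host=$1
    for p in $(echo "$2" | tr ',' ' '); do
        nc -z -w 1 "$host" "$p" 2>/dev/null || :   # failure is expected, the port is closed
        sleep 1
    done
}

# Constructed connection attempts: a scanner (198.51.100.23) that also stumbles
# onto part of the sequence, the admin (203.0.113.10), and an eavesdropper
# (192.0.2.77) replaying exactly what the admin sent.
EVENTS='198.51.100.23 22
198.51.100.23 80
198.51.100.23 7000
198.51.100.23 8000
198.51.100.23 8080
198.51.100.23 9000
203.0.113.10 7000
203.0.113.10 8000
203.0.113.10 9000
192.0.2.77 7000
192.0.2.77 8000
192.0.2.77 9000'

# demo_knock: which sources would the daemon open the port for?
# The scanner never completes the sequence; the admin does, and so does the
# eavesdropper, because nothing in a plain knock is tied to the sender.
demo_knock() { printf '%s\n' "$EVENTS" | knock_check "$KNOCK_SEQ"; }
```

In a real deployment `knock_check` would read the firewall's log of dropped SYNs and the successful source would get a temporary ACCEPT rule for the SSH port. The replay problem is why later designs moved to single-packet authorization, where the "knock" is an authenticated, non-reusable message rather than a fixed port sequence; that is also the answer to post 6's objection that knocking carries no authentication of its own.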
 
  

