LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 06-15-2009, 09:38 PM   #16
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546

Quote:
I went about making a little bash script to give me my temp/fan information instead.
Would conky be a nice solution? I use conky to display fan speeds, temps, etc.

Quote:
I discovered that Ksysguard no longer worked for me either
Hmm. I don't have Seamonkey installed and KSysguard is working fine here.
 
Old 06-16-2009, 02:23 AM   #17
Dinithion
Member
 
Registered: Oct 2007
Location: Norway
Distribution: Slackware 14.1
Posts: 446

Rep: Reputation: 59
I have some (not much) experience in fail2ban. Essentially it's the same as the iptables filter given by Ilgar. The main advantage I can see is that fail2ban can be configured to unban after a given amount of time. That way you won't lock your self out permanently if you're unlucky/clumsy. Fail2ban can be used on other service then ssh aswell. (i.e. apache, ftp etc).

Another way of securing ssh (Or other ports) is port knocking. There is a slackbuild for it here. It gives you an increased security, the intruder has to send 65535^4 packets to detect an open port. Then the brute forcing starts afterwards.

The disadvantage is of course that it is an extra action you have to perform to connect, i personally think it's not worth the trouble. Perhaps I should. Wikipedia also says that the knock daemon can die once in a while, in that case you won't be able to connect at all. Some knock daemons check for this restarts the daemon.
 
Old 06-16-2009, 10:44 AM   #18
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Rep: Reputation: 31
+1 for Fail2ban. Works wonders keeping script kiddies from trying to brute force their way into my ftp server. Also, changing your ssh port to something other than default is also an excellent idea. I run my sshd on port 9000.

I use to actually hunt down attackers by their ip address and report them to their ISP, but since the majority of attacks originate out of China or Russia, it is a waste of time to do that.

Last edited by Biggen; 06-16-2009 at 10:55 AM.
 
Old 06-16-2009, 03:01 PM   #19
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
Another vote for Fail2ban here.
Also take a look at Denyhosts. I have used that one in the past and was very impressed with it.

Using both of these i cut my attack logs from 98000 lines in a couple hours to around 300.
 
Old 06-17-2009, 08:19 PM   #20
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Hi All,

Well after taking into account all of the excellent advice offered on this topic, I have now resolved my KSystemGuard processtable problem, and (hopefully ... will be watching closely) secured the ssh daemon.


What I have done:

1. After running 'swaret --dep' on my system, I determined that for some reason the lm_sensors was missing a dependency (maybe from removing previously mentioned Seamonkey Browser) ... I resolved this by reinstalling lm_sensors-2.10.6-i486-1.tgz package and re-running 'ldconfig' on the system.

2. I altered my Router NAT forwarded port 22 that was open for ssh, and have now NAT opened a >1000 port instead.

3. Editing of /etc/ssh/sshd_config: After backing up original file, I altered it so that:
a.) The Default Port is now changed from 22, to the new NAT forwarded port.
b.) Ensured that Protocol 2 is in use.
c.) Altered 'PermitRootLogin' variable to: no

4. I do not have a /etc/rc.d/rc.firewall file to add Ilgar's script to, so instead I installed the slackware package of Fail2Ban.

5. Chmod'ed +x /etc/rc.d/rc.fail2ban & ../rc.sshd

6. Started fail2ban daemon and ssh daemon.

7. Via LAN, attempted to ssh into server as root ... DENIED (Good).

8. Via LAN, attempted to login as [user-account] ... DENIED (Hmmm, that's not right).

9. Read about ssh options ....

10. Re-attempted to log into server as [user-account] with console string:
ssh <servername> -l <user-account> -p <assigned-port>

System allowed me to log in as [user-account], and then I was able to 'su' to root within the remote ssh terminal (Good).

11. Strengthened both 'root' and 'user-account' passwords using a combination of letters, numbers & punctuation.



I will be keeping an eye on the system log over the coming days to see whether I receive any more ssh attacks on my system.


Two small questions...

1. If I want to use Ilgar's connection limiting script, could I just create a new file /etc/rc.d/rc.firewall, and insert the contents of the script into it? ... or do I need to get a rc.firewall file from somewhere, then add the script content into that existing file?
(not sure why I don't have an rc.firewall file .. what package supplies it?).

2. Why does the remote LAN system now require that I have to input my modified port number?, and not just connect on the Server modified Default Port? (If I try to remotely ssh into the Server without specifying the actual new port, it attempts to connect on old port 22 ?, then is connection refused... shown here:
Quote:
### Remote ssh attempt without specific port statement:
root@Crazed-Weasel:~# ssh server
ssh: connect to host server port 22: Connection refused
root@Crazed-Weasel:~#
Ideas? , I'll look forward to your responses about these two questions.


I would like to wholeheartedly express my gratitude to every member of the forum that has contributed to this post ... Thank You!


Kind Regards

Last edited by orbit; 06-17-2009 at 08:42 PM.
 
Old 06-17-2009, 09:57 PM   #21
escaflown
Member
 
Registered: Apr 2009
Location: Canada
Distribution: Slackware
Posts: 238

Rep: Reputation: 31
Quote:
Originally Posted by orbit View Post
Hi All,
1. If I want to use Ilgar's connection limiting script, could I just create a new file /etc/rc.d/rc.firewall, and insert the contents of the script into it? ... or do I need to get a rc.firewall file from somewhere, then add the script content into that existing file?
(not sure why I don't have an rc.firewall file .. what package supplies it?).
You can get the rc.firewall script from here and optionally add some personal tweaks. Once you get the rc.firewall script just put it in /etc/rc.d/ and do a chown root:root and chmod 711. That's it: simplicity of Slackware ...
 
Old 06-18-2009, 12:13 AM   #22
C-Sniper
Member
 
Registered: Dec 2006
Distribution: Slackware
Posts: 507

Rep: Reputation: 33
Quote:
Originally Posted by orbit View Post
2. Why does the remote LAN system now require that I have to input my modified port number?, and not just connect on the Server modified Default Port? (If I try to remotely ssh into the Server without specifying the actual new port, it attempts to connect on old port 22 ?, then is connection refused... shown here:
Kind Regards
You could set the ssh_config to use your port as the default instead of the usual port 22.

The only downside is that you would have to remember this for future use.

-Or-

You could create a script that executes the commands for you so all you have to do is say ./<ssh connect script>


I think that all the script would have to be is
Code:
#!/bin/sh

#Connect to server with credentials

ssh <ip> -p <port> -l <username>

#end script
 
Old 06-18-2009, 01:45 AM   #23
Dinithion
Member
 
Registered: Oct 2007
Location: Norway
Distribution: Slackware 14.1
Posts: 446

Rep: Reputation: 59
Quote:
Originally Posted by orbit View Post
Hi All,
2. Why does the remote LAN system now require that I have to input my modified port number?, and not just connect on the Server modified Default Port? (If I try to remotely ssh into the Server without specifying the actual new port, it attempts to connect on old port 22 ?, then is connection refused... shown here:
That was why you changed the default port in the first place, right? If you use the standard port (22), you can connect directly. So can anyone on the Internet. They connect randomly and check if port 22 is listening for connections on every host on the Internet (Not the same person, but every computer will be checked by someone sooner or later). If it listens for connections, they start attacking you.

One solution was to change the default port to something else. That way, when they try to connect to port 22 they wont see anything and move to the next host on their list. A port scan of your computer will show that port 1000 (Or whatever sshd_config says) is listening for connections. A quick connection with telnet to that port will easily show it's listening for ssh. But every computer got 65535 ports to check, so to check all these ports will be a huge task (And it will be detected as abuse by their ISP). Therefor they usually only connect to the standard ports.

Your computer can't magically know that your server is listening on port 1000 instead of 22. Therefor you need to tell your client what port to connect. Did that make any sense?

If this is the only ssh server you connect to, you could make a simple solution with an alias:

alias ssh='ssh -p 1000'

Then it will try to connect to port 1000 instead of 22 for every ssh connection you will make. This will have to be in ~/.bashrc on every client computer you are using to connect to your ssh server.

Last edited by Dinithion; 06-18-2009 at 01:53 AM. Reason: There was some really bad english in there.. (Probably still some ;P)
 
Old 06-18-2009, 07:10 AM   #24
Ilgar
Senior Member
 
Registered: Jan 2005
Location: Istanbul, Turkey
Distribution: Slackware64 14.2, Slackwarearm-current
Posts: 1,035

Rep: Reputation: 149Reputation: 149
Quote:
Originally Posted by orbit View Post
1. If I want to use Ilgar's connection limiting script, could I just create a new file /etc/rc.d/rc.firewall, and insert the contents of the script into it?
Exactly, that's what I did. You may also need to make it executable (sorry I'm out of town, away from my computer, I can't check how I set it up).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh: connection to host port: 22: Connection timed out lost connection cucolin@ Linux - Server 4 11-22-2011 06:15 AM
'remote connection' window.. am i being hacked? logicalfuzz Linux - Security 1 11-12-2005 12:59 AM
KDE Sysguard: Connection to localhost has been lost! manjusura Linux - Newbie 0 02-19-2004 01:46 PM
lp filename yields "cannot open connection to localhost - Connection refused" jjge Linux - General 3 12-28-2003 11:02 PM
lost localhost keithturner Linux - Newbie 2 01-29-2003 10:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 06:00 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration