Slackware Server On The Internet.

Cesare · 06-30-2014, 03:51 PM

A command like this:

Code:

ssh -l "hokus pokus 0.0.0.0/0" myhost.com

will result in a log entry like this:

Code:

Jun 30 22:06:12 myhost sshd[10140]: Invalid user hokus pokus 0.0.0.0/0 from 192.168.23.42

When awk then reads column #5 it gets 0.0.0.0/0 instead of the actual IP and the resulting iptables rule will drop all traffic from every IP.

The iplist seems to be permanent, so if this happens on a remote system where ssh is your only means of access, if the cron job runs frequently enough you're very likely completely locked out.

Don't let this discourage you from developing your own implementation of the "fail2ban" idea. But be very, very careful when handling any sort of user provided input (see xkcd).

eloi · 06-30-2014, 05:13 PM

Quote:

Originally Posted by Cesare

A command like this:

Code:

ssh -l "hokus pokus 0.0.0.0/0" myhost.com

will result in a log entry like this:

Code:

Jun 30 22:06:12 myhost sshd[10140]: Invalid user hokus pokus 0.0.0.0/0 from 192.168.23.42

When awk then reads column #5 it gets 0.0.0.0/0 instead of the actual IP and the resulting iptables rule will drop all traffic from every IP.

The iplist seems to be permanent, so if this happens on a remote system where ssh is your only means of access, if the cron job runs frequently enough you're very likely completely locked out.

Don't let this discourage you from developing your own implementation of the "fail2ban" idea. But be very, very careful when handling any sort of user provided input (see xkcd).

Well that's ingenious except for you must know the script to come up with that trick. What if I change '{ print $5 }' for '{ print $NF }'? This is the principal advantage of using your own scripts instead of a public source like falibar of funny2bar or whatever you're selling me.

Jokes doesn't offend me but the next time put "for fun" by title, please, so we laugh together.

ttk · 07-03-2014, 03:30 PM

There are folks who find and exploit such vulnerabilities for fun. They are mostly the same people who fiddle with SQL injection attacks. They're accustomed to not knowing how the back-end script is written, but have learned what common mistakes many developers make when coming up with their own ad hoc security solutions.

At a NBLUG meeting last year, I watched a demonstration illustrating some ways you could get a commodity home DSL modem to run arbitrary shell commands via form content injection tricks on its web-GUI administrative interface. It was obvious that the guy really relished his craft.

I don't know how many folks like him are out there, or if any of them might decide to poke at your server's security, but would you want to take that risk?

eloi · 07-08-2014, 12:30 PM

And you avoid the risk of learning yourself how to secure your system downloading some software that someone in some forum told you is good and installing it.

ttk · 07-09-2014, 12:03 AM

Quote:

Originally Posted by eloi

And you avoid the risk of learning yourself how to secure your system downloading some software that someone in some forum told you is good and installing it.

Not at all. It's good to learn skills. Everyone starts as a beginner. But as a beginner, you are better off working on a team of more-experienced developers and administrators who can point out mistakes as you make them, and teach you best practices.

You can learn by filling your internet-facing server with amateurish solutions and watching it burn, but it's not the best idea.