[SlugLUG] War Stories

Rick Moen rick at linuxmafia.com
Mon Jun 12 09:36:18 PDT 2006


Quoting Erich Blume (eblume at ucsc.edu):

> So, I had a -lot- of fun earlier today reading through my logfiles. It turns
> out yesterday I was the subject of a massive brute-force attempt to break in
> to my system.

Welcome to the Internet. ;->

> Firstly, how can I set up sshd to shut out an IP temporarily after say, six
> failed logins? 

There are a bunch of implementations, e.g., using the hashlimit module in
iptables:  http://www.tummy.com/journals/entries/jafo_20050716_152920

Personally, I don't bother, because my system enforces strong passwords
on its users, and the attacker has to have those plus the usernames
right.  I worry a lot more about my users' security tokens getting stolen on
compromised hosts elsewhere, where they expose those tokens to the bad
guys.

That's
(http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html)
what happened a few years back at an unnamed Linux firm where an idiot
sysadmin sshed out from the crown-jewels corporate network into a public
shell server (**COUGH**shells.sourceforge.net**COUGH**) and sshed or
scped back _into_ that same corporate network -- thereby giving the bad
guys his/her corporate-access tokens, because the shell server's ssh
client had been trojaned.

The IT department's head was clueless about the resulting total failure
of LAN security and probable compromise of the company's entire
computing environment until the kiddie showed up on the internal IRC
server, taunting him.

> Secondly, how can I set up my logger (metalog) to email me (at
> eblume at ucsc.edu) when a lot of this bad stuff starts happening?

By reading the metalog docs.  ;->  (Metalog looks nice, but I wouldn't
call it a commonly used piece of software.)  

In http://metalog.sourceforge.net/README, I see:

  A section defines several things :
  [...]
  - Actions : they are taken only when all previous conditions are met.
    Only two actions are currently possible : write the message to a log
    file, and/or launch an external script.
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
I suspect you're going to make friends with bash programming and the
formail utility.

> Thirdly, any other suggestions?

If you're that concerned, maybe you should be running a file-based IDS?
http://linuxgazette.net/issue98/moen.html


> On this note, though: I've noticed something that seemed like a very good
> idea. This might be really obvious and common practice, but I figured it out
> on my own, and I'd like to put this to you RFC. See, I set my system
> password to something like a twenty-digit random sequence. I don't remember
> it, the idea is that it's a scrambled password. I have sudo set up to let
> people in wheel have root access, though. Is this a bad idea? Am I in
> trouble, doing that?

No, that's one possible standard system regimen.  The thing is, you're
ahead of the game already in the sense that you're developing a
conscious security policy in response to your ponderings about threat
models.  Consider what threats are worth worrying about and to what
extent, analyse your computing behaviour and software to identify risks,
and then implement policies to cope with and minimise those threats.

I will also immodestly point out:
http://security.itworld.com/4352/LWD000829hacking/pfindex.html
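A defender-side illustration of the "six failed logins" threshold raised in the question, added here and not part of the original thread: it walks sshd "Failed password" lines (constructed sample data, not real logs) with a sliding time window and reports the source addresses that cross the threshold, leaving the actual blocking to the iptables recipe linked above. The log format, the 600-second window and the year used for the timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in classic syslog/sshd format (not real log data).
SAMPLE_LOG = """\
Jun 11 03:14:22 box sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Jun 11 03:14:25 box sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Jun 11 03:14:29 box sshd[2214]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jun 11 03:14:33 box sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 4024 ssh2
Jun 11 03:14:40 box sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 4025 ssh2
Jun 11 03:15:01 box sshd[2217]: Accepted publickey for erich from 198.51.100.20 port 51022 ssh2
Jun 11 03:15:02 box sshd[2218]: Failed password for invalid user guest from 203.0.113.7 port 4026 ssh2
Jun 11 03:20:10 box sshd[2230]: Failed password for erich from 198.51.100.20 port 51030 ssh2
Jun 11 03:20:14 box sshd[2231]: Failed password for erich from 198.51.100.20 port 51031 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_ts(stamp, year=2006):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def offenders(lines, threshold=6, window_seconds=600):
    """Return {ip: time_of_threshold_hit} for every source IP that logged
    at least `threshold` failed passwords inside one `window_seconds` window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # first moment the threshold was crossed
    return flagged
```

A metalog external script could feed the matching lines to such a filter and mail the result with formail; the same sliding-window logic is what an iptables hashlimit rule approximates in the kernel.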
