On Wed, Nov 15, 2006 at 12:34:48PM -0500, Michael Velez wrote:
That is, sshd appears to log the connection with GMT (or UCT) before the child sshd logs it with local time.
A hard link between /var/empty/sshd/etc/localtime to /etc/localtime changes the timestamp, although two messages still get reported.
This corrected the time issue. I can live with the double-reporting.
Thanks!
I have a file server that has ssh on a public IP. We've been using SCP/FTPS over ssh to get to the server, but since it's sshd the users can see the entire file system.
The problem is that the drive mount everyone needs to get to is outside of their home dir. Is their anyway I can setup chroot through sshd?
Or is it just a silly pursuit and I should just setup a proper FTPS server?
Thanks
On 15/11/06, Brian Marshall brian@smiz.biz wrote:
I have a file server that has ssh on a public IP. We've been using SCP/FTPS over ssh to get to the server, but since it's sshd the users can see the entire file system.
The problem is that the drive mount everyone needs to get to is outside of their home dir. Is their anyway I can setup chroot through sshd?
Or is it just a silly pursuit and I should just setup a proper FTPS server?
You can chroot SFTP/SCP specifically using rssh.
http://www.pizzashack.org/rssh/
There are numerous tutorials and how-tos on out there chrooting actual shells too.
Will.
--- Brian Marshall brian@smiz.biz wrote:
I have a file server that has ssh on a public IP. We've been using SCP/FTPS over ssh to get to the server, but since it's sshd the users can see the entire file system.
The problem is that the drive mount everyone needs to get to is outside of their home dir. Is their anyway I can setup chroot through sshd?
Or is it just a silly pursuit and I should just setup a proper FTPS server?
You can setup a chrooted ssh without any problem and another ssh outside the chroot for administration, but you'll need to run each one on a different port (or see the suggestions about running two ssh daemons on the same machine before on the list).
Gabriel
Thanks
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Send instant messages to your online friends http://uk.messenger.yahoo.com
I have a file server that has ssh on a public IP. We've been using SCP/FTPS over ssh to get to the server, but since it's sshd the users can see the entire file system.
I have a yum repository at http://tcs.uj.edu.pl/~buildcentos/ which includes the centos ssh rebuilt with a tiny patch which makes sshd chroot on login if it sees a /./ in the users home directory.
ie. setting a users home directory to /home/user/./home/user makes the sshd chroot into /home/user for the session. For this to be usable the /home/user chroot directory requires some basic libs, a shell, possibly /etc/passwd and /etc/shells maybe some others.
As an example I have: [root@gaia ~]# cat /etc/passwd | grep jail jail:x:1000:1000:Jail SSH Port Forwarding Receiver:/home/jail/./:/sbin/nologin [root@gaia ~]# ls -laR /home/jail /home/jail: total 56 drwx------ 6 jail jail 4096 Jul 4 23:55 . drwxr-xr-x 8 root root 4096 Jul 25 00:22 .. drwxr-xr-x 2 jail jail 4096 Jun 5 00:52 etc drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 lib -rw-r--r-- 1 jail jail 319 Jul 4 23:55 nologin.c drwxr-xr-x 2 jail jail 4096 Jul 4 23:55 sbin drwx------ 2 jail jail 4096 Jun 5 01:27 .ssh
/home/jail/etc: total 24 drwxr-xr-x 2 jail jail 4096 Jun 5 00:52 . drwx------ 6 jail jail 4096 Jul 4 23:55 .. -rw-r--r-- 1 jail jail 55 Jun 5 00:53 passwd
/home/jail/lib: total 140 drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 . drwx------ 6 jail jail 4096 Jul 4 23:55 .. -rwxr-xr-x 1 jail jail 106397 Mar 8 2006 ld-2.3.4.so lrwxrwxrwx 1 jail jail 11 Jun 5 00:47 ld-linux.so.2 -> ld-2.3.4.so drwxr-xr-x 2 jail jail 4096 Jun 5 00:48 tls
/home/jail/lib/tls: total 1452 drwxr-xr-x 2 jail jail 4096 Jun 5 00:48 . drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 .. -rwxr-xr-x 1 jail jail 1454546 Mar 8 2006 libc-2.3.4.so lrwxrwxrwx 1 jail jail 13 Jun 5 00:48 libc.so.6 -> libc-2.3.4.so
/home/jail/sbin: total 28 drwxr-xr-x 2 jail jail 4096 Jul 4 23:55 . drwx------ 6 jail jail 4096 Jul 4 23:55 .. -rwxr-xr-x 1 jail jail 4957 Jul 4 23:55 nologin
/home/jail/.ssh: total 24 drwx------ 2 jail jail 4096 Jun 5 01:27 . drwx------ 6 jail jail 4096 Jul 4 23:55 .. -rw-r--r-- 1 jail jail 2828 Jul 24 03:34 authorized_keys [root@gaia ~]# cat /home/jail/etc/passwd jail:x:1000:1000:Jail user:/home/jail/./:/sbin/nologin [root@gaia ~]# cat /home/jail/.ssh/authorized_keys command="/sbin/nologin",permitopen="x.x.x.x:22",no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPBOE...7HgvH7w== maze@athena [root@gaia ~]# cat /home/jail/nologin.c #include <stdio.h> #include <time.h>
int main (void) { fprintf(stderr, "Infinite loop shell initialized...\r\n"); for (;;) { static struct timespec ts; ts.tv_sec = 86400; ts.tv_nsec = 0; nanosleep(&ts, &ts); }; return 0; };
What is perhaps not obvious is that the above allows the 'jail' user to login remotely with an ssh key getting a no-op infinite loop shell, which only permits port forwarding to the ssh port (which is not used) - but more importantly allows reverse port forwarding on any port.
I use this to allow dynamic ip'ed clients (laptops and the like) to always be accessible (for maintenance) at a static port (ie like an ssh daemon on a different port) on my server.
Use as you see fit...
Maciej
On Wednesday 15 November 2006 19:14, Maciej Zenczykowski wrote:
I have a yum repository at http://tcs.uj.edu.pl/~buildcentos/ which includes the centos ssh rebuilt with a tiny patch which makes sshd chroot on login if it sees a /./ in the users home directory.
This is especially nice as a solution for securing ftp/sftp access because you can allow ftp chroots the using the same /./ in the passwd file through vsftpd (although vsftpd doesn't require libs in the chroot, so it's not a "true" chroot).
I assume you are using the chrootssh (http://chrootssh.sourceforge.net) project's patch (as that's the name of the directory the rpms are in), which is worth mentioning for the security conscious people out there who might want to know how this was implemented.
Brian Marshall wrote:
I have a file server that has ssh on a public IP. We've been using SCP/FTPS over ssh to get to the server, but since it's sshd the users can see the entire file system.
The problem is that the drive mount everyone needs to get to is outside of their home dir. Is their anyway I can setup chroot through sshd?
Or is it just a silly pursuit and I should just setup a proper FTPS server?
It's doable, however actual implementation depends on how your users are accessing the server. Some of the possible options:
You could run chrooted sshd on different port.
You could use forced command option if they can only authenticate via RSA keys (which will throw them into jail and than execute either scp or sftp).
You could change the login shell so that it throws them into jail, and than executes the real shell.
Either of the above will work.
Hi All,
So I have a series of funny guys that are constantly trying to brute force my FTP server. They are always in China, India or Japan, of course.
Unfortunately my clients do exchange emails with some people in China and Japan so I can't just block off the entire region (as much as I'd love to).
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
Thanks
You could try something like this:
http://freshmeat.net/projects/blocksshd/
From there readme:
BlockSSHD is a Perl script based on BruteForceBlocker v1.2.3 that dynamically adds IPTables rules for Linux and pf firewall rules for BSD that block SSH brute force attacks. It can also detect ProFTPd login failures.
Cheers, Mike
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Brian Marshall Sent: November 16, 2006 12:10 PM To: CentOS mailing list Subject: [CentOS] Re: IPTables Blocking Brute Forcers
Hi All,
So I have a series of funny guys that are constantly trying to brute force my FTP server. They are always in China, India or Japan, of course.
Unfortunately my clients do exchange emails with some people in China and Japan so I can't just block off the entire region (as much as I'd love to).
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
Thanks
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Sweeeet!
I'll give it a shot.
Thanks Mike.
From: mike.redan@bell.ca Reply-To: CentOS mailing list centos@centos.org Date: Thu, 16 Nov 2006 12:18:00 -0500 To: centos@centos.org Conversation: [CentOS] Re: IPTables Blocking Brute Forcers Subject: RE: [CentOS] Re: IPTables Blocking Brute Forcers
You could try something like this:
http://freshmeat.net/projects/blocksshd/
From there readme:
BlockSSHD is a Perl script based on BruteForceBlocker v1.2.3 that dynamically adds IPTables rules for Linux and pf firewall rules for BSD that block SSH brute force attacks. It can also detect ProFTPd login failures.
Cheers, Mike
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Brian Marshall Sent: November 16, 2006 12:10 PM To: CentOS mailing list Subject: [CentOS] Re: IPTables Blocking Brute Forcers
Hi All,
So I have a series of funny guys that are constantly trying to brute force my FTP server. They are always in China, India or Japan, of course.
Unfortunately my clients do exchange emails with some people in China and Japan so I can't just block off the entire region (as much as I'd love to).
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
Thanks
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I personally prefer fail2ban: http://fail2ban.sourceforge.net/
http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/ http://beranger.org/index.php?article=1307
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
shorewall.net has features that will limit connection rates.
On Thursday 16 November 2006 12:10 pm, Brian Marshall wrote: [snip]
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
You can use IPTables to limit the rate of connections. I allow only 2 connections from a given IP address within each 3 minute period.
That allows for a quick retry when I mis-type the password, but makes for a very sloooooooow brute force attack. Most script kiddies aren't willing to put in that kind of time on a single target. I hardly ever see more than 2 attempts to crack my box now.
On 17/11/06, Steve Snyder swsnyder@insightbb.com wrote:
On Thursday 16 November 2006 12:10 pm, Brian Marshall wrote: [snip]
Does anyone have suggestions on how I can script IPTables or put some other security measure in place that could detect brute-forcing and reject from their IP?
You can use IPTables to limit the rate of connections. I allow only 2 connections from a given IP address within each 3 minute period.
That allows for a quick retry when I mis-type the password, but makes for a very sloooooooow brute force attack. Most script kiddies aren't willing to put in that kind of time on a single target. I hardly ever see more than 2 attempts to crack my box now.
I know this is sloppy and lazy but can you post your iptables line that does this?
On 07:09, Fri 17 Nov 06, Sudev Barar wrote:
You can use IPTables to limit the rate of connections. I allow only 2 connections from a given IP address within each 3 minute period.
I know this is sloppy and lazy but can you post your iptables line that does this?
Something like:
# Don't have a limit on my_trusted_domain iptables -A INPUT -p tcp -s my_trusted_domain.org --dport 22 -j ACCEPT
# Don't have a limit the internal net iptables -A INPUT -p tcp -s internal_net --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Search iptables manual page for limit :).
Sarunas
-
Aleksandar Milivojevic -
Brian Marshall -
David Mackintosh -
first last -
John Thomas -
Kevan Benson -
Maciej Zenczykowski -
mike.redan@bell.ca -
Radu-Cristian FOTESCU -
Sarunas Vancevicius -
Steve Snyder -
Sudev Barar -
Will McDonald