[CentOS] an actual hacked machine, in a preserved state

Nataraj incoming-centos at rjl.com
Tue Jan 3 08:50:08 UTC 2012


On 01/02/2012 10:48 PM, Bennett Haselton wrote:
>
> True but I travel a lot and sometimes need to connect to the machines 
> from subnets that I don't know about in advance.
You could secure another system somewhere on the internet (could be a
$20/month virtual host), leave no pointers to your production systems on
that system, and allow remote logins on your production systems from
that other host.  It's called a back door.  You could also take a look
at something like fwknop.  That in combination with some type of back
door for the situation where you don't have your keys available should
cover any situation where you need to get to your system.  But access
using the key authentication should be preferred and only use the back
door for emergencies.
> If I used openvpn to connect, and then connected via ssh over openvpn, 
> this seems like essentially security through obscurity :) by just 
> replacing the public ssh daemon with a different public daemon (with a 
> different connection protocol) which an attacker could try to 
> brute-force the same way they could try to brute-force sshd.
Pretty much all security is based on something that you know/have that
the attacker doesn't know/have. This is true for computer access, the
locks on your front door and the safe at the bank.  What you're getting
from the people on this list is their experience, comments based on what
they did that worked and what they did that didn't.  Check the past 10
years of cert advisories and count the number of security advisories for
sshd and then count the number for openvpn.
> However it still seems that this would only matter if the attacker got 
> in by brute-forcing the login.  If they obtained the ability to run 
> privileged commands any other way, then (1) they could continue to run 
> privileged commands that way anyway, or (2) as their first action they 
> could just remove all the IP address restrictions on ssh connections at 
> which point they could connect normally via ssh from anywhere.
The more security mechanisms you have in place, the greater is the
probability that even if they made a partial compromise of your system,
they might fail when they try to get through to the next level and if
you have warning systems, such as daily reports or even alerts sent to
your cell phone, you might be able to stop them first.
> So if this only matters when the attacker is trying to brute-force the 
> login, and I still think that a 12-character random password is 
> un-bruteforceable which makes the IP restrictions moot.
Experience has shown that passwords can be cracked much more easily than
private/public keys.  You're the one telling us that your system has been
compromised.  Others sharing this fact may not have their systems
compromised, or if they did, they learned from it.
> If I'm wrong, then why?  What do you think -- if my password is already 
> a 12-character random string, do think it adds additional security to 
> restrict ssh logins to only subnets that I'm logging in from?  If so, 
> then what's a specific scenario where the attacker would be able to 
> break in (or would have a larger chance of breaking in) if I'm not 
> restricting ssh logins by IP, but would not be able to break in if I 
> were restricting ssh logins?
That's a straight probability calculation.  How many billion systems are
on the Internet?  If I allow logins from even 100,000 systems versus
several billion, I've substantially reduced the probability of a
successful brute force attack.

I have had problems with password guessing attacks on my pop and ftp
servers (my ssh port is totally closed).
Since I'm providing services to users, I can't just close those ports. 
I've been running fail2ban now for some time and it has helped, but I
wanted to further reduce having even a handful of guesses.  I discovered
that the majority of attacks are coming from Asia, Russia, eastern
Europe, South America and the middle east.  Well I don't have any ftp
users in those areas, so I blocked access to these countries and in fact
now only allow access from regions where I have users.  Things have been
pretty darn quiet since I did that.

By allowing access from only a handful of systems that you might be
familiar with, you probably won't have bot attacks.

Nataraj
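As an added example (not part of the thread or of any CentOS tool), here is the kind of daily-report check the reply above suggests: a short Python script that parses constructed sshd lines in the /var/log/secure format and flags logins from outside an assumed allowlist made up of the "back door" jump host and one subnet the administrator logs in from.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of CentOS /var/log/secure lines (not taken from the thread).
SAMPLE_LOG = """\
Jan  3 08:12:01 host sshd[2101]: Accepted publickey for admin from 203.0.113.10 port 51022 ssh2
Jan  3 08:14:37 host sshd[2140]: Failed password for root from 198.51.100.77 port 4022 ssh2
Jan  3 08:14:39 host sshd[2140]: Failed password for root from 198.51.100.77 port 4022 ssh2
Jan  3 08:20:05 host sshd[2188]: Accepted password for admin from 192.0.2.55 port 40110 ssh2
Jan  3 08:31:12 host sshd[2210]: Failed password for invalid user oracle from 198.51.100.9 port 3311 ssh2
Jan  3 09:02:44 host sshd[2301]: Accepted password for admin from 198.51.100.200 port 2200 ssh2
"""

# Hypothetical allowlist: the "back door" jump host (/32) plus one subnet you log in from.
ALLOWED_SOURCES = ["203.0.113.10/32", "192.0.2.0/24"]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def parse_sshd_log(text):
    """Return one dict per Accepted/Failed sshd line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["ip"] = ipaddress.ip_address(d["ip"])
            events.append(d)
    return events

def is_allowed(ip, networks):
    return any(ip in net for net in networks)

def daily_report(text, allowed_cidrs):
    """Summarise logins that came from outside the allowed subnets."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    events = parse_sshd_log(text)
    outside = [e for e in events if not is_allowed(e["ip"], networks)]
    return {
        "total": len(events),
        # Successful logins from unexpected sources: the alert-worthy case.
        "accepted_outside": [(e["user"], str(e["ip"])) for e in outside if e["result"] == "Accepted"],
        # Guessing attempts per source, the kind of count fail2ban acts on.
        "failed_outside_by_ip": Counter(str(e["ip"]) for e in outside if e["result"] == "Failed"),
    }
```

Run it against the real log with the allowlist you actually use; a non-empty `accepted_outside` is the case worth paging yourself about.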
