Lions and Tigers and h4x0rZ OH MY!

UNIX

What do Romania, France, North Korea, South Korea, China, Czechoslovakia and Bulgaria have in common? Simple, they're all countries that show up in my SSH Access Blacklist Table.

Why am I talking about this? My place of work got h4x0r3d yesterday (our Nessus security scanning server -- how's that for irony?). I will preface this by saying that **I** did not set up the aforementioned server (and thus my "Incredibly Unhacked" record is untarnished).

I'm not particularly upset by this. Irritated yes (especially with myself -- I never read those stupid "You last logged in from [x] at [y] O'clock" messages (nobody does)), but upset no. The poor guy who set up the Nessus box however, looked like he wanted to cry. And the look on his face when he told me was kinda sad - he's probably not reading this but if you are - don't worry about it. Machines get hacked, we post-mortem them and move on. Even I'm not perfect (my record notwithstanding) and I've found some HUGE security flaws on my systems over the years - I've just had good luck at finding them before other people do.

We got hacked because the machine has SSH open to the world. That's not a bad thing in and of itself -- flexo.bsd-box.net (the server this blog lives on) has SSH open to the world. In hindsight, since there are a LOT of machines and nobody to check up on each one every day, SSH should probably have been restricted to our "Border SSH Machine" (the one host that is SUPPOSED to have SSH wide open, and is carefully monitored), but this is only a symptom, not the Real Problem.

By the By, our head CISCO guy (and head of network security) ran scans from this server, logging in from random places, AS ROOT. He should have known better and locked down the access (instead of using it), but that's neither here nor there...

The Real problem is SSH was configured to allow root logins in the first place. Not JUST root logins, Root logins using a regular old UNIX Password. And SSH being less-than-smart will happily let you keep reconnecting and trying passwords until you get it right! (It took our friend over 20,000 password attempts to get root on the Nessus box)

I have no problem with allowing root logins -- actually I have a HUGE problem with it but for practical reasons you can't just say "No remote Root logins" -- BUT the system should only allow Root to log in with an "appropriately huge" (2048 bit) Public Key authentication, and it HELPS if you can secure the access list for SSH to something more reasonable than "Everyone in the universe".

Now of course using keys for root doesn't solve the problem of J. Random Hacker breaking in as a regular user -- Even if you disable Root logins they can still hack user accounts, and insisting all your users use 2048 Bit SSH Keys is somewhat unreasonable (it's hard enough getting them to use SSH and SFTP), so how do you deal with the jackasses trying to Brute Force their way in? My SSH Log rolls a few times every day because it gets over 100KB in size (that's a LOT of failed auth attempts!), surely someone will eventually persist at this game long enough to brute force even the most lengthy and random passwords, right?

Well, I deal with them by using a little script, customized for FreeBSD and Security-Nazi-ism. Basically what it does is watch the SSH Authentication log, and after 4 failed password attempts (or 4 invalid usernames) it assumes that you are trying to hack my machine and adds you to a blacklist for a year (or until I manually remove you after you call me and explain how you mistyped your username four times in 10 minutes, which will of course require me to make merciless fun of you and shame you into remembering your login ID).

For everyone's enlightenment, the gory details are below.
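The counting rule described above (4 failed passwords or 4 invalid usernames from one address, then a year on the blacklist), sketched as an added example; this is not the author's script, which is not shown on this page. The OpenSSH message formats, the 10-minute window, the `scan` function and its `allow` list, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4                    # failures before blacklisting (from the post)
WINDOW = timedelta(minutes=10)   # assumption: the post only hints at a window
BAN = timedelta(days=365)        # "a blacklist for a year"

# Greedy ".*" plus the end anchor selects the LAST "from <addr>", so a username
# like "x from 198.51.100.9" cannot get someone else's address blacklisted.
PATTERNS = {
    "password": re.compile(r"Failed password for .* from (\S+) port \d+(?: ssh\d?)?$"),
    "user": re.compile(r"(?:Invalid|Illegal) user .* from (\S+)(?: port \d+)?$"),
}
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")

def scan(lines, year, allow=()):
    """Return {address: ban_expiry} for sources that crossed the threshold."""
    recent = defaultdict(deque)  # (kind, address) -> timestamps inside WINDOW
    banned = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, pat in PATTERNS.items():
            hit = pat.match(m.group(2))  # match() anchors at message start
            if not hit or hit.group(1) in allow or hit.group(1) in banned:
                continue
            q = recent[(kind, hit.group(1))]
            q.append(when)
            while when - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD:
                banned[hit.group(1)] = when + BAN
    return banned

# Constructed sample: a fast root guesser, a spoofed-username attempt, a slow typo-er.
SAMPLE = (
    [f"Oct 27 03:14:0{i} nessus sshd[411]: Failed password for root from 203.0.113.5 port 410{i} ssh2" for i in range(4)]
    + [f"Oct 27 03:2{i}:00 nessus sshd[412]: Invalid user x from 198.51.100.9 from 203.0.113.77" for i in range(4)]
    + [f"Oct 27 09:{15 * i:02d}:00 nessus sshd[413]: Failed password for mike from 192.0.2.10 port 5000 ssh2" for i in range(4)]
)

if __name__ == "__main__":
    for addr, until in scan(SAMPLE, 2005).items():
        print(addr, "blacklisted until", until.isoformat())
```

The function only decides who gets blacklisted; loading the result into a firewall table or an SSH access list is a separate step, and the `allow` argument is there so a monitoring or admin address cannot lock itself out.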

SuperPadPartyTime....

SuperPad

Mmm, party.... Details --

Where: Vin's place
When: 10/29/2005; 9PM - wheneverAM
What: (pre)Halloween Party
Who: Me, Dave, Lots of other SuperPad regulars and semi-regulars, YOU(?)
Why: Because Halloween is on a Monday and mike wants party!

I might bring some Invision people too, not sure yet. I'm making the rounds on AIM to invite people, if I miss you and you're reading this consider yourself invited. Call me for details. And bring alcohol, apparently the downstairs bar has been expanded, so I may actually spend time down there serving drinks.

Wow... Comment Spam...

MetaBlog

Like... Wow.... I actually got COMMENT SPAM on my blog! Well, actually it was a trackback to some jackass selling "p1lls and m3dz" or some such.

Anyway, I've gone ahead and become a comment nazi. Y'all need to do the "type in the letters from a picture" bit now. *sniffle* I feel all "Mister-Big-Time-Blogger" now. My crappy ass homegrown blog never got comment spam.

There will be a real entry at some point this week, promise.

voodedoo?

Ugh...

Wednesday: Got to work at 9am, Juniper shat itself around noonish, left work around 5AM, finished rebuild from home, went to sleep around 6ish, got up at noon to go to work again.

Today (Thursday): Got to work at 1pm. Meeting at 2:30 for change management group. Server builds for new projects and web site fixes for a new client (garnered from one of our former clients who disappeared from the face of the earth). Cleaned up the mess we left in the datacenters and did an inventory of "old shit" that should be replaced. - Sidenote, we own 24 Dell PowerEdge 4300s. Big Ole' Honkin Non-Rackable Boat Anchors they are too. Put together a spreadsheet for tomorrow detailing what ancient hardware we have and any faults reported on the panels to present to management begging for replacement fundage and/or equipment. Got out of work around 10pm. Celebrated by watching Voodedoo episode of Foamy.

Tomorrow: Casual Friday. Walking out no later than 5:30.

GOOD NIIIGHT NURSE! :-)

Why Serendipity? And what's with the new site?

MetaBlog

So what made me choose Serendipity? I wrote a pretty good Blogging engine a while back, DB Backed, Searchable, Secure and Safe comments, decent IFRAME-based front-page display, RSS Syndication.... Then my system crashed, and I lost that work, along with over 100 entries, lots of media and my will to rebuild the thing.

In its place, I found the desire to rebuild all of bsd-box.net in a unified way, with a CSS-Based theme, and so Serendipity (0.8) was chosen. Serendipity brings a collection of nice features, but more to the point, it brings a nice, unified look and feel which will eventually be carried over into the rest of the site. Look for improvements at the usual (glacial) pace :)