What do Romania, France, North Korea, South Korea, China, Czechoslovakia and Bulgaria have in common? Simple, they're all countries that show up in my SSH Access Blacklist Table. Why am I talking about this? My place of work got h4x0r3d yesterday (our Nessus security scanning server -- how's that for irony?). I will preface this by saying that **I** did not set up the aforementioned server (and thus my "Incredibly Unhacked" record is untarnished). I'm not particularly upset by this. Irritated yes (especially with myself -- I never read those stupid "You last logged in from [x] at [y] O'clock" messages (nobody does)), but upset no. The poor guy who set up the Nessus box however, looked like he wanted to cry. And the look on his face when he told me was kinda sad - he's probably not reading this but if you are - don't worry about it. Machines get hacked, we post-mortem them and move on. Even I'm not perfect (my record notwithstanding) and I've found some HUGE security flaws on my systems over the years - I've just had good luck at finding them before other people do. We got hacked because the machine has SSH open to the world. That's not a bad thing in and of itself -- flexo.bsd-box.net (the server this blog lives on) has SSH open to the world. In hindsight, since there are a LOT of machines and nobody to check up on each one every day SSH should probably have been restricted to our "Border SSH Machine" (the one host that is SUPPOSED to have SSH wide open, and is carefully monitored), but this is only a symptom, not the Real Problem. By the By, our head CISCO guy (and head of network security) ran scans from this server, logging in from random places, AS ROOT. He should have known better and locked down the access (instead of using it), but that's neither here nor there... The Real problem is SSH was configured to allow root logins in the first place. Not JUST root logins, Root logins using a regular old UNIX Password. And SSH being less-than-smart will happily let you keep reconnecting and trying passwords until you get it right! (It took our friend over 20,000 password attempts to get root on the Nessus box) I have no problem with allowing root logins -- actually I have a HUGE problem with it but for practical reasons you can't just say "No remote Root logins" -- BUT the system should only allow Root to log in with an "appropriately huge" (2048 bit) Public Key authentication, and it HELPS if you can secure the access list for SSH to something more reasonable than "Everyone in the universe". Now of course using keys for root doesn't solve the problem of J. Random Hacker breaking in as a regular user -- Even if you disable Root logins they can still hack user accounts, and insisting all your users use 2048 Bit SSH Keys is somewhat unreasonable (it's hard enough getting them to use SSH and SFTP), so how do you deal with the jackasses trying to Brute Force their way in? My SSH Log rolls a few times every day because it gets over 100KB in size (that's a LOT of failed auth attempts!), surely someone will eventually persist at this game long enough to brute force even the most lengthy and random passwords, right? Well, I deal with them by using a little script, customized for FreeBSD and Security-Nazi-ism. Basically what it does is watch the SSH Authentication log, and after 4 failed password attempts (or 4 invalid usernames) it assumes that you are trying to hack my machine and adds you to a blacklist for a year (or until I manually remove you after you call me and explain how you mistyped your username four times in 10 minutes, which will of course require me to make merciless fun of you and shame you in to remembering your login ID). For everyone's enlightenment, the gory details are below Continue reading "Lions and Tigers and h4x0rZ OH MY!"