14 Mar
2010
14 Mar
'10
8:51 a.m.
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
Every so often I get an alert about the number of outbound SSH
connections being much higher than usual. e.g. 100,000 instead of 4.
I then investigate, and most of the time it's harmless -- someone
doing a pentest or some sort of remote monitoring.
But once every month or two, it's a customer's VPS which has been
compromised and turned into an SSH scanning bot. As it happens,
there's been two instances of this in the last month.
When BitFolk first started, this sort of thing happened about three
times before I decided I'd have to have monitoring of it so it
wouldn't go on for days on end.
When this happens and I catch it in the act, I have to turn off the
customer's network, because their VPS is actively attacking remote
sites, often at a rate of several hundred thousand SSH connections
per hour. Aside from the hosts they may compromise, there will be abuse
reports to deal with and possible damage to BitFolk's reputation,
not to mention very large bandwidth usage that the customer is
unlikely to want to pay for.
I can't just block tcp/22 outbound because at this point the VPS is
compromised and the priority (after stopping it) is understanding
how it happened. Leaving the network working allows attackers more
opportunity to clean up after themselves and/or do more damage.
So, if you're the unlucky customer then at this point your VPS has
no network, you've received an email (assuming your email is
accessible from outside your VPS) about what's happened and you're
going to have to log in to the console and/or rescue environment to
try to work out how it happened. The rescue environment has access to
your block devices and has unrestricted network access, but I'm not
going to be able to turn networking back on for your VPS itself.
If the customer can work out what happened, how it happened, and
convince me that root access was not obtained, then I can turn their
network back on. If they can't convince me that root access was not
obtained then there's generally no option but to re-image the VPS.
I'm really loathe to re-image a VPS that's been compromised where we
don't know how, though, because it will likely just happen again.
The customer has to work it out, and that's maybe something they're
not used to doing, and/or don't want to be doing, while their
service is down the whole time.
Unfortunately I can't do it for them or help in any great detail
because this is a time consuming task, and is the sysadmin's
responsibility i.e. the customer.
Being compromised by an SSH dictionary attack is far and away the
most common thing that I see, and reacting to it by monitoring the
rate of outbound SSH connections is no longer good enough. Reacting
to it and cleaning up after it is wasting too much time, and when
I have customers that have it happen to them repeatedly at some
point I have to say enough is enough and not turn their service
back on at all.
Do you think there's any pro-active measures that would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
2) Don't use passwords at all, only keys.
3) Disable root login.
4) Restrict the list of usernames that are valid, in combination
with (1) and (3).
5) Install DenyHosts or Fail2Ban.
6) Move sshd to another port.
More?
I can't do anything about (1), since the password the VPS comes with
is strong and it's presumably made weaker later on.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
(3) is already the case for Ubuntu of course, but not any of the
other distributions offered. I haven't kept track of how many
compromises have been of root and not some other user but disabling
root access by SSH and requiring some other username seems a
reasonable starting point, would at least limit the damage.
(4) sounds too confusing unless I stated in the setup email that SSH
has been locked down to only the one non-root user they had when set
up.
Doing (5) in the base images would be controversial but I think
actually very effective. Would it be an outrage for you to find
DenyHosts or Fail2Ban installed for you?
Moving the SSH port is probably the most effective of all, but I
think it would be really confusing and not accepted by people, to
find that their SSH was provisioned e.g on port 2022 to begin with.
Any thoughts?
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"It is I, Simon Quinlank. The chief conductor on the bus that is called
hobby." -- Simon Quinlank
14 Mar
14 Mar
9:12 a.m.
Hi Andy et al,
This very long email is about possible pro-active
measures I could
take to prevent customers being compromised by SSH dictionary
attacks.
*snip*
Yes, a very long email :)
Do you think there's any pro-active measures that
would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
I agree - there's very little you can do about this.
2) Don't use passwords at all, only keys.
That wouldn't be a bad idea, but as you rightly mention, those who
aren't used to using keys (or carrying them around [bad idea?]) would
be stuck here.
3) Disable root login.
I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it).
4) Restrict the list of usernames that are valid, in
combination
with (1) and (3).
Difficult to implement, as you say.
5) Install DenyHosts or Fail2Ban.
I don't think there would be anything wrong with doing this. Yes, some
people might find it controversial, but surely they can remove it if
they please.
6) Move sshd to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks.
More?
I don't really know how you 'filter' outbound connections (I expect
little is done) but could you set up an outbound SSH rule that dropped
any connections from a server that was making, say, 100 hundred
outbound connections in 10 seconds? Would any server have a legitimate
reason for doing this? It wouldn't stop the compromised host, but it
would limit the possibility of them compromising other hosts.
James
9:25 a.m.
Changing the port is a no no.
'PasswordAuthentication no' and ssh keys is the right solution. If a
customer can't figure out how to generate an ssh key with puttgen or
ssh-keygen, I wouldn't take them.
10:34 a.m.
On Sun, Mar 14, 2010 at 09:25:39AM +0000, Kai Hendry wrote:
'PasswordAuthentication no' and ssh keys is
the right solution. If a
customer can't figure out how to generate an ssh key with puttgen or
ssh-keygen, I wouldn't take them.
Frankly, I agree with Kai. If you can't figure out SSH keys, you have
no business whatsoever running public SSH (or any other) services on the
Internet.
On my network at home, I have key-only, no root login, and use Fail2Ban
(with other services too, not just ssh). It's worked perfectly well for
me for years. Fail2Ban might be too resource hungry on a busy machine
though.
Just my $0.02
Darren.
--
Darren Davison
Public Key: 0xE855B3EA
10:47 a.m.
Hi Darren,
On Sun, Mar 14, 2010 at 10:34:54AM +0000, Darren Davison wrote:
On Sun, Mar 14, 2010 at 09:25:39AM +0000, Kai Hendry
wrote:
Very few customers ask for provision with an SSH key. Of the
requests to set up rsync-over-ssh backups I've dealt with, many of
them involve a lot of back and forth because the customer was unable
to set up authentication by SSH key. A couple of people actually
gave up setting up backups because they couldn't figure it out. :/
Less than half of BitFolk's customer base is represented on this
mailing list, despite it saying at the bottom of the provisioning
email that you really should be on this list to hear about stuff.
All of this leads me to believe a few things:
- Most of BitFolk's customers are looking for personal hosting.
- They're not experienced sysadmins.
- They don't use SSH key auth.
- The people on this list are more into sysadmin than the average
BitFolk customer, and more likely to understand why they should be
using SSH keys.
I have had a poor success rate with enforced learning, and to me it
feels like it's going to be a real turn off for the average customer
if they find out they have to learn about SSH keys in order to buy a
VPS.
(this doesn't change the fact that I think that almost everyone
should be using SSH keys)
Do we know of any other VPS business that requires SSH key login? I
am aware of Steve Kemp's servers but I wouldn't really class them as
VPS businesses and that is pitched at much more technically adept
folks.
'PasswordAuthentication no' and ssh keys
is the right solution. If a
customer can't figure out how to generate an ssh key with puttgen or
ssh-keygen, I wouldn't take them.
Frankly, I agree with Kai. If you can't figure out SSH keys, you have
no business whatsoever running public SSH (or any other) services on the
Internet. On my network at home, I have key-only, no root login,
and use Fail2Ban
(with other services too, not just ssh). It's worked perfectly well for
me for years. Fail2Ban might be too resource hungry on a busy machine
though.
Like a lot of best practices, it's simple, effective and not widely
used due to ignorance/laziness.
The average BitFolk customer does not have backups or a firewall,
either. I can't even give away backups.
Cheers,
Andy
10:59 a.m.
On Sun, Mar 14, 2010 at 09:25:39AM +0000, Kai Hendry wrote:
Changing the port is a no no.
'PasswordAuthentication no' and ssh keys is the right solution. If a
customer can't figure out how to generate an ssh key with puttgen or
ssh-keygen, I wouldn't take them.
It might be the Right Thing, but restricting your customer base to
those people who can do it and are willing to do it, *and* spending
large amounts of time in training (or large amounts of time
discovering that they can't manage it or can't be bothered) isn't
really a good business plan.
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- argc, argv, argh! ---
6:06 p.m.
On 14/03/2010 09:25, Kai Hendry wrote:
Changing the port is a no no.
'PasswordAuthentication no' and ssh keys is the right solution. If a
customer can't figure out how to generate an ssh key with puttgen or
ssh-keygen, I wouldn't take them.
I almost always use keys, but keep password access (to my user account)
for the situations where I wasn't on a machine where I had my keys setup.
I used to have them solely on my laptop and home linux server.
This has improved now with ssh access (with a passworded key) from my phone.
Root access via ssh is disallowed (as it's all done via sudo from my
account or the console)
--
Dee Earley (dee(a)earlsoft.co.uk)
irc: irc://irc.blitzed.org/
web: http://www.earlsoft.co.uk
phone: +44 (0)780 8369596
9:46 a.m.
I'm no longer a bitfolk customer, but IMHO:
I'm not sure this gets you much -- many bots just want to send
email/packets to other networks which can be done with regular
accounts.
Running ssh on a non-standard port is the best option in terms of
setup time and effectiveness -- it won't deter a dedicated attack, but
it stops you being the low-hanging fruit.
Casper.
3) Disable
root login.
I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it).
6) Move sshd to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks.
10:11 a.m.
Hi Casper,
On Sun, Mar 14, 2010 at 09:46:35AM +0000, Casper Gasper wrote:
I'm not sure this gets you much -- many bots just want to send
email/packets to other networks which can be done with regular
accounts.
Absolutely. I was just really thinking from a best practice point of
view here. Although I haven't kept stats on how many compromises
were root vs user, I feel like if a customer can get a user account
compromised then it's maybe not much more difficult to imagine their
root account's password going the same way.
If they can convince me that root hasn't been obtained and they've
cleaned up the scanner then I'm usually happy enough to turn network
back on without re-imaging the VPS.
Hmm, this is a reactive thing again isn't it, so I'm off-topic
myself.
Running ssh on a non-standard port is the best option in terms of
setup time and effectiveness -- it won't deter a dedicated attack, but
it stops you being the low-hanging fruit.
I just feel like it would be too controversial and unacceptable for
this to happen before setup.
It's a good suggestion for people looking to defend against this,
Really doing anything at all helps you a lot, don't have to outrun
the bear, just have to outrun your slowest friend.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"The electric guitar - like making love - is much improved by a little
feedback, completely ruined by too much." -- The League Against Tedium
I'm no longer a bitfolk customer, but IMHO:
Ha, thanks for sticking around. :)
3) Disable root login.
I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it). 6) Move sshd to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks.
9:55 a.m.
HI James,
On Sun, Mar 14, 2010 at 09:12:08AM +0000, James Gregory wrote:
Indeed, but as I haven't seen individual customers targeted, just
moving the SSH port takes people out of the pool of potential
victims.[1]
Then again, so does doing almost anything else to protect yourself,
so I don't think anyone need feel bad about keeping their SSH on
port 22 as long as they know the risks.
Ah yes, I should have gone into that.
The hosts have a ulog target in their outbound iptables rules to log
all port 22 SYN packets, and I just monitor the "background" rate of
these to work out what is normal.
4 in 15 minutes is normal; 1000+ isn't. :)
Hi Andy et al,
Thanks for reading.
This very long email is about possible pro-active
measures I could
take to prevent customers being compromised by SSH dictionary
attacks.
*snip*
Yes, a very long email :) 6) Move sshd
to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks. More?
I don't really know how you 'filter' outbound connections (I expect
little is done) but could you set up an outbound SSH rule that dropped
any
connections from a server that was making, say, 100 hundred
outbound connections in 10 seconds? Would any server have a
legitimate reason for doing this? It wouldn't stop the compromised
host, but it would limit the possibility of them compromising
other hosts.
Interesting idea. You're right that slowing down outbound SSH to
10/second or 100/10 seconds would severely limit SSH scanning to the
point of uselessness,
It would also interfere with legitimate scanning like pentests and
probably also remote monitoring (Nagios can be quite aggressive), so
would definitely have to be opt-out.
I'll have a think about it but my immediate thoughts are that I'm
loathe to do it because of the inconvenience for legitimate users,
and the amount of extra state it's going to involve keeping on the
host machines.
I'd still like to focus on what can be pro-actively done to stop us
getting to the point of having to try to contain an SSH scanning
run.
On that topic, it could of course be done inbound! I missed off
rate-limiting in the firewall as one of the ways people defend
against SSH dictionary attacks. BitFolk could actually do that for
you. Not sure I want to be responsible for that, or keep the state
though...
Cheers,
Andy
[1] If I was writing an ssh scanner I might be tempted to try ports
1222, 2222, 2022, etc. if 22 was blocked. It's only a handful
more connections when you're going to do thousands anyway if you
find the right port. At some point, trying all 65k ports will
be nothing compared to how many connections you'll make once you
find the open port. I've got TCP/22 SYN logs going back a few
months so I could work out how many tried
10:37 a.m.
James Gregory wrote:
I disagree, make ssh keys mandatory, especially if there is a super user
account involved, obviously this can be re-enabled but most people don't
mess with default settings.
The super user account could be called something other than "root", and
"root" username given no access to the system.
Doing semi-complete/complete backups via rsync/rsnapshot is difficult
using a non-SU account.
Or just don't have many/any system accounts, many things like web and
ftp have been able to have virtual/non-system accounts for years, and
jail processes where possible and drop privileges where possible, there
is lots of things that should be done here.
I've had no end of trouble with things like this in the past, it ended
up more trouble than it was worth.
I don't treat this as security by obsecurity, I treat this as limiting
dictionary attacks on my servers, it doesn't stop an attacker, it does
stop bots.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
1) Only use
strong passwords.
I agree - there's very little you can do about this. 2) Don't
use passwords at all, only keys.
That wouldn't be a bad idea, but as you rightly mention, those who
aren't used to using keys (or carrying them around [bad idea?]) would
be stuck here. 3) Disable
root login.
I would say yes for every OS. There shouldn't really be any need to
log in as root (esp if you can su/sudo up to it). 4) Restrict
the list of usernames that are valid, in combination
with (1) and (3).
Difficult to implement, as you say. 5) Install
DenyHosts or Fail2Ban.
I don't think there would be anything wrong with doing this. Yes, some
people might find it controversial, but surely they can remove it if
they please. 6) Move sshd
to another port.
More of a security by obscurity approach, but it would limit the
inbound attacks. 
10:11 a.m.
On 14 March 2010 08:51, Andy Smith <andy(a)bitfolk.com> wrote:
A lot of people have trouble setting up SSH keys and I
would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
With a small amount of clear documentation on the bitfolk support site
about generating your own key I couldn't see why it couldn't be made a
requirement for setting up a vps. admittedly it's been a very long
time since I first learnt about them but I can't imagine it being that
difficult a concept to grasp with step-by-step instructions to
follow!?
Ed
10:51 a.m.
Andy Smith wrote:
Hello,
[snip]
Any thoughts?
Having had to install fail2ban, I feel that installing that in the image
would be a positive bonus. Customers would need to be told about the
"changes from standard" that have been applied to their image.
I would like to see more "Newbie's Guides" in the support information. I
remember struggling when I first signed up because I did not know enough
about linux to know what I needed to do about security. I could do the
basics, but I was no sysadmin (still am not).
Perhaps add a wiki to the customer information that only customers can
edit? Then recommendations and standard procedures can be documented
and used without involving support. I do understand that adding to the
existing pages involves a lot of detail work, for no clear benefit.
The sort of thing that is needed, are some very basic guides covering
the absolute fundamentals. The content would appear to be "obvious" and
therefore unnecessary. Let me assure people that, when you don't know,
it isn't obvious, and it often isn't clear how to find out either.
Having a place to browse would be very helpful. If you know most if it,
you are reassured that you haven't forgotten anything obvious.
Regards
Ian
P.S. A "thumbs up" to the IRC support. It was very helpful and much
appreciated when I needed it. Thanks guys.
11:02 a.m.
On Sun, Mar 14, 2010 at 11:51, Andy Smith <andy(a)bitfolk.com> wrote:
2) Don't use passwords at all, only keys.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
Forbidding passwords at all would be rude, but SSH keys definitely
should be strongly promoted, and the best way is a good and visible
guide explaining the very basic principles and setup details.
Keys might be encouraged by key authenication to all services (panel,
nagios, etc). IIRC, steps towards this were announced, but I still
have to reset my password every time I need to log in there! I have no
passwords on my VPS and apparently no working password on console, and
I would like to stop caring about them at all.
After this is implemented, new customers may be offered two options:
— Do you want keys or passwords for auth?
— WTF keys?
— http://bitfolk.com/keys.html
— Keys! Keys! Of course, keys!!!11111
— Kalan
11:35 a.m.
Hi Kalan,
On Sun, Mar 14, 2010 at 02:02:23PM +0300, Kalan wrote:
On Sun, Mar 14, 2010 at 11:51, Andy Smith
<andy(a)bitfolk.com> wrote:
The thing about good and visible guides..
Okay, here's a template for the provisioning email:
http://pastie.org/private/qylguieq4zvm7i9sht17w
It hasn't really changed in the last 2 years, You may notice a
subtle yet repeated bit of advice in there.
Maybe it's too subtle, because it didn't really do anything to
decrease the number of support requests to reset console password. I
had to implement email reset instead. It seemed easier than visiting
people in person to etch it on the inside of their eyelids.
I'm all for people learning the hard way, but when it impacts on me
as well I have to be pragmatic...
2) Don't use passwords at all, only keys.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
Forbidding passwords at all would be rude, but SSH keys definitely
should be strongly promoted, and the best way is a good and visible
guide explaining the very basic principles and setup details. Keys might be encouraged by key authenication to all
services (panel,
nagios, etc). IIRC, steps towards this were announced, but I still
have to reset my password every time I need to log in there! I have no
passwords on my VPS and apparently no working password on console, and
I would like to stop caring about them at all.
Difficult to use ssh keys to access a web service. Would OpenID be
of any use to you?
I'll have a look at your other difficulties off-list as that
shouldn't be the case..
After this is implemented, new customers may be
offered two options:
— Do you want keys or passwords for auth?
— WTF keys?
— http://bitfolk.com/keys.html
— Keys! Keys! Of course, keys!!!11111
I'm wiling get unsubtle about it, but I fear there is no bounds to
what can be ignored for the sake of convenience..
Cheers,
Andy
11:46 a.m.
On Sun, Mar 14, 2010 at 11:35:42AM +0000, Andy Smith wrote:
Hi Kalan,
And even those of us that should know better don't always follow
the advice... <cough>
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Well, sir, the floor is yours. But remember, the ---
roof is ours!
Forbidding passwords at all would be rude, but
SSH keys definitely
should be strongly promoted, and the best way is a good and visible
guide explaining the very basic principles and setup details.
The thing about good and visible guides..
Okay, here's a template for the provisioning email:
http://pastie.org/private/qylguieq4zvm7i9sht17w
It hasn't really changed in the last 2 years, You may notice a
subtle yet repeated bit of advice in there.
Maybe it's too subtle, because it didn't really do anything to
decrease the number of support requests to reset console password. I
had to implement email reset instead. It seemed easier than visiting
people in person to etch it on the inside of their eyelids.
12:14 p.m.
Andy Smith wrote:
Difficult to use ssh keys to access a web service.
Would OpenID be
of any use to you?
You can use SSL keys for web auth, and it's fairly simple to setup a
system that you can issue them, alternatively PGP keys can be converted
to SSL and SSH for that matter.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Global Communication for the 21st Century
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
11:06 a.m.
Thanks Andy; this served as a reminder to double check / tweak some of
my configuration.
Andy Smith wrote:
2) Don't use passwords at all, only keys.
As you say, probably not acceptable to some folks, but perhaps you can
at least default to asking only for an ssh key, and let people request a
password explicitly or set a password themselves if they can't cope with
keys?
3) Disable root login.
Certainly seems sensible; I thought most OSes denied it by default by I
guess I'm wrong. At the very least:
PermitRootLogin without-password
should be acceptable (and perhaps better, as people might otherwise just
change the 'no' to 'yes')
4) Restrict the list of usernames that are valid, in
combination
with (1) and (3).
No strong feeling on that one.
5) Install DenyHosts or Fail2Ban.
I'd be quite happy with this. It's something you'd probably want to
point out in the welcome email as well.
(Is either of these better than the other, and do they generally need
any tweaking from the default debian configuration?)
6) Move sshd to another port.
One possible downside to that is that a number of ISPs are doing traffic
prioritisation these days, and the default or normal settings for these
systems seem to put uncommon ports into low or lowest priorities. That
results in slow ssh connections if you're not careful in your port
choice. (I think, for example, plus.net will put traffic to port 2222 at
a low priority, but ssh traffic on the default jabber port seems fine.)
Joseph
11:42 a.m.
I agree that moving the sshd port is no guarantee of anything, but I
would still recommend it. That much noise is very bad (dozens/hundreds
of attempts 24/7) and makes it harder to see a real threat. I sleep
easier anyway :-)
I use both keys and strong passwords.
Another useful component is an intrusion detection kit - I use aide.
Again, no guarantee, but a useful part of the armoury.
--
Alastair Sherringham
12:11 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 14/03/2010 08:51, Andy Smith wrote:
6) Move sshd to another port.
[snip]
Moving the SSH port is probably the most effective of all, but I
think it would be really confusing and not accepted by people, to
find that their SSH was provisioned e.g on port 2022 to begin with.
I find this to be quite the best way of severely reducing, if not
removing, the incidence of untargeted SSH dictionary attacks (I do keys
/ valid username restriction / no root login too). I can't remember the
last time I saw a failed SSH attempt in the logs.
Cheers
Dominic
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuc0lYACgkQC9o1X6ZWkII8wQCgk0biSRYbyWOofXIrYWDsC0Xx
G5gAn3IZCjs+/ic6nR1uv6fK2b+uHOxj
=rdcE
-----END PGP SIGNATURE-----
6:26 p.m.
On Sun, Mar 14, 2010 at 08:51:12AM +0000, Andy Smith wrote:
Do you think there's any pro-active measures that
would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
Ideal, but plainly doesn't work.
2) Don't use passwords at all, only keys.
Will drive off potential customers quite rapidly -- nice to have
and to encourage, but is complex to set up right.
3) Disable root login.
I'm not sure how much this gets you -- as others have pointed out,
the default user in Ubuntu has root via sudo anyway, and there's
enough local root exploits floating around that it's probably not a
big hurdle.
4) Restrict the list of usernames that are valid, in
combination
with (1) and (3).
Again, I don't think this gets you much.
5) Install DenyHosts or Fail2Ban.
I think this could be a winner. Those who know they don't want it
are probably more technical, and thus more able to turn it off, in
comparison to those who need it because their systems are less secure
(by poor password selection).
6) Move sshd to another port.
This one is a case of simply not being low-hanging fruit. I'm still
surprised that the crackers haven't caught on to this yet.
More?
- Run your own password cracker and warn people about successful
keys? (Would require agreement beforehand to avoid legal issues,
but could go in the Ts&Cs...)
- Provision the standard VPS with logcheck set up to mail the admin
about login attempts. That might then shock them enough to read an
FAQ and act on it with some of the proactive measures above, such
as (1) and (2).
Hugo.
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- ... one ping(1) to rule them all, and in the ---
darkness bind(2) them.
15 Mar
15 Mar
11:37 a.m.
** Andy Smith <andy(a)bitfolk.com> [2010-03-14 16:22]:
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
<snip>
Being compromised by an SSH dictionary attack is far
and away the
most common thing that I see, and reacting to it by monitoring the
rate of outbound SSH connections is no longer good enough. Reacting
to it and cleaning up after it is wasting too much time, and when
I have customers that have it happen to them repeatedly at some
point I have to say enough is enough and not turn their service
back on at all.
Do you think there's any pro-active measures that would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
Is there any option to provide a facility to generate passwords to encourage
customers to use better passwords. Either an https based web system or
something like apg and some documentation. Perhaps a password change utility
that generates a password as part of the process. Anyone less familiar with
hosting would possible tend to use the documented system and hence get better
passwords.
2) Don't use passwords at all, only keys.
It may be less popular, but would it work by creating a key that is available
through the admin console with instructions on how to download it and use it to
access the server for the first time using openssh or putty? I had been
thinking about a slightly higher cost for a VPS with password access rather
than key, but it is too easy to go for one and switch to the other, and a major
nightmare to 'police'. A more practical suggestion may be an extra setup cost
for anyone wanting password access on installation, but key by default. That
would encourage learning how to use keys, and perhaps lead to continued usage.
The sales pitch is increased security and with decent documentation it
shouldn't be too much hassle.
3) Disable root login.
Should be standard to my mind, although as has been said, a compromised Ubuntu
account has sudo access with the password that has already been compromised.
4) Restrict the list of usernames that are valid, in
combination
with (1) and (3).
Possibly not workable, again it depends on how easy it is for non-technical
users to add usernames. SSH access my well be something that only the original
account needs for non-technical customers. Perhaps looking into a control panel
that allows some of these features to be set to make them easier to manage. Not
a quick fix though. As a comparison, I have to manually create mail addresses
allowed to be sent out through my ISP mail server relay for any domains not
part of the sub-domain they provide. The system could be much better in that
you can't use wildcards before the @ or delete entries without tech. support,
but I assume they don't have too much complaint about it.
5) Install DenyHosts or Fail2Ban.
I'd go for Fail2Ban as default personally, and it should be fairly easy to
promote this as a benefit to hosting for the less technical customers. Those
that are technical can easily disable it if preferred - again with some good
documentation :)
6) Move sshd to another port.
Not something I'm a big fan of. I suspect that many attacks will check for
something as basic as this, although I've not seen any evidence or analysis of
this theory!
More?
Perhaps some of this could be incorporated into the admin console, and this is
the first place you log into. How easy would it be to run a script on first
login to choose these options, with the defaults being the more secure choices?
With the right 'blurb' I would expect many of the less experienced would choose
those options described as more secure. Perhaps with a bit of gentle but firm
'encouragement' along with some custom documentation you can improve customer
setups without upsetting anyone!
I can't do anything about (1), since the password
the VPS comes with
is strong and it's presumably made weaker later on.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
(3) is already the case for Ubuntu of course, but not any of the
other distributions offered. I haven't kept track of how many
compromises have been of root and not some other user but disabling
root access by SSH and requiring some other username seems a
reasonable starting point, would at least limit the damage.
(4) sounds too confusing unless I stated in the setup email that SSH
has been locked down to only the one non-root user they had when set
up.
Doing (5) in the base images would be controversial but I think
actually very effective. Would it be an outrage for you to find
DenyHosts or Fail2Ban installed for you?
Moving the SSH port is probably the most effective of all, but I
think it would be really confusing and not accepted by people, to
find that their SSH was provisioned e.g on port 2022 to begin with.
Any thoughts?
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"It is I, Simon Quinlank. The chief conductor on the bus that is called
hobby." -- Simon Quinlank
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
** end quote [Andy Smith]
--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
11:56 a.m.
On 15/03/2010 11:37, Paul Tansom wrote:
Paul,
I've kept my sshd listening on port 26 for as long as I can
remember, and have pretty much no attacks on it whilst my
webserver is hammered daily. Of course this is largely
circumstantial, but I really do believe that the port change
helps greatly!
Tom
6) Move sshd
to another port.
Not something I'm a big fan of. I suspect that many attacks will check for
something as basic as this, although I've not seen any evidence or analysis of
this theory! 
12:52 p.m.
On Mon, 15 Mar 2010 11:37:35 +0000
Paul Tansom <paul(a)aptanet.com> wrote:
Standard on my Debian Lenny system. I have never liked the use of
sudo with no root password as used by that other distro
Installed Fail2Ban this morning and hope I have set it up correctly.
My only 'complaint' so far is that I cannot do
'tail /varlog/fail2ban.log' without having to su first. I believe there
are ways round this but haven't followed this up as yet.
** Andy Smith <andy(a)bitfolk.com> [2010-03-14
16:22]:
Checking my /var/log/auth.log I realised I was getting hundreds if
not thousands of attempts to ssh into my server.
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
<snip> > 1) Only use strong passwords.
I have just updated my root password to something stronger (hopefully)
as a result of this thread.
> 2) Don't use passwords at all, only keys.
I set up a key for normal user ssh access right from the outset, I
didn't find it too difficult a task as there is plenty of 'help' just
a google away.
3) Disable
root login.
Should be standard to my mind, although as has been said, a
compromised Ubuntu account has sudo access with the password that has
already been compromised. 5) Install
DenyHosts or Fail2Ban.
I'd go for Fail2Ban as default personally, and it should be fairly
easy to promote this as a benefit to hosting for the less technical
customers. Those that are technical can easily disable it if
preferred - again with some good documentation :) > 6) Move sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config as I
couldn't then ssh in when I tested it from another terminal getting an
'unable to open port 22' error.
Thanks Andy for bringing this to our attention. 'Proper' sys-admins may
well be born knowing with this sort of stuff but us dabblers
need a bit of help from time to time.
One of these days I must have another go at use the spam filtering you
supply but don't want to end up giving you grief as I did last time ;-(
--
John Lewis
Debian & the GeneWeb genealogical data server
1:27 p.m.
On 15/03/2010 12:52, john lewis wrote:
Don't forget to update your firewall rules.
Tom
> 6) Move
sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config as I
couldn't then ssh in when I tested it from another terminal getting an
'unable to open port 22' error.
1:56 p.m.
On Mon, 15 Mar 2010 13:27:08 +0000
"Tomalak Geret'kal" <tom(a)kera.name> wrote:
On 15/03/2010 12:52, john lewis wrote:
Don't forget to update your firewall rules.
I did do 'iptables -L' to try to see if there was anything in the
firewall rules blocking me and got
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which means nothing to me ;-(
--
John Lewis
Debian & the GeneWeb genealogical data server
> 6)
Move sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config as
I couldn't then ssh in when I tested it from another terminal
getting an 'unable to open port 22' error. 
11:30 p.m.
On 15 March 2010 13:56, john lewis <zen57162(a)zen.co.uk> wrote:
I did do 'iptables -L' to try to see if there
was anything in the
firewall rules blocking me and got
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which means nothing to me ;-(
It means you don't have any firewall rules, which is ill-advised on a
Internet-facing server.
There are heaps of guides to creating a firewall policy, my favourite
method at the moment is to use "ufw". It's in Debian as of squeeze.
Make sure you can access your VPS console before you start experimenting :)
G
16 Mar
16 Mar
9:46 a.m.
On Mon, 15 Mar 2010 23:30:59 +0000
Graham Bleach <graham(a)darkskills.org.uk> wrote:
On 15 March 2010 13:56, john lewis
<zen57162(a)zen.co.uk> wrote:
OK
I did do 'iptables -L' to try to see if
there was anything in the
firewall rules blocking me and got
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which means nothing to me ;-(
It means you don't have any firewall rules, which is ill-advised on a
Internet-facing server. There are heaps of guides to creating a firewall
policy, my favourite
method at the moment is to use "ufw". It's in Debian as of squeeze.
but not in lenny, so I looked for an online guide and found
http://www.mista.nu/iptables/ amongst others, some seemed very
complicated but I can almost understand what 'mista' generated:
#!/bin/sh
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
Comment:
This appears to remove any existing rules, setup defaults which
match what I currently have, then create some new rules.
# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
Comment:
I don't know what the 'TCP sessions' line means but it may well be a
good thing as is the loopback devices section.
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
Comment:
I presume I can change --dport 22 to my chosen port as set
in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
system to further restrict ssh access.
I guess I need to open up http access to everyone to avoid blocking
access to the webpages I have available.
I am not sure if I need the pop3 line. but I do use an @startx.co.uk
email address on the server.
# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Comment:
I guess I need to allow outgoing packets
Do these rules look OK and are they sufficient?
Make sure you can access your VPS console before you
start
experimenting :)
Yup!
--
John Lewis
Debian & the GeneWeb genealogical data server
17 Mar
17 Mar
4:31 p.m.
On 16 March 2010 09:46, john lewis <zen57162(a)zen.co.uk> wrote:
On Mon, 15 Mar 2010 23:30:59 +0000
Graham Bleach <graham(a)darkskills.org.uk> wrote:
Pretty much. The last 3 lines set the policy to drop all packets,
which means that anything you haven't specifically allowed will be
silently ignored.
There are heaps of guides to creating a firewall
policy, my favourite
method at the moment is to use "ufw". It's in Debian as of squeeze.
but not in lenny, so I looked for an online guide and found
http://www.mista.nu/iptables/ amongst others, some seemed very
complicated but I can almost understand what 'mista' generated:
#!/bin/sh
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
Comment:
This appears to remove any existing rules, setup defaults which
match what I currently have, then create some new rules. # Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP
Comment:
I don't know what the 'TCP sessions' line means but it may well be a
good thing as is the loopback devices section.
As the comment says, all TCP sessions should begin with a SYN. This
rule enforces that. I'm not convinced it's necessary, but it should be
harmless.
# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
Comment:
I presume I can change --dport 22 to my chosen port as set
in /etc/ssh/sshd_config and change 0.0.0.0/0 to the IP address of this
system to further restrict ssh access.
0.0.0.0/0 means "every possible IP address". In the case of ssh you
could replace 0.0.0.0/0 with all the IP addresses you wish to ssh from
(-s means source address). Keep in mind that your home IP may be
dynamic and change and also try to remember other places you ssh from.
I personally don't bother restricting it at all, but I have password
authentication turned off, so dictionary attacks don't worry me much.
I guess I need to open up http access to everyone to
avoid blocking
access to the webpages I have available.
Correct.
I am not sure if I need the pop3 line. but I do use an
@startx.co.uk
email address on the server.
It depends if you're running a POP3 daemon on the server? Again, like
ssh you might want to restrict it to a set of known clients.
# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Comment:
I guess I need to allow outgoing packets
These rules only allow the server to make DNS queries and reply to
connections made to it. You might find that is a bit too restrictive,
as it won't for example, allow you to download package updates or talk
to the shared spamd. I have an ACCEPT policy on my OUTPUT rule.
Do these rules look OK and are they sufficient?
They're a good start!
Cheers,
G
15 Mar
15 Mar
1:31 p.m.
On 15 March 2010 12:52, john lewis <zen57162(a)zen.co.uk> wrote:
Installed Fail2Ban this morning and hope I have set it
up correctly.
My only 'complaint' so far is that I cannot do
'tail /varlog/fail2ban.log' without having to su first. I believe there
are ways round this but haven't followed this up as yet.
Er, sudo?
You can have a root password _and_ use sudo for tasks such as this.
Having sudo and a root password are not mutually exclusive setups.
Cheers,
Al.
1:59 p.m.
On Mon, 15 Mar 2010 13:31:23 +0000
Alan Pope <alan(a)popey.com> wrote:
On 15 March 2010 12:52, john lewis
<zen57162(a)zen.co.uk> wrote:
I haven't used sudo on any system I have installed (exclusively Debian
for the past 10 years) so it didn't spring to mind ;-)
--
John Lewis
Debian & the GeneWeb genealogical data server
Installed Fail2Ban this morning and hope I have
set it up correctly.
My only 'complaint' so far is that I cannot do
'tail /varlog/fail2ban.log' without having to su first. I believe
there are ways round this but haven't followed this up as yet.
Er, sudo?
You can have a root password _and_ use sudo for tasks such as this.
Having sudo and a root password are not mutually exclusive setups.
4 p.m.
** john lewis <zen57162(a)zen.co.uk> [2010-03-15 13:15]:
** end quote [john lewis]
Not wanting to state the obvious, but are you using the -p switch when
connecting? eg:
ssh -p 26 myhost.mydomain.com
if you've moved to port 26 by adjusting the port line in /etc/ssh/sshd_config:
Port 26
to make things more convenient you can create a file in ~/.ssh called config to
set default settings, so:
Host myhost
Hostname myhost.mydomain.com
Port 26
User john
IdentityFile ~/.ssh/id_rsa
would allow you to use:
ssh myhost
and automatically use the correct port to get to the server, as well as start
the login with the user john and appropriate key file.
Sorry if that's all obvious :)
--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
On Mon, 15 Mar 2010 11:37:35 +0000
Paul Tansom <paul(a)aptanet.com> wrote:
> ** Andy Smith <andy(a)bitfolk.com> [2010-03-14 16:22]:
> > This very long email is about possible pro-active measures I could
> > take to prevent customers being compromised by SSH dictionary
> > attacks. The first part is just a recap of how we got here and what
> > happens. If you want to make it shorter by skipping that, then skip
> > to line 59 which begins with "Being compromised by an SSH dictionary
> > attack..."
> <snip>
<snip>
> 6) Move
sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config as I
couldn't then ssh in when I tested it from another terminal getting an
'unable to open port 22' error.
10:21 p.m.
On Mon, 15 Mar 2010 16:00:16 +0000
Paul Tansom <paul(a)aptanet.com> wrote:
** end quote [john lewis]
Not wanting to state the obvious, but are you using the -p switch when
connecting? eg:
ssh -p 26 myhost.mydomain.com
now doing that
> 6) Move sshd to another port.
I thought to do that as well but found it wasn't just a matter of
changing the port from 22 to summat else in /etc/ssh/sshd_config as
I couldn't then ssh in when I tested it from another terminal
getting an 'unable to open port 22' error. if you've moved to port 26 by adjusting the port
line
in /etc/ssh/sshd_config:
Port 26
to make things more convenient you can create a file in ~/.ssh called
config to set default settings, so:
Host myhost
Hostname myhost.mydomain.com
Port 26
User john
IdentityFile ~/.ssh/id_rsa
would allow you to use:
ssh myhost
and automatically use the correct port to get to the server, as well
as start the login with the user john and appropriate key file.
Sorry if that's all obvious :)
not obvious to me so very welcome, thanks Paul
--
John Lewis
Debian & the GeneWeb genealogical data server
8:49 p.m.
On Mon, Mar 15, 2010 at 12:52:32PM +0000, john lewis wrote:
On Mon, 15 Mar 2010 11:37:35 +0000
Paul Tansom <paul(a)aptanet.com> wrote:
You must be in group adm to see (i.e. read) it.
Thanks,
Rodrigo
I'd go for Fail2Ban as default personally,
and it should be fairly
easy to promote this as a benefit to hosting for the less technical
customers. Those that are technical can easily disable it if
preferred - again with some good documentation :)
Installed Fail2Ban this morning and hope I have set it up correctly.
My only 'complaint' so far is that I cannot do
'tail /varlog/fail2ban.log' without having to su first. I believe there
are ways round this but haven't followed this up as yet. 
2:24 p.m.
On 03/14/2010 09:51 AM, Andy Smith wrote:
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
Lots of people have already said lots of smart things, so I'll keep it
short.
I REALLY appreciate the fact that Bitfolk gives me a VM with full
absolutely full access to and from the net. I do however see all the
potential problems. So, my view on "what to do"
* Monitor/ratelimit outgoing connections. Fine by me, as long as the
limits are high enough. Yes, I do need the occational outgoing nmap.
* Strong passwords. Default password should certainly be strong, I
wouldn't mind a default install of pam_cracklib to keep passwords strong
* Default ssh for root should be without-password or no. I use
without-password + keys for off-site backup and would be somewhat
annoyed if I had to jump through sudo-hoops as well.
* Fail2Ban/DenyHosts - I use fail2ban everywhere, and would probably be
happy with denyhosts as well. Would not mind default images to be set up
with either.
* A field for ssh-pubkey(s) in the signup-form would be nice.
* OpenID for web-based stuff would be NICE!
Please don'ts :
* Please don't move sshd to another port. It will stop a host from being
low-hanging fruit, but it'll only give a false sense of security untill
the bots get just a bit smarter.
* Please don't restrict valid usernames for ssh. But, documentation for
how-to-restrict it (AllowGroups/AllowUsers in sshd_config) would be nice.
No matter what gets or doesn't get implemented. Documentation is king. I
think I'd go with a wiki and tie the authentication to the customer-db
or something.
Ok, I lied. This wasn't short at all - however, I'm sure I'm entitled to
parttake in the "Reply-to:" poll now :-)
- Ole-Morten Duesund
16 Mar
16 Mar
12:41 a.m.
Andy Smith wrote:
Do you think there's any pro-active measures that
would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
2) Don't use passwords at all, only keys.
3) Disable root login.
4) Restrict the list of usernames that are valid, in combination
with (1) and (3).
5) Install DenyHosts or Fail2Ban.
6) Move sshd to another port.
More?
Well, I understand your problem. I only really like options 2, 3 and 5
(I like 1 but 2 is better)
Fundamentally if you really want to admin a server part of the deal is
about being a good neighbor. I understand you don't want to scare
customers away and education is really, really difficult.
Maybe there are some customers who don't really need admin access to a
box, or rather, do need admin access to do what they require but don't
have enough knowledge to do it safely.
I have been thinking about this for a while and see a couple of
alternatives in addition to promoting 1, 2, 3 and 5 above.
- Allow password or key based provisioning but have some form of
incremental tightening of security on boxes that have been compromised
as part of the TOS.
- Provide a financial incentive for the customer to request key-based
provisioning and points 1, 2, 3, and 5 above. Think of it like
insurance, your premiums are higher if you are more of a risk.
- Offer sysadmin services for customers who require fine control over a
machine but do not have the requisite knowledge to administer the machine.
n
NB: Yes, I had my machine provisioned via password but the first thing I
did was lock it down with 2 and 3 above.
17 Mar
17 Mar
11:17 a.m.
Hi,
Any thoughts?
Can this be done with policy rather than a technical solution?
There seems to be consensus that there needs to be documentation on the
Bitfolk website explaining why keys are recommended and that everyone
with an SSH server should be using them.
However, there is, justifiably, a lot of friction over whether passwords
represent a reasonable compromise in the light of being good for business.
Given that Bitfolk is clearly aimed at "technical" users and (IIRC), the
ssh daemon is not installed by default, at least on a fresh Debian
install, would it not be reasonable to provision a new machine with Xen
console access only?
This way several problems would be solved or reduced:
+ People might be more likely to be aware of their console passwords.
+ People who want SSH will have to install it.
I imagine that this will be a lot of people, but there is then some
reasonable recourse when Bitfolk Best Practices are ignored and the
customer falls foul of them.
+ People aren't *forced* to use keys but Bitfolk have more leverage
when or if trouble occurs.
+ The console hosts can be hardened wrt incoming SSH scans without
impacting customer activity.
+ A console server breach is still serious but can be more effectively
contained wrt guest shell access albeit not guest availability.
i.e. an intruder doesn't get a shell on the guest but they can
still shut it down.
+ This seems to be aligned with Andy's desire to not be involved with
guest operations.
+ It can be "sold" with the positive spin of a "control panel".
I'm not privy to any information regarding the security of the console
servers but it seems that a "high enough" level of security is being
maintained with the auto generated passwords that are issued during the
provisioning process.
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
4:03 p.m.
Hi Andy,
Thank you for this. Although I would consider myself an experience Linux
administrator, I often ignore some of the advice I dole out to other people.
This email (well, mainly the fact that if my VPS is compromised, I might not
get it reinstated) has urged me to look at the issues raised in respect to
my own VPS. I have always used keys, and always log on as root. I also
always left password auth available to root, in case I was ever at a PC
where I didn't have my keys available. I have now changed this so that root
only accepts keys, and primarily I log onto another user account (albeit my
first action is the "su -", but hey... one step at a time!). I have
installed fail2ban, which I'm slowly configuring for my own needs. I have
also instigated a full audit of everything I do on my VPS, to ensure that I
only run those processes/jobs as root if they need to be - I used to run
everything as root out of sheer laziness!
So, thank you for the prompt, and for the suggestions. As far as my own
input goes, please see below. Please note that I am a non-standard user with
Bitfolk, as I use CentOS, not Debian, so some of my suggestions may be
distro-specific (or at least, harder to implement on Debian).
1) Strong passwords can be generated at the shell using "mkpasswd", e.g.
"mkpasswd -l 12 -d 3 -c 3 -C 3 -s 3 -2" will create a 12-digit password,
with at least 3 numerical characters, 3 lowercase letters, 3 uppercase
letters and 3 special characters. The "-2" option causes the characters to
be chosen so that they alternate between the left and right hands, making
for easier (and quicker!) typing. You can also use mkpasswd set the password
immediately, which means it might be possible to script it into a web
interface (e.g. when provisioning VPSes or resetting passwords).
2) I can see this deterring customers quite quickly, although I don't
exactly know what an 'average' customer is - there seem to be people on this
list with a lot less knowledge than others. In general, anything that's
forced on you can cause angst - for example, if I had a 2-digit strong
password, I could argue that I'm at far lower risk that most people from SSH
hacking, and the benefit from forcing me to use keys is much smaller (albeit
it still there) that for others, and it might just put my back up.
3) Disabling root access over SSH wouldn't be too bad - there's console
access for those times when you *really* screw things up, and the rest of
the time you can just "su -" or "sudo". While I'm touching on that
- I
really don't like sudo being suggested as a protective mechanism in this
sense - it was originally designed to allow some administrative
functionality to be given to non-admins, without giving them full-blown root
access. These days, it's more of a protection from yourself (e.g. "Do I
really want to sudo rm -rf /* ?"). If a user account has been compromised,
then the hacker probably has the password, which means they can probably
"sudo /bin/bash" and now have root access. Not good. Of course, "su -"
is
only better if your user and root passwords are different (and strong)!
The problem with this idea is that it might lull you into a false sense of
security - a new user might log in and immediately re-enable the root
account login, without following any of the other security guidelines. I
think it's best to provide try and tighten security against 'defaults'
without using too many non-standard practices, otherwise you're back to
square one when those practices are reverted to standard!
5) A good idea, although I've never used them before. I'll see how it goes
on my box before I cast judgement. As an aside, I've been running some
firewall rules for quite a while which are meant to limit the number of
incoming SSH connections, as I used to see thousands of attempts per day
(but no breaches luckily!):
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent
--set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
6) I don't like this. I agree it removes you as "low hanging fruit", but
there are a lot of firewalls that block all outgoing ports <1024, apart from
common ones. This would be a PITA for that situation. It would be ever more
annoying as often you could use an SSH tunnel as a way of getting around
these types of firewalls (e.g. for un-proxied web traffic), but this action
would shoot yourself in the foot.
That's my $0.02! :-)
Paul
-----Original Message-----
From: users-bounces+bitfolk=pjlewis.org(a)lists.bitfolk.com
[mailto:users-bounces+bitfolk=pjlewis.org@lists.bitfolk.com] On Behalf Of
Andy Smith
Sent: 14 March 2010 08:51
To: users(a)lists.bitfolk.com
Subject: [bitfolk] The perils of opening tcp/22 to the Internet
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
Every so often I get an alert about the number of outbound SSH
connections being much higher than usual. e.g. 100,000 instead of 4.
I then investigate, and most of the time it's harmless -- someone
doing a pentest or some sort of remote monitoring.
But once every month or two, it's a customer's VPS which has been
compromised and turned into an SSH scanning bot. As it happens,
there's been two instances of this in the last month.
When BitFolk first started, this sort of thing happened about three
times before I decided I'd have to have monitoring of it so it
wouldn't go on for days on end.
When this happens and I catch it in the act, I have to turn off the
customer's network, because their VPS is actively attacking remote
sites, often at a rate of several hundred thousand SSH connections
per hour. Aside from the hosts they may compromise, there will be abuse
reports to deal with and possible damage to BitFolk's reputation,
not to mention very large bandwidth usage that the customer is
unlikely to want to pay for.
I can't just block tcp/22 outbound because at this point the VPS is
compromised and the priority (after stopping it) is understanding
how it happened. Leaving the network working allows attackers more
opportunity to clean up after themselves and/or do more damage.
So, if you're the unlucky customer then at this point your VPS has
no network, you've received an email (assuming your email is
accessible from outside your VPS) about what's happened and you're
going to have to log in to the console and/or rescue environment to
try to work out how it happened. The rescue environment has access to
your block devices and has unrestricted network access, but I'm not
going to be able to turn networking back on for your VPS itself.
If the customer can work out what happened, how it happened, and
convince me that root access was not obtained, then I can turn their
network back on. If they can't convince me that root access was not
obtained then there's generally no option but to re-image the VPS.
I'm really loathe to re-image a VPS that's been compromised where we
don't know how, though, because it will likely just happen again.
The customer has to work it out, and that's maybe something they're
not used to doing, and/or don't want to be doing, while their
service is down the whole time.
Unfortunately I can't do it for them or help in any great detail
because this is a time consuming task, and is the sysadmin's
responsibility i.e. the customer.
Being compromised by an SSH dictionary attack is far and away the
most common thing that I see, and reacting to it by monitoring the
rate of outbound SSH connections is no longer good enough. Reacting
to it and cleaning up after it is wasting too much time, and when
I have customers that have it happen to them repeatedly at some
point I have to say enough is enough and not turn their service
back on at all.
Do you think there's any pro-active measures that would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
2) Don't use passwords at all, only keys.
3) Disable root login.
4) Restrict the list of usernames that are valid, in combination
with (1) and (3).
5) Install DenyHosts or Fail2Ban.
6) Move sshd to another port.
More?
I can't do anything about (1), since the password the VPS comes with
is strong and it's presumably made weaker later on.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
(3) is already the case for Ubuntu of course, but not any of the
other distributions offered. I haven't kept track of how many
compromises have been of root and not some other user but disabling
root access by SSH and requiring some other username seems a
reasonable starting point, would at least limit the damage.
(4) sounds too confusing unless I stated in the setup email that SSH
has been locked down to only the one non-root user they had when set
up.
Doing (5) in the base images would be controversial but I think
actually very effective. Would it be an outrage for you to find
DenyHosts or Fail2Ban installed for you?
Moving the SSH port is probably the most effective of all, but I
think it would be really confusing and not accepted by people, to
find that their SSH was provisioned e.g on port 2022 to begin with.
Any thoughts?
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"It is I, Simon Quinlank. The chief conductor on the bus that is called
hobby." -- Simon Quinlank
18 Mar
18 Mar
12:35 a.m.
Andy said:
[lots of interest]
Much has been said so I'll be brief...
I found DenyHosts really easy to install and set up. The only problem
has been mistyping my password and being banned myself - using the
other VPS to reset it works, cough.
An idiots guide to setting up keys would be useful, but I will still
want to use (strong) passwords sometimes.
I would moan about moving the SSH port.
Ian
11:13 a.m.
On Thu, 18 Mar 2010 00:35:15 +0000
Ian <ian(a)lovingboth.com> wrote:
Andy said:
I found the same with DenyHosts. I also managed to have my IP banned,
but at least I had a SSH session open to be able to reverse things. The
problem was caused by DenyHosts running through the auth log and
finding my abortive attempts at connection a couple of days earlier.
Putting my IP in /etc/hosts.allow sorted that.
One of the things I like about DenyHosts is the sync feature to build
up a list of naughty users/hosts.
[lots of interest]
Much has been said so I'll be brief...
I found DenyHosts really easy to install and set up. The only problem
has been mistyping my password and being banned myself - using the
other VPS to reset it works, cough.
An idiots guide to setting up keys would be useful, but I will still
want to use (strong) passwords sometimes.
I would like to see an idiots guide as well, although googling might
provide such.
I would moan about moving the SSH port.
The use of non-standard ports is fine as long as you can remember what
the new ports are on all the machines you access. Remembering the
standard port is much easier - but also easier for the the slime
I have been using Linux for several years, but not outside my own home
network, so I am no expert on "outside" security. I purchased a VPS to
allow me to experiment with a real system. The first thing I did was
to check the logs, and that pointed me to a problem with ssh hacking.
A bit of googling threw up DenyHosts, and after a few hiccups it is
now working.
As I am not expert in the many configuration files necessary for a
running system I installed Webmin to give some help in setting
things up. Webmin seems to have split reviews - the Debian
community hate it and will flame anyone asking for advice for it,
but other distros seem more laid back.
Because my VPS is used as a training platform I do not access it
very often, so something providing a bit of protection in the
background is welcome.
I would have thought that a VPS could be provided in a locked-down
form - perhaps with a firewall running allowing very few services.
Then the senior admins can change things to their own way of
working, and those lesser beings have a platform which has some
basic security built in.
Regards
David
11:36 a.m.
On Thu, 18 Mar 2010 00:35:15 +0000
I would have thought that a VPS could be provided in a locked-down
form - perhaps with a firewall running allowing very few services.
Then the senior admins can change things to their own way of
working, and those lesser beings have a platform which has some
basic security built in.
One of the draws for me is the fact that the VPS is a minimal system that
I don't have to strip stuff out of.
I provisioned a very, very small system, and becasue of that I don't want
uneccessary cruft running on the box before I even begin.
Multiple images: fine.
Default images bloated by stuff I just never want installed: no.
Sorry if this sounds a bit terse I'm running around (virtually) like a
blue-arsed fly.
n
1:34 p.m.
Hello,
On Thu, Mar 18, 2010 at 11:36:30AM -0000, Nigel Rantor wrote:
I provisioned a very, very small system, and becasue
of that I don't want
uneccessary cruft running on the box before I even begin.
Multiple images: fine.
Default images bloated by stuff I just never want installed: no.
Does this mean that you'd have been annoyed if your VPS had come
with Fail2Ban installed already?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"Whoever is responsible for this stunning design failure deserves continuous
cockpunches." -- jwz
2:10 p.m.
Hello,
On Thu, Mar 18, 2010 at 11:36:30AM -0000, Nigel Rantor wrote:
Borderline. Although as I think I said in an earlier post I think the idea
of these systems is good, personally I've not gotten around to it yet.
The thing is, whatever you decide to install to perform function X on a
VPS some other sysadmin may want a different package to accomplish that,
and will end up removing or simply not using the things you installed "for
free".
I liken it to getting a "fresh" laptop or computer from a manufacturer
only to find they've decided what firewall, IM and other clients you'd
"like" to have on the system.
I value factory-fresh. Other people value other things.
I'll stop before I start rambling...
n
I provisioned a very, very small system, and
becasue of that I don't
want
uneccessary cruft running on the box before I even begin.
Multiple images: fine.
Default images bloated by stuff I just never want installed: no.
Does this mean that you'd have been annoyed if your VPS had come
with Fail2Ban installed already? 
7 Apr
7 Apr
8:38 a.m.
At the risk of reopening an old discussion, I've just finished off writing a
quick guide <http://www.robertgauld.co.uk/omwb/2010apr~vps-setup-guide>.
If anyone is so inclined as to have a look then please let me know if you
think I've missed something. Andy feel free to take, adjust and use or link
to it as you see fit.
--
Robert Gauld
http://www.robertgauld.co.uk
8 Apr
8 Apr
3:12 a.m.
New subject: Robert's VPS Setup Guide (Was: Re: The perils of opening tcp/22 to the Internet)
Hi Robert,
Thanks for writing this. My only nitpick is:
"Firewall"
It is worth mentioning that IPv6 firewalling is also required, or
IPv6 should be disabled. BitFolk VPSes (should) have IPv6 working
from their first boot, and some daemons will listen on it, e.g.
sshd.
I will try to cover that at some point if you don't get there first.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I'd be happy to buy all variations of sex to ensure I got what I wanted."
-- Gary Coates (talking about cabling)
8:47 a.m.
New subject: Robert's VPS Setup Guide (Was: Re: The perils of opening tcp/22 to the Internet)
On Thu, Apr 08, 2010 at 03:12:35AM +0000, Andy Smith wrote:
"Firewall"
Ah, another thing that comes to mind: it may also be worth noting
to allow ICMP ECHO at least from the monitoring hosts listed at:
http://bitfolk.com/customer_information.html#toc_3_Which_IP_addresses_will_…
I see you did mention how to allow ICMP ECHO, but some people don't
believe in that.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
7:18 a.m.
On Wed, 7 Apr 2010 09:38:41 +0100
Robert Gauld <robert(a)robertgauld.co.uk> wrote:
At the risk of reopening an old discussion, I've
just finished off
writing a quick guide
<http://www.robertgauld.co.uk/omwb/2010apr~vps-setup-guide>. If
anyone is so inclined as to have a look then please let me know if
you think I've missed something. Andy feel free to take, adjust and
use or link to it as you see fit.
It looks like it will be very useful to other people like me who muddle
through on sysadmin stuff.
Speaking personally I would replace 'apt-get update' with 'aptitude
update' (followed by 'aptitude safe-upgrade') and I don't like sudo and
prefer to 'su' each time
I'd like the firewalls section expanded a bit, to cover Andy's
comments re IPV6 and any other advisory bits and bobs.
I'd also like something included about using the spamd servers. My
first attempt to use the service ended up in causing Andy lots of grief
and I removed my settings and haven't attempted to use it since. I do
get a fair amount of spam via my startx account so it would be nice to
be able to prevent it getting downloade with 'real' mail
--
John Lewis
"Kingsclere Families" website uses the GeneWeb genealogy data server
7:25 a.m.
New subject: spamd servers (Was: Re: The perils of opening tcp/22 to the Internet)
Hi John,
On Thu, Apr 08, 2010 at 08:18:05AM +0100, john lewis wrote:
I'd also like something included about using the
spamd servers.
I'm going to sort out a customer wiki btw, to make this sort of
thing a bit easier..
My first attempt to use the service ended up in
causing Andy lots of grief
It wasn't that bad, it was just that your user of the wrong username
was causing lots of logged warnings. :)
and I removed my settings and haven't attempted to
use it since. I do
get a fair amount of spam via my startx account so it would be nice to
be able to prevent it getting downloade with 'real' mail
I have since altered the spamd settings so that all connections are
forced to one username anyway, so whether you work out how to do
that yourself or not no longer matters. Give it another go!
Cheers,
Andy
10:54 a.m.
Hi John,
On Thu, April 8, 2010 8:18 am, john lewis wrote:
I'd also like something included about using the
spamd servers. My
first attempt to use the service ended up in causing Andy lots of grief
and I removed my settings and haven't attempted to use it since. I do
get a fair amount of spam via my startx account so it would be nice to
be able to prevent it getting downloade with 'real' mail
I was planning on producing something of a 'HowTo' guide for using the
spamd servers, with a particular emphasis on integration with Postfix as I
see from the archives that the question has arisen a number of times.
Perhaps someone might be able to add the Exim approach if it is not
already covered elsewhere.
I had intended to also cover post-delivery filtering using Procmail i.e.
moving tagged spam to a usere's dedicated Spam folder, deleting outright
anything that is so clearly spam it is not worth thinking about, etc.
I may try and push a draft out this weekend to see what the panel thinks.
Robert would be welcome to add it to his guide if deemed appropriate and
he/someone doesn't beat me to it.
Mathew
11:09 a.m.
Hi,
I was planning on producing something of a
'HowTo' guide for using the
spamd servers, with a particular emphasis on integration with Postfix as I
see from the archives that the question has arisen a number of times.
Perhaps someone might be able to add the Exim approach if it is not
already covered elsewhere.
I have it working with Exim and am happy to share the details with
anyone who wants them.
Regards,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
16 Apr
16 Apr
7:36 p.m.
On Sun, 14 Mar 2010 08:51:12 +0000
Andy Smith <andy(a)bitfolk.com> wrote:
Hello,
This very long email is about possible pro-active measures I could
take to prevent customers being compromised by SSH dictionary
attacks. The first part is just a recap of how we got here and what
happens. If you want to make it shorter by skipping that, then skip
to line 59 which begins with "Being compromised by an SSH dictionary
attack..."
Every so often I get an alert about the number of outbound SSH
connections being much higher than usual. e.g. 100,000 instead of 4.
I then investigate, and most of the time it's harmless -- someone
doing a pentest or some sort of remote monitoring.
But once every month or two, it's a customer's VPS which has been
compromised and turned into an SSH scanning bot. As it happens,
there's been two instances of this in the last month.
When BitFolk first started, this sort of thing happened about three
times before I decided I'd have to have monitoring of it so it
wouldn't go on for days on end.
When this happens and I catch it in the act, I have to turn off the
customer's network, because their VPS is actively attacking remote
sites, often at a rate of several hundred thousand SSH connections
per hour. Aside from the hosts they may compromise, there will be
abuse reports to deal with and possible damage to BitFolk's
reputation, not to mention very large bandwidth usage that the
customer is unlikely to want to pay for.
I can't just block tcp/22 outbound because at this point the VPS is
compromised and the priority (after stopping it) is understanding
how it happened. Leaving the network working allows attackers more
opportunity to clean up after themselves and/or do more damage.
So, if you're the unlucky customer then at this point your VPS has
no network, you've received an email (assuming your email is
accessible from outside your VPS) about what's happened and you're
going to have to log in to the console and/or rescue environment to
try to work out how it happened. The rescue environment has access to
your block devices and has unrestricted network access, but I'm not
going to be able to turn networking back on for your VPS itself.
If the customer can work out what happened, how it happened, and
convince me that root access was not obtained, then I can turn their
network back on. If they can't convince me that root access was not
obtained then there's generally no option but to re-image the VPS.
I'm really loathe to re-image a VPS that's been compromised where we
don't know how, though, because it will likely just happen again.
The customer has to work it out, and that's maybe something they're
not used to doing, and/or don't want to be doing, while their
service is down the whole time.
Unfortunately I can't do it for them or help in any great detail
because this is a time consuming task, and is the sysadmin's
responsibility i.e. the customer.
Being compromised by an SSH dictionary attack is far and away the
most common thing that I see, and reacting to it by monitoring the
rate of outbound SSH connections is no longer good enough. Reacting
to it and cleaning up after it is wasting too much time, and when
I have customers that have it happen to them repeatedly at some
point I have to say enough is enough and not turn their service
back on at all.
Do you think there's any pro-active measures that would be
acceptable to VPS customers? Typical ways to foil SSH dictionary
attacks:
1) Only use strong passwords.
2) Don't use passwords at all, only keys.
3) Disable root login.
4) Restrict the list of usernames that are valid, in combination
with (1) and (3).
5) Install DenyHosts or Fail2Ban.
6) Move sshd to another port.
More?
I can't do anything about (1), since the password the VPS comes with
is strong and it's presumably made weaker later on.
A lot of people have trouble setting up SSH keys and I would guess
that very few customers have them before they get a VPS, so setting
it up out of the box to require keys would be rather limiting. So
that's (2) out.
(3) is already the case for Ubuntu of course, but not any of the
other distributions offered. I haven't kept track of how many
compromises have been of root and not some other user but disabling
root access by SSH and requiring some other username seems a
reasonable starting point, would at least limit the damage.
(4) sounds too confusing unless I stated in the setup email that SSH
has been locked down to only the one non-root user they had when set
up.
Doing (5) in the base images would be controversial but I think
actually very effective. Would it be an outrage for you to find
DenyHosts or Fail2Ban installed for you?
Moving the SSH port is probably the most effective of all, but I
think it would be really confusing and not accepted by people, to
find that their SSH was provisioned e.g on port 2022 to begin with.
Any thoughts?
A horribly long thread, so don't know whether anything similar to this
has been mentioned yet.
I actually wrote an article not too long back for Linux Format,
regarding basic security for a server... As this is available online
now, it might be a useful resource.
http://www.linuxformat.co.uk/includes/download.php?PDF=LXF121.tut_adv.pdf
5117
days inactive
5150
days old
51 comments
31 participants
participants (31)
-
Alan Pope -
Alastair Sherringham -
Ander Punnar -
Andy Bennett -
Andy Smith -
bitfolk@pjlewis.org -
Casper Gasper -
Darren Davison -
David Anderson -
Dee Earley -
Dominic -
Duane at e164 dot org -
Ed -
Graham Bleach -
Hugo Mills -
Ian -
Ian Hobson -
James Gregory -
john lewis -
john lewis -
Joseph Heenan -
Kai Hendry -
Kalan -
Martin Meredith -
Mathew J. Newton -
Nigel Rantor -
Ole-Morten Duesund -
Paul Tansom -
Robert Gauld -
Rodrigo Campos -
Tomalak Geret'kal