Plugins that are wanted - Part 4

pr_bond · 7. Februar 2015

Zitat von tekkb

I thought fail2ban was abandoned due to feature Volker added for to many login failures. Also, if you have your lan via OpenVPN why you do you need fail2ban??? Why open up router to your http or https of OMV?

Hum I think Volker's feature (PAM configuration - "Improve 'openmediavault' PAM configuration. Block users for 180sec after 3 failed login attempts." )
don't works fully. I can see in my auth.log :

Code

Feb  1 07:35:26 prbond sshd[21904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:35:28 prbond sshd[21904]: Failed password for root from 103.41.124.58 port 59700 ssh2
Feb  1 07:35:30 prbond sshd[21904]: Failed password for root from 103.41.124.58 port 59700 ssh2
Feb  1 07:35:33 prbond sshd[21904]: Failed password for root from 103.41.124.58 port 59700 ssh2
Feb  1 07:35:33 prbond sshd[21904]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:35:33 prbond sshd[21904]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:35:41 prbond sshd[22036]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:35:43 prbond sshd[22036]: Failed password for root from 103.41.124.58 port 38129 ssh2
Feb  1 07:35:46 prbond sshd[22036]: Failed password for root from 103.41.124.58 port 38129 ssh2
Feb  1 07:35:48 prbond sshd[22036]: Failed password for root from 103.41.124.58 port 38129 ssh2
Feb  1 07:35:49 prbond sshd[22036]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:35:49 prbond sshd[22036]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:35:56 prbond sshd[22039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:35:58 prbond sshd[22039]: Failed password for root from 103.41.124.58 port 46178 ssh2
Feb  1 07:36:01 prbond sshd[22039]: Failed password for root from 103.41.124.58 port 46178 ssh2
Feb  1 07:36:03 prbond sshd[22039]: Failed password for root from 103.41.124.58 port 46178 ssh2
Feb  1 07:36:03 prbond sshd[22039]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:36:03 prbond sshd[22039]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:11 prbond sshd[22043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:13 prbond sshd[22043]: Failed password for root from 103.41.124.58 port 53011 ssh2
Feb  1 07:36:16 prbond sshd[22043]: Failed password for root from 103.41.124.58 port 53011 ssh2
Feb  1 07:36:18 prbond sshd[22043]: Failed password for root from 103.41.124.58 port 53011 ssh2
Feb  1 07:36:19 prbond sshd[22043]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:36:19 prbond sshd[22043]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:26 prbond sshd[22052]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:28 prbond sshd[22052]: Failed password for root from 103.41.124.58 port 33982 ssh2
Feb  1 07:36:30 prbond sshd[22052]: Failed password for root from 103.41.124.58 port 33982 ssh2
Feb  1 07:36:33 prbond sshd[22052]: Failed password for root from 103.41.124.58 port 33982 ssh2
Feb  1 07:36:33 prbond sshd[22052]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:36:33 prbond sshd[22052]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:41 prbond sshd[22056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:36:43 prbond sshd[22056]: Failed password for root from 103.41.124.58 port 41228 ssh2
Feb  1 07:36:46 prbond sshd[22056]: Failed password for root from 103.41.124.58 port 41228 ssh2
Feb  1 07:36:48 prbond sshd[22056]: Failed password for root from 103.41.124.58 port 41228 ssh2
Feb  1 07:36:49 prbond sshd[22056]: Received disconnect from 103.41.124.58: 11:  [preauth]
Feb  1 07:36:49 prbond sshd[22056]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.58  user=root
Feb  1 07:38:02 prbond sshd[22079]: Received disconnect from 115.239.228.15: 11:  [preauth]
Feb  1 07:39:01 prbond CRON[22096]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:39:01 prbond CRON[22096]: pam_unix(cron:session): session closed for user root
Feb  1 07:45:01 prbond CRON[22183]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:45:03 prbond CRON[22183]: pam_unix(cron:session): session closed for user root
Feb  1 07:57:37 prbond sshd[22611]: Received disconnect from 115.239.228.12: 11:  [preauth]
Feb  1 08:00:01 prbond CRON[22642]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:00:03 prbond CRON[22642]: pam_unix(cron:session): session closed for user root
Feb  1 08:05:23 prbond sshd[22790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3  user=root
Feb  1 08:05:25 prbond sshd[22790]: Failed password for root from 183.136.216.3 port 40469 ssh2
Feb  1 08:05:27 prbond sshd[22790]: Failed password for root from 183.136.216.3 port 40469 ssh2
Feb  1 08:05:29 prbond sshd[22790]: Failed password for root from 183.136.216.3 port 40469 ssh2
Feb  1 08:05:30 prbond sshd[22790]: Received disconnect from 183.136.216.3: 11:  [preauth]
Feb  1 08:05:30 prbond sshd[22790]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.3  user=root

Alles anzeigen

I don't use OpenVpn and my port 22 for ssh is open, i need fail2ban !!!!
I would use official OMV plugin fail2ban instead fail2ban with "apt-get install"

That's why i would help for dev OMV plugin fail2ban !

subzero79 · 7. Februar 2015

You don't need to scream (using!). Why don't you secure your access with a rsa key.

tekkb · 8. Februar 2015

Yeah, for SSH I would use a key if I opened it to the net but I don't. But if he wants https open to net I see why he wants fail2ban.

pr_bond · 9. Februar 2015

Zitat

subzero79

Sorry for "!", i don't scream.

Zitat

subzero79

and

Zitat

tekkb

Rsa key for ssh is a good idea but does not prevent ssh remote ssh login.

I need fail2ban.

I work a bit on https://github.com/OpenMediaVa…s/openmediavault-fail2ban.
I would like to know how share my contribution ? a pull request ?

tekkb · 9. Februar 2015

This may not apply to you but I recommend it for most people:

Don't open port 22 to internet.
Use OpenVPN AS to make a VPN connection to your LAN.
Once the VPN is connected you can make SSH connection through the VPN.
Then you don't need fail2ban.

subzero79 · 9. Februar 2015

Zitat von pr_bond

but does not prevent ssh remote ssh login.

It only allows login to the person in possession of the private key. Anyway how can you open port 22 to WAN?, use another one, you have like 64 thousand to use. Otherwise you're likely being targeted by bots all the time.

BTW pam tally was used only for the web interface not ssh

HK-47 · 9. Februar 2015

Zitat von subzero79

It only allows login to the person in possession of the private key. Anyway how can you open port 22 to WAN?, use another one, you have like 64 thousand to use. Otherwise you're likely being targeted by bots all the time.

BTW pam tally was used only for the web interface not ssh

Changing the port just makes you think that you're more secure but it is just security through obscurity. This could be worth reading: https://www.adayinthelifeof.nl…port-than-22-is-bad-idea/

tekkb · 9. Februar 2015

It is funny. That ip address trying to connect to his machine is from China too. China is hacking the shit out of everybody.

subzero79 · 9. Februar 2015

That assumes someone is already in control of your machine launching ssh daemons different than 22. This measure is just for avoiding floods of login attempts, and you don't have to change it directly is just a NAT FWD in the router. The pka is a good defense, other than that the port knocking is a very good simple idea, and easy to implement with iptables

HK-47 · 9. Februar 2015

Zitat von subzero79

That assumes someone is already in control of your machine launching ssh daemons different than 22. This measure is just for avoiding floods of login attempts, and you don't have to change it directly is just a NAT FWD in the router. The pka is a good defense, other than that the port knocking is a very good simple idea, and easy to implement with iptables

It still doesn't help changing the port. They just have to find the port and it's not hard. Try running this command: nmap -sV <ip> or this nmap -p- -sV <ip>.

ryecoaaron · 9. Februar 2015

It must help a little. I used to run on port 22 (still port 22 on server but router forwards from a different port) and I got thousands of attempts per month at the school I do work for. Now, it is on different port and I have had none in five years.

subzero79 · 9. Februar 2015

Another measure is disable root login, just use a standard user with a limited shell and PKA, but once there use su to become root.

That cuts the login attempts from root, which is probably the most used in this cases

ryecoaaron · 9. Februar 2015

My system has root login over ssh disabled

subzero79 · 9. Februar 2015

More fancy, but paid

Externer Inhalt vimeo.com

Inhalte von externen Seiten werden ohne Ihre Zustimmung nicht automatisch geladen und angezeigt.

Durch die Aktivierung der externen Inhalte erklären Sie sich damit einverstanden, dass personenbezogene Daten an Drittplattformen übermittelt werden. Mehr Informationen dazu haben wir in unserer Datenschutzerklärung zur Verfügung gestellt.

Sergio · 9. Februar 2015

Also I don't think that OpenVPN is an absolute improvement. I mean both use two stage authentication with RSA key handshaking. OpenVPN main port may be slightly more secure, as for isn't as common as SSH, but the risk is greater. Someone that grants your VPN access directly gains access to your entire network.
And also there is the OpenVPN web interface open for anyone to discover and play with.

Opening ports it's always the same whatever you do. Except if you start MAC filtering (IPs can be easily substituted)

davidh2k · 11. Februar 2015

Zitat von pr_bond

Rsa key for ssh is a good idea but does not prevent ssh remote ssh login.

It does, if you tell it to. See:

Code

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

And bam, no more login via SSH without PKA. The Private part of the SSH Key never leaves your PC!!! You never ever generate a SSH Key pair on the target server you want to access!

Zitat von Sergio

I mean both use two stage authentication with RSA key handshaking.

The Passphrase for the Private Key never leaves the authenticating PC. So unless the PC that authenticates is vulnerable big time SSH with PKA is a very decent security mechanism. You may also add a Port know like mentioned in hk-47's linked article.

Greetings
David

Sergio · 11. Februar 2015

Zitat von davidh2k

The Passphrase for the Private Key never leaves the authenticating PC. So unless the PC that authenticates is vulnerable big time SSH with PKA is a very decent security mechanism. You may also add a Port know like mentioned in hk-47's linked article.

That's interesting.
So there are only two ways of doing this:
The server receives the key and validates himself, paired with some channel checksum validation so the server can authenticate the source of the key and that there's no man-in-the-middle.
Or the client validates himself and sends OK to the server that acknowledges. If there's and intrusion in progress, you may expect the ssh client not being reliable. So I find second option more vulnerable.
In any case, the private key is not travelling. Only the public key and the certificate is stored on the server.
Anyway RSA certificates are only for handshaking, to establish the security of the channel where the credentials may travel after.

davidh2k · 11. Februar 2015

Zitat

The server on receiving the public key
authentication request, will first generate a random 256 bit string as a
challenge for the client, and encrypt it with the client public key,
which is inside the authorized_keys file.

The client on receiving the challenge, will decrypt it with the private key(id_rsa).
The client will not send the challenge string as it is. But will
combine that string with the session key(which was previously negotiated
and is being used for symmetric encryption.) And
will generate a md5 hash value. This hash value is send to the server.
The server on receiving the hash, will regenerate it(because the server
also has both the random string as well as the session key), and if it
matches the hash send by the client, the client authentication succeeds.

Alles anzeigen

Source: http://www.slashroot.in/secure-shell-how-does-ssh-work

Greetings
David

iddqd · 12. Februar 2015

Sonarr would be nice as an alternative to SickBeard. Way nicer interface and it gets updated more quickly.

subzero79 · 12. Februar 2015

Zitat von iddqd

Sonarr would be nice as an alternative to SickBeard. Way nicer interface and it gets updated more quickly.

is already available. Like from 3 months ago, i use it

Jetzt mitmachen!