Koozali.org: home of the SME Server

Recent SSH "Attack" - and a solution!

allun
« on: August 13, 2004, 12:35:57 AM »
Well, this recent proliferation of hits on SSH servers seems to be nothing more than a brute force attack, trying default user/pass combinations (e.g. test/test, guest/guest), so it's not as much of a worry to me as it originally was when I first noticed it. (See http://forums.contribs.org/index.php?topic=23567.0)

BUT I would still feel a lot better about running SSH or any other remote admin tool like VNC or whatever behind a port knocking implementation.

Port knocking (http://forums.contribs.org/index.php?topic=21909.0)

Is a way of having SSH or VNC or whatever service you want running on a closed port.  You need a small piece of client software that opens the port by "knocking" on a series of UDP ports, thus allowing you to log in to the server.  Of course, if someone is scanning for SSH servers in order to try various exploits against them, they won't knock correctly and the SSH port will show up as closed.

Now on to the bit where I ask nicely for help :-)  I don't have the means or knowledge to compile an implementation suited to SME, cos I don't know much about iptables and especially whether I would break any of the SME templating system and db stuff, much less build an RPM to make installing portknocking easy for others!  So, can anyone help? I have played around with sig2knockd (http://www.security.org.sg/code/portknock1.html) and managed to get it accepting knocks and seeming to work - I think the problem there is to do with the firewall rules, i.e. they aren't being modified correctly.
I have also looked at knock (http://www.zeroflux.org/knock/) but can't install it on my SME server at all!

There are also some perl implementations (www.portknocking.org) which might be better suited to SME...

I think this would be a useful contrib to develop, as it means we can run any services we want and be able to get to them from the internet without leaving our servers open to attack!

I can offer time and testing across a few servers, and documentation skills.... I lack the iptables and SME specific skills (i.e. understanding the full implications of messing with the way SME does templating and remote access things).
...
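As an added example (not code from this thread, sig2knockd, knock or any SME contrib), here is a small Python model of the server-side logic the post describes: a source must hit a secret sequence of UDP ports, in order and within a time window, before the otherwise closed SSH port is opened for it. The knock ports, window and addresses are constructed; packet capture and the iptables rule that actually opens port 22 are left out.

```python
"""Port-knock sequence tracker: decides *whether* a source has completed the
knock sequence. Hooking it to real packets and to iptables is out of scope."""
from dataclasses import dataclass, field

# Hypothetical knock sequence; a real deployment picks its own secret ports.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0  # seconds allowed to complete the whole sequence


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    # per-source progress: (knocks matched so far, time the first knock arrived)
    _progress: dict = field(default_factory=dict)
    # sources that completed the sequence and may now reach the SSH port
    opened: set = field(default_factory=set)

    def knock(self, src_ip: str, port: int, now: float) -> bool:
        """Feed one inbound UDP packet (source, destination port, arrival time).
        Returns True only when this packet completes the sequence for src_ip."""
        step, started = self._progress.get(src_ip, (0, now))
        # Too slow: throw away partial progress and start again from this packet.
        if now - started > self.window:
            step, started = 0, now
        if port == self.sequence[step]:
            step += 1
        else:
            # Any out-of-order port resets the sequence. A scanner sweeping
            # ports in ascending order keeps tripping this and never gets in,
            # so the SSH port stays closed to it, as the post describes.
            step = 1 if port == self.sequence[0] else 0
            started = now
        if step == len(self.sequence):
            self._progress.pop(src_ip, None)
            self.opened.add(src_ip)
            return True
        self._progress[src_ip] = (step, started)
        return False
```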