Koozali.org: home of the SME Server

Security concerns

ngodfrey

Security concerns
« on: January 22, 2006, 02:22:29 AM »
Hi,

I run an SME Server (7.0) in server only mode in a private IP address network firewalled off from the internet with a commodity firewall box from a well known vendor.

The firewall has ports forwarded to Server allowing me to SSH in from outside, and also allowing access to our SSL-Explorer firewall.

Looking in my logs it appears that I have a large number of failed ssh logins under spurious user names.  As a temporary measure I've stopped the firewall from forwarding connections on that port.

More worrying is that my SSL VPN also has failed logins, but the user names here are based on my business name, my initials and name, and generally sensible guesses as to account names on the system.

My passwords are all strong and secure.

What are the sensible courses of action I should take?  What is the risk of someone cracking a secure password?  Is there anything built in to the distro to help me?  Can I monitor the logs automatically for failed logins and receive a warning email?  Or is that the wrong way to go?

Thanks for your thoughts...


Nigel.
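
One way to do the automatic failed-login monitoring asked about above, as an added example that is not from the original thread and not part of SME Server. It reads syslog-style sshd lines on stdin (the path /var/log/secure mentioned in the comments is an assumption for Red Hat-derived systems; check where your sshd actually logs), counts failures per source address, and produces a plain-text report that a cron job can pipe to mail(1). The log lines embedded in the script are constructed for the demo, not real traffic.

```shell
#!/bin/sh
# Failed-SSH-login report for a syslog-style sshd log.
# Added example for this thread; not part of SME Server.  It assumes the
# usual OpenSSH syslog wording and reads log lines on stdin, so point it
# at wherever your sshd logs (/var/log/secure on Red Hat-derived systems
# is an assumption; check your own machine).

# Print "<count> <ip>" for every source address with a failed password
# or unknown-user attempt, most active first.  Both the older "illegal
# user" and the newer "invalid user" wordings are matched.
failed_ssh_by_ip() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Illegal user|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Addresses with at least $1 (default 3) failures, one per line.
ssh_offenders() {
    failed_ssh_by_ip | awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Plain-text report suitable for mailing from cron.
failed_ssh_report() {
    min=${1:-3}
    data=$(cat)             # slurp stdin so it can be scanned twice
    echo "Source addresses with $min or more failed SSH logins:"
    printf '%s\n' "$data" | ssh_offenders "$min"
    echo
    echo "All failing addresses (count ip):"
    printf '%s\n' "$data" | failed_ssh_by_ip
}

# Constructed sample lines in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG='Jan 21 23:58:01 sme sshd[4123]: Failed password for illegal user admin from 198.51.100.23 port 40112 ssh2
Jan 21 23:58:04 sme sshd[4125]: Failed password for illegal user test from 198.51.100.23 port 40115 ssh2
Jan 21 23:58:07 sme sshd[4127]: Failed password for root from 198.51.100.23 port 40120 ssh2
Jan 21 23:58:09 sme sshd[4129]: Illegal user oracle from 198.51.100.23
Jan 22 00:01:12 sme sshd[4150]: Failed password for nigel from 203.0.113.5 port 51000 ssh2
Jan 22 00:01:20 sme sshd[4152]: Accepted password for nigel from 203.0.113.5 port 51001 ssh2'

# Stand-alone demo on the sample.  In production a daily cron entry such as
#   failed_ssh_report 3 < /var/log/secure | mail -s "SSH failures" admin
# (path and address assumed) replaces this line.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_report 3
```

The threshold matters more than it looks: a single typo from a legitimate user produces one failure, while a scanner produces dozens against many user names from one address, so reporting per source address rather than per user name separates the two cleanly. The "Accepted password" line is deliberately in the sample to show it is not counted.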

dcniki

Security concerns
« Reply #1 on: January 24, 2006, 09:06:42 PM »
As long as you are using a "good" password strategy and it's being enforced on all your users, you should be OK. Passwords over 8 char. with a good combination of letters, numbers and caps are pretty tough to crack.

If your password is Pa55word1 I wouldn't expect it to last too long. But as long as your password isn't some other common phrase you should be OK.

My password is 10 char., a combination of letters, numbers and caps that comes from a complete phrase that means nothing to anyone except me.

Someone else is going to have to chime in on sending emails for certain events, although searching may provide some luck because the topic seems familiar.

Good luck

P.S. My server is being hit all day long by hacking attempts; it's pretty normal nowadays.

gizzmo2k1
Security concerns
« Reply #2 on: January 24, 2006, 10:55:13 PM »
One thing I have done, in the case of SSH, is to change the port number.  I have several servers that I monitor remotely (6.5RC1 mostly) with SSH and ran into this exact thing.
............Gizzmo...............
SME 7.2 / P4 2.6Ghz / 320GB SATA / 2GB RAM

ngodfrey

Security concerns
« Reply #3 on: January 25, 2006, 02:40:33 AM »
Thanks for your comments.  The SME7 strong password policy comes into its own...! :-)

I'm thinking that if I configure my hosts.allow and hosts.deny config files correctly I should be able to log in to SSH from only my local net and my home IP address, which would be a good start.

Any other ideas?  Thanks for your thoughts so far.


Nigel.
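
The TCP wrappers configuration described above, written out as an added example (not from the original thread and not an SME Server template). The addresses are placeholders: 192.168.1.0/255.255.255.0 stands for the local net and 203.0.113.5 for the home IP. hosts.allow is consulted before hosts.deny and the first match wins, so the safe pattern is to deny everything for sshd and then list the allowed sources:

```text
# /etc/hosts.deny
sshd: ALL

# /etc/hosts.allow
sshd: 192.168.1.0/255.255.255.0, 203.0.113.5
```

Two checks before relying on this: `tcpdmatch sshd 203.0.113.5` (and again with an address that should be refused) shows what the wrappers library will decide without waiting for a real connection, and the change should be tested from a second session before closing the one you are logged in from. Also note that SME Server generates many of its /etc files from templates, so if /etc/hosts.allow is templated on your version the edit belongs in a custom template fragment rather than the file itself, or it will be overwritten on the next template expansion.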

p-jones
Security concerns
« Reply #4 on: January 25, 2006, 12:39:00 PM »
Sounds like you are being hit by brute-force SSH attacks - UGLY.

I have overcome this by creating a PPTP tunnel first, then logging in locally. This way port 22 is not open to the world. The upside is that I am not confined to any particular IP; the downside is that I cannot walk into any Internet cafe and just connect (because it is the wrong IP or the PPTP connection is not set up already). It also requires that whatever device is on the border supports PPTP pass-through.

OpenVPN is good if the device doesn't support PPTP pass-through, as the OpenVPN port can be forwarded. Once again, I don't expect to walk into a cafe anywhere and find an OpenVPN client sitting there waiting for me!!

Changing the SSH port to something like 222 or 2222 is probably the best option, but that can have its own set of issues if the client is behind a firewall.

I have also seen in the forums some smart iptables rules which will block all traffic from a specified IP for a specified time, say 24 hrs, after x failed logins within y seconds. (Search these forums for Snort-Guardian.)

There are options; they all have their pros and cons. What works for one person may not for another. The challenge is finding the one that works for YOU! Of course, if you are confident your passwords are strong enough, you can just let them keep knocking on the door.

Rgds
Peter
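
The iptables approach mentioned above (block a source after x attempts within y seconds), as an added example that is not from the original thread and is not SME Server's own firewall code. It uses the iptables "recent" match, which does the counting in the kernel without a log watcher. The addresses, port and thresholds are placeholders, and SME Server generates its iptables rules from templates, so rules added by hand are liable to be overwritten unless they go into a custom template fragment.

```shell
#!/bin/sh
# Throttle SSH brute forcing with the iptables "recent" match: a source
# that opens HITCOUNT or more new connections to the SSH port within
# WINDOW seconds is dropped until it has been quiet for WINDOW seconds.
# Added example for this thread, not SME Server's firewall code (SME
# generates its iptables rules from templates; hand-added rules need a
# custom template fragment or they get overwritten).  Addresses, port
# and thresholds below are placeholders.

# Emit the rules for port $1, $2 hits in $3 seconds; remaining arguments
# are trusted sources that bypass the limiter.
ssh_ratelimit_rules() {
    port=$1; hits=$2; secs=$3; shift 3
    # Trusted networks go first: locking yourself out after a few typos is
    # the classic failure mode of these rules.
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    # Record every new connection under the list name "sshprobe", then drop
    # if the same source has appeared $hits times in the last $secs seconds.
    # --update also refreshes the timestamp, so a client that keeps hammering
    # stays blocked and is released only after $secs quiet seconds.
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name sshprobe --set"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --name sshprobe --update --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
}

# Dry run prints the rules; APPLY=1 executes them (needs root).
rules=$(ssh_ratelimit_rules "${SSH_PORT:-22}" "${HITCOUNT:-4}" "${WINDOW:-60}" \
        192.168.1.0/24 203.0.113.5)
if [ "${APPLY:-0}" = 1 ]; then
    echo "$rules" | sh -e
else
    echo "$rules"
fi
```

Because the `--set` rule runs before the `--update` rule, the current connection is included in the count, so with HITCOUNT=4 the fourth new connection inside the window is the first one dropped. An attacker who never reaches the limit is unaffected, which is why this complements rather than replaces strong passwords or the allow-list approach; the current state of the list can be inspected in /proc/net/ipt_recent/sshprobe on kernels of that era (path is version dependent).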
...