Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: edform on January 19, 2006, 02:36:28 PM
-
While inspecting the logs on a client machine yesterday I stumbled on a rather crude manual attack actually in progress. The slow repeat rate made it clear that this was a manual attempt to gain entry - the villain was trying to gain access via SSH, which I have opened up through the router to allow me to rsync this server and the server in the same client's other building. The attack failed, and because the attack was manual, it was pretty clear that the source address was the attacker's home PC, so I forwarded the attack log lines to the Italian ISP involved - hopefully that will get some action.
What is obvious, however, is that a good password blitz and a few lucky guesses at usernames might have got the person into the system.
My question is - can I limit the allowed incoming IP addresses, and how do I go about it?
Ed Form
-
If the remote server is using a static IP it should be fairly simple. In /etc/hosts.allow SME already created a rule for ssh (sshd). You can add the IP address of the remote server. Then in hosts.deny you can create a rule for sshd with an entry of ALL.
-
If the remote server is using a static IP it should be fairly simple. In /etc/hosts.allow SME already created a rule for ssh (sshd). You can add the IP address of the remote server. Then in hosts.deny you can create a rule for sshd with an entry of ALL.
Thanks for the comment; it allowed me to see what I have to do, although it didn't actually supply the solution.
As no doubt you know, /etc/hosts.allow is a template generated file in SME and the template that generates the file actually refers to one of the Server Manager database entries; the code is...
{
$DB->hosts_allow_spec('sshd');
}
What I'm not sure about now is what will happen if I add a custom template with a list of allowed IP addresses - will it overwrite the entry produced by the server manager, or will it gracefully add extra entries? If it's the latter, I simply need to switch off all access in the server manager and then expand the template.
What do you think?
Ed Form
-
Ed,
The correct way to do it is
You need to ensure e-smith-packetfilter-1.15.0-03 or above is installed
/sbin/e-smith/db configuration setprop sshd AllowHosts xxx.xxx.xxx.xxx
/sbin/e-smith/signal-event remoteaccess-update
You can add multiple IPs, just comma-separate the IP addresses.
Jon
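As an added illustration (not SME Server's own template code, and not from any poster above), the script below models what the comma-separated sshd AllowHosts value from Jon's post and the hosts.allow / hosts.deny pair from the earlier reply amount to: it renders the two TCP wrappers lines, decides which source addresses they would admit using the documented hosts.allow matching rules (an exact address, or a trailing-dot network prefix), and counts failed SSH logins per source from a few constructed log lines like the ones Ed was reading. The addresses are constructed documentation-range values, the log lines are constructed, and the real SME template may format its output differently; the db and signal-event commands from Jon's post are not run here.

```shell
#!/bin/sh
# Added example, not SME Server code. Models how a comma-separated
# sshd AllowHosts value (set with "db configuration setprop sshd
# AllowHosts ...") behaves once rendered as TCP wrappers rules.

# Hypothetical AllowHosts value (constructed, documentation-range
# addresses). A trailing dot is hosts.allow syntax for a network prefix.
ALLOW_HOSTS="203.0.113.10,198.51.100."

# Render the lines a hosts.allow / hosts.deny pair would contain.
render_hosts_allow() {
    printf 'sshd: %s\n' "$(printf '%s' "$1" | sed 's/,/, /g')"
}
render_hosts_deny() {
    printf 'sshd: ALL\n'
}

# Does one pattern (exact IP, or trailing-dot prefix) match a client IP?
pattern_matches() {
    pat=$1; ip=$2
    case "$pat" in
        *.) case "$ip" in "$pat"*) return 0 ;; esac ;;
        *)  [ "$ip" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# ALLOW if any pattern in the list matches; otherwise DENY, because
# hosts.deny carries "sshd: ALL" and hosts.allow is consulted first.
check_client() {
    ip=$1
    for pat in $(printf '%s' "$ALLOW_HOSTS" | tr ',' ' '); do
        if pattern_matches "$pat" "$ip"; then
            echo ALLOW; return 0
        fi
    done
    echo DENY
    return 0
}

# Constructed sshd log lines in the style of the attempts in the first
# post; only "Failed password" lines are counted, keyed by source IP.
LOGLINES='Jan 18 23:41:02 server sshd[2210]: Failed password for root from 192.0.2.77 port 4412 ssh2
Jan 18 23:43:55 server sshd[2215]: Failed password for invalid user admin from 192.0.2.77 port 4420 ssh2
Jan 18 23:50:13 server sshd[2230]: Accepted publickey for root from 203.0.113.10 port 51002 ssh2'

# Output: one "<ip> <failure count>" line per source, most failures first.
failed_attempts_per_source() {
    printf '%s\n' "$LOGLINES" \
      | awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn | awk '{ print $2 " " $1 }'
}

# Demo when run directly: show the rendered rules and a few verdicts.
echo "hosts.allow: $(render_hosts_allow "$ALLOW_HOSTS")"
echo "hosts.deny:  $(render_hosts_deny)"
for src in 203.0.113.10 198.51.100.7 192.0.2.77; do
    echo "$src -> $(check_client "$src")"
done
echo "failed logins per source:"
failed_attempts_per_source
```

The per-source count is the check worth running before tightening the allow list: the address of the genuine remote server (the rsync peer) should never appear in the failure column, and every address that does is one the new AllowHosts value should exclude.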
-
Thanks jonb. I haven't used TCP wrappers on SME, only with other distros.