- Lug-nuts - bigbrie.com

by Linus Sphinx

Lot to be said for consistency. #======= #!/usr/local/bin/tclsh # # iptables firewall script generator v0.1 by sphinx # January 1st, 2001 # set EXTERNALIF "none" set INTERNALIF "none" function grok_address { IP=`ifconfig $1 2>/dev/null| grep inet | cut -d : -f 2 | cut -d \ -f 1` MASK=`ifconfig $1 2>/dev/null| grep Mask | cut -d : -f 4` NET=`route -n | grep eth0 | grep $MASK | grep -w "U" | cut -d\ -f1` echo "$IP/$MASK" } function grok_net { MASK=`ifconfig $1 2>/dev/null| grep Mask | cut -d : -f 4` NET=`route -n | grep $1 | grep $MASK | grep -w "U" | cut -d\ -f1` echo "$NET/$MASK" } echo -n "Checking External Interface..." if [ "`grok_interface $EXTERNALIF`" != "1" ]; then echo "$EXTERNALIF unavailable. Aborting." export PATH=$ORIGPATH exit else echo "found $EXTERNALIF" echo "External Interface Data:" echo "Address: `grok_address $EXTERNALIF`" echo "Network: `grok_net $EXTERNALIF`" fi echo -n "Checking Internal Interface..." if [ "$INTERNALIF" = "none" ]; then STANDALONE="1" echo "None specified" echo "Going to Standalone Mode" else if [ "`grok_interface $INTERNALIF`" != "1" ]; then echo "$INTERNALIF unavailable." echo "Going to Standalone Mode" STANDALONE="1" else echo "found $INTERNALIF" echo "Internal Interface Data:" echo "Address: `grok_address $INTERNALIF`" echo "Network: `grok_net $INTERNALIF`" STANDALONE="0" fi fi if [ "$STANDALONE" = "0" ]; then echo -n "Checking internal interface for RFC1918" declare -i DOTQUAD1 declare -i DOTQUAD2 DOTQUAD1=`grok_net $INTERNALIF | cut -f1 -d.` DOTQUAD2=`grok_net $INTERNALIF | cut -f2 -d.` if [ "$DOTQUAD1" = "10" ]; then MASQUERADE="1" echo "...Class A found" echo "Going to Masq Mode" elif [ "$DOTQUAD1" = "192" -a "$DOTQUAD2" = "168" ]; then MASQUERADE="1" echo "...Class C found" echo "Going to Masq Mode" elif [ "$DOTQUAD1" = "172" -a $DOTQUAD2 -gt 15 -a $DOTQUAD2 -lt 32 ]; then MASQUERADE="1" echo "...Class B found" echo "Going to Masq Mode" else echo "...None found" echo "Going to Routable Mode" MASQUERADE="0" fi fi function flush_rulesets { # No parameters echo -n "Flushing rulesets.." # filter table iptables -F echo -n "." # nat table iptables -t nat -F echo -n "." #mangle table iptables -t mangle -F echo -n "." echo "Done!" } function masq_setup { # Parameters: internalnet, externalnet, internal interface, external interface echo -n "Masquerading.." # Forward internal to external and external to internal net traffic # from and to outside iptables -A FORWARD -d 0/0 -s $1 -o $4 -j ACCEPT echo -n "." iptables -A FORWARD -d $1 -s 0/0 -i $4 -j ACCEPT echo -n "." # Masquerade internal to external traffic going out on the external interface # using the nat table. iptables -t nat -A POSTROUTING -d 0/0 -s $1 -o $4 -j MASQUERADE echo -n "." # Set INPUT rules in this situation # in from internal interface iptables -A INPUT -d $1 -s $1 -i $3 -j ACCEPT echo -n "." # in from outside iptables -A INPUT -d $2 -s 0/0 -i $4 -j ACCEPT echo -n "." # Set OUTPUT rules in this situation # Internal traffic out iptables -A OUTPUT -d $1 -s $1 -j ACCEPT echo -n "." # Out from anywhere on internal network iptables -A OUTPUT -d 0/0 -s $1 -j ACCEPT echo -n "." # Out from anywhere on external network iptables -A OUTPUT -d 0/0 -s $2 -j ACCEPT # set Default rule on FORWARD chain to DROP iptables -P FORWARD DROP echo -n "." echo "Done!" } function routable_setup { # Parameters: internalnet, externalnet echo -n "Forwarding.." # Forward internal-internal traffic iptables -A FORWARD -s $1 -d $1 -j ACCEPT echo -n "." # Forward external interface direct iptables -A FORWARD -s $2 -d $0/0 -j ACCEPT echo -n "." # Forward internal network going outside iptables -A FORWARD -s $1 -d $1 -j ACCEPT echo -n "." # Forward external network going inside iptables -A FORWARD -s $2 -d $1 -j ACCEPT echo -n "." echo "Done!" } function loopback { # Parameters: No parameters echo -n "Loopback..." iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT echo "Done!" } function tos_setup { # Parameters: No parameters echo -n "TOS flags.." iptables -t mangle -m tos --tos 16 -A PREROUTING -p tcp --dport www iptables -t mangle -m tos --tos 16 -A PREROUTING -p tcp --dport telnet iptables -t mangle -m tos --tos 16 -A PREROUTING -p tcp --dport ftp echo -n "..." # Set ftp-data for maximum throughput iptables -t mangle -m tos --tos 8 -A PREROUTING -p tcp --dport ftp-data echo -n "." echo "Done!" } function outbound_setup { # Parameters: internalnet echo -n "Outbound connections.." iptables -A INPUT -s $1 -d 0/0 -j ACCEPT iptables -A OUTPUT -s $1 -d 0/0 -j ACCEPT echo -n ".." echo "Done!" } function standard_rules { # Parameters: target, standalone, internalif # ---------------------------------------------------------- Trusted Networks - # Add in any rules to specifically allow connections from hosts/nets that # would otherwise be blocked. # echo -n "Trusted Networks.." # iptables -A INPUT -p <protocol> -<d/s>port <ports> -s [trusted host/net] -d $1 -j ACCEPT # echo -n "." # echo "Done!" # ----------------------------------------------------------- Banned Networks - # Add in any rules to specifically block connections from hosts/nets that # have been known to cause you problems. These packets are logged. ## echo -n "Banned Networks.." not adjusted to iptables yet # This one is generic # iptables -A INPUT -l -s [banned host/net] -d $1 <ports> -j DROP # echo -n "." # This one blocks ICMP attacks # iptables -A INPUT -l -b -i $LOCALIF -p icmp -s [host/net] -d $1 -j DROP # echo -n "." # echo "Done!" # ------------------------------------------------------ @home-specific rules - # This @home stuff is pretty specific to me (terminus). I get massive port # scans from my neighbors and from pokey admins at @home, so I just got harsh # and blocked all their stuff, with a few exceptions, listed below. # # If someone out there finds out the ip ranges of JUST tci@home, let me know # so i don't end up blocking ALL cablemodems like it's doing now. echo -n "Cable Modem Nets.." # so we can check mail, use the proxy server, hit @home's webpage. # you will want to set these to your local servers, and uncomment them # iptables -A INPUT -p tcp -dport 1023:65535 -s ha1.rdc1.wa.home.com -d $1 -j ACCEPT # iptables -A INPUT -p tcp -dport 1023:65535 -s mail.tcma1.wa.home.com -d $1 -j ACCEPT # iptables -A INPUT -p tcp -dport 1023:65535 -s www.tcma1.wa.home.com -d $1 -j ACCEPT # iptables -A INPUT -p tcp -dport 1023:65535 -s proxy.tcma1.wa.home.com -d $1 -j ACCEPT # echo -n "...." # so we can resolve the above hostnames, allow dns queries back to us # iptables -A INPUT -p tcp -dport 1023:65535 -s ns1.home.net -d $1 -j ACCEPT # iptables -A INPUT -p tcp -dport 1023:65535 -s ns2.home.net -d $1 -j ACCEPT # iptables -A INPUT -p udp -dport 1023:65535 -s ns1.home.net -d $1 -j ACCEPT # iptables -A INPUT -p udp -dport 1023:65535 -s ns2.home.net -d $1 -j ACCEPT # echo -n ".." # linux iptables building script page (I think) # iptables -A INPUT -p tcp -dport 1023:65535 -s 24.128.61.117 -d $1 -j ACCEPT # echo -n "." # Non-@home users may want to leave this uncommented, just to block all # the wannabe crackers. Add any @home hosts you want to allow BEFORE this line. # Blast all other @home connections into infinity and log them. # iptables -A INPUT -s 24.0.0.0/8 -d $1 -j LOG # iptables -A INPUT -s 24.0.0.0/8 -d $1 -j DROP # echo -n "." # Nuke any connections from @home's portscanners (ops-scan.home.com) # Note: These are a moving target - apply locally as required. iptables -A INPUT -s 24.0.84.130 -d $1 -j LOG iptables -A INPUT -s 24.0.84.130 -d $1 -j DROP echo -n "." echo "Done!" # ---------------------------- Specific port blocks on the external interface - # This section blocks off ports/services to the outside that have # vulnerabilities. This will not affect the ability to use these services # within your network. Connections to these ports are logged to syslog. echo -n "Port Blocks.." # NetBEUI/Samba iptables -A INPUT -p tcp --dport 137:139 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 137:139 -s 0/0 -d $1 -j DROP echo -n "." # Line Printer Daemon (courtesy of Blair Steenerson <blair(a)steenerson.com>) iptables -A INPUT -p tcp --dport 515 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 515 -s 0/0 -d $1 -j DROP echo -n "." # Microsoft SQL iptables -A INPUT -p tcp --dport 1433 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 1433 -s 0/0 -d $1 -j DROP echo -n "." # Postgres SQL iptables -A INPUT -p tcp --dport 5432 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 5432 -s 0/0 -d $1 -j DROP echo -n "." # Network File System iptables -A INPUT -p tcp --dport 2049 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 2049 -s 0/0 -d $1 -j DROP echo -n "." # MySQL iptables -A INPUT -p tcp --dport 3306 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 3306 -s 0/0 -d $1 -j DROP echo -n "." # X Displays iptables -A INPUT -p tcp --dport 5999:6010 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 5999:6010 -s 0/0 -d $1 -j DROP echo -n "." # X Font Server :0-:2- iptables -A INPUT -p tcp --dport 7100:7101 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 7100:7101 -s 0/0 -d $1 -j DROP echo -n "." # Back Orifice (logged) iptables -A INPUT -p tcp --dport 31337 -s 0/0 -d $1 -j LOG iptables -A INPUT -p tcp --dport 31337 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 31337 -s 0/0 -d $1 -j LOG iptables -A INPUT -p udp --dport 31337 -s 0/0 -d $1 -j DROP echo -n "." # NetBus (logged) iptables -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $1 -j LOG iptables -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $1 -j DROP iptables -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $1 -j LOG iptables -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $1 -j DROP echo -n "." echo "Done!" # --------------------------------------------------- High Unprivileged ports - # These are opened up to allow sockets created by connections allowed by # iptables echo -n "High Ports.." iptables -A INPUT -p tcp --dport 1023:65535 -s 0/0 -d $1 -j ACCEPT iptables -A INPUT -p udp --dport 1023:65535 -s 0/0 -d $1 -j ACCEPT echo -n "." echo "Done!" # ------------------------------------------------------------ Basic Services - echo -n "Services.." # ftp-data (20) and ftp (21) #iptables -A INPUT -p tcp --dport 20 -s 0/0 -d $1 -j ACCEPT #iptables -A INPUT -p tcp --dport 21 -s 0/0 -d $1 -j ACCEPT #echo -n ".." # ssh (22) iptables -A INPUT -p tcp --dport 22 -s 0/0 -d $1 -j ACCEPT echo -n "." # telnet (23) # iptables -A INPUT -p tcp --dport 23 -s 0/0 -d $1 -j ACCEPT # echo -n "." # smtp (25) # iptables -A INPUT -p tcp --dport 25 -s 0/0 -d $1 -j ACCEPT # echo -n "." # DNS (53) #iptables -A INPUT -p tcp --dport 53 -s 0/0 -d $1 -j ACCEPT #iptables -A INPUT -p udp --dport 53-s 0/0 -d $1 -j ACCEPT #echo -n ".." if [ "$2" != "1" ]; then # DHCP on LAN side (to make @Home DHCP work) (67/68) # iptables -A INPUT -i $3 -p udp --dport 67 -s 0/0 -d 255.255.255.255/24 -j ACCEPT # iptables -A OUTPUT -i $3 -p udp --dport 68 -s 0/0 -d 255.255.255.255/24 -j ACCEPT echo -n ".." fi # http (80) #iptables -A INPUT -p tcp --dport 80 -s 0/0 -d $1 -j ACCEPT #echo -n "." # POP-3 (110) # iptables -A INPUT -p tcp --dport 110 -s 0/0 -d $1 -j ACCEPT # echo -n "." # identd (113) #iptables -A INPUT -p tcp --dport 113 -s 0/0 -d $1 -j ACCEPT #echo -n "." # nntp (119) # iptables -A INPUT -p tcp --dport 119 -s 0/0 -d $1 -j ACCEPT # echo -n "." # https (443) # iptables -A INPUT -p tcp --dport 443 -s 0/0 -d $1 -j ACCEPT # echo -n "." # ICQ Services (it's a server service) (4000) # iptables -A INPUT -p tcp --dport 4000 -s 0/0 -d $1 -j ACCEPT # echo -n "." echo "Done!" # ---------------------------------------------------------------------- ICMP - echo -n "ICMP Rules.." # Use this to DROP ICMP attacks from specific addresses # iptables -A INPUT -i $EXTERNALIF -p icmp -s <address> -d 0/0 -j DROP # echo -n "." # Allow incoming ICMP iptables -A INPUT -p icmp -s 0/0 -d $1 -j ACCEPT echo -n ".." # Allow outgoing ICMP iptables -A OUTPUT -p icmp -s $1 -d 0/0 -j ACCEPT echo -n "...." echo "Done!" } function reset_policy { # Parameters: no parameters iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT } function set_policy { # Parameters: no parameters iptables -P INPUT DROP iptables -P OUTPUT DROP } function set_timeouts { # Parameters: no parameters # not adjusted for iptables yet echo -n "Setting iptables timeout for tcp tcpfin udp.. " #iptables -M -S 3600 150 1000 echo "Done!" } reset_policy flush_rulesets if [ "$STANDALONE" = "1" ]; then TARGET=`grok_net $EXTERNALIF` else if [ "$MASQUERADE" = "1" ]; then TARGET=`grok_address $EXTERNALIF` INTERNALNET=`grok_net $INTERNALIF` EXTERNALNET=`grok_net $EXTERNALIF` set_timeouts masq_setup $INTERNALNET $TARGET $INTERNALIF $EXTERNALIF else TARGET=`grok_net $INTERNALIF` INTERNALNET=`grok_net $INTERNALIF` EXTERNALNET=`grok_net $EXTERNALIF` outbound_setup $INTERNALNET routable_setup $INTERNALNET $EXTERNALNET fi fi tos_setup loopback standard_rules $TARGET $STANDALONE $INTERNALIF #configure_vpn $INTERNALNET $EXTERNALNET set_policy export PATH=$ORIGPATH exit

2 years, 2 months

2
1
0 0

list still working

by Brian E. Lavender

I applied security updates to the server and I just want to make sure it still works. -- Brian Lavender http://www.brie.com/brian/ "There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies." Professor C. A. R. Hoare The 1980 Turing award lecture

2 years, 3 months

3
7
0 0

Epilog

by Gary

It looks like I've managed to recover almost everything. Gparted's disk/partition recovery option worked really well. I don't know if or how it found any superblocks, but it built a loopback /tmp that was just golden. It took 4 days to run but hey, it was the weekend. The KVM/qemu files had to be edited quite a but due to the passage of versions/time. And aqemu won't run, but I think this is a Fedora 36 bug. I'm glad almost everything was in VM's. I used xxd and gawk to do some carving, but its nice that I won't have to grok all that stuff. Although since I split my RAID1, I'm going to keep the old info around and may play with it some just for fun. Thanks for all the support, moral and otherwise. I'm going to spend some time now and come up with a more sane and secure set up. Something I should probably due more than once every decade. -Gary

2 years, 4 months

2
1
0 0

Multifactor Authentication

by saclug＠garymcglinn.com

I'm looking into locking down ssh some more. It seems that google provides a PAM module to enable a one time password as part of two factor authentication. But changing sshd.comfig to have: AuthenticationMethods publickey,password Would require both a password and a key. Since I'm in no hurry to get Google involved, I thought I might give it a try. Anyone have any thoughts or played around with this? -Gary

2 years, 4 months

1
0
0 0

Uh Oh!

by Linus Sphinx

They could be tracking my dog. https://www.pcmag.com/news/scariest-things-we-saw-at-black-hat-2022

2 years, 4 months

1
0
0 0

[lug-nuts@bigbrie.com: Re: Re: [gary@garymcglinn.com: Re: Re: Snort]]

by saclug＠garymcglinn.com

There may be. But I doubt if many apply to me. However, on a whim, I installed Fedora 36 on the new drive and it works great. It's possible that there was some other issue that was causing me difficulty in upgrading. One prime candidate is operator error. Be that as it may, I am now working on getting things working under Fedora 36. I did some reading on UEFI and I have lots of philosopical disagreements, primarily the same one I always have: It solves a problem that shouldn't or doesn't exist and it is unnecessarily complex. Is this really the wave of the future? I notice my Fedora 36 install didn't use it. Apparently the NSA thinks it is a good idea. They go all google eyed and mushy over secure boot. On their page they have a "call for action" and a disclaimer that they aren't making a recommendation within 3 adjacent paragraphs. UEFI looks like a WinTel boondoggle to me. Putting a simulator of Snoopy flying his dog house in a spreadsheet just has to be a good idea. Apparently the NSA is now the old NSA calld SIGNT and the new NSA called CSS. I don't know how this all relates to DHS. -Gary On Thu, Aug 11, 2022 at 02:46:23PM -0700, Brian E. Lavender wrote: > On Mon, Aug 08, 2022 at 09:39:34AM -0700, saclug(a)garymcglinn.com wrote: > > My experience with the upgrade treadmill is that it is a waste of time. > > By its own admission (if a concept can have that) the new versions will > > have issues and you need to upgrade. If the issues with an older > > version don't affect you, then it is perfectly fine to use it. Why > > upgrade and risk the fact that the new issues will affect your use case. > > The developers for Fedora 13 were no smarter or dumber than the > > developers who are writing Fedora 36. Or pick your distro of choice. > > There are probably a boat load of known vulnerabilities in F13. It's > probably a script kitty winter wonderland, depending upon what you have > installed/running! If you you want software that is secure proof, you > have to run something like "Ironsides", written using SPARK/Ada. > > https://ironsides.martincarlisle.com/ > > Beyon that, the best is to keep patching on a stable distro that doesn't > have API changes, or minimal changes. > > Brian > > -- > Brian Lavender > http://www.brie.com/brian/ > > "There are two ways of constructing a software design. One way is to > make it so simple that there are obviously no deficiencies. And the other > way is to make it so complicated that there are no obvious deficiencies." > > Professor C. A. R. Hoare > The 1980 Turing award lecture > _______________________________________________ > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com ----- End forwarded message -----

2 years, 4 months

1
0
0 0

Progress

by saclug＠garymcglinn.com

Thanks for all the helpful information and comments. My 'new'/replacement system arrived. It's a refurbed Dell with Windows 10 installed. My original plan was just to install a VM in Windows, until I did the actual set up. It comes with a keystroke logger. Wow. And they really want to improve your user experience by collenting a lot of information and sending you a lot of stuff and giving you rewards. I know you can "turn it off", but I never believe these claims. That's why I have Google send me my timeline once a month. At least that way I have some idea of what they are tracking. Gparted worked pretty well. I like to use good old standard partitions, so of course Windows uses 4 primaries. I deleted the recovery partition and resized the main Windows partition and had a decent amount of space. I burnt a Fedora XFCE disk and off to the races. The install went fine. But I had remembered that during some installs in the past there were more options/questions about bootloaded config. It just installed grub2. I did a custom standard partition and started with it's "default" suggestion, which has no swap space. After making adjustments and adding swap and /var and configing users, the install went without a hitch. Now I have a system that boots into Fedora 36 just fine, which is all I need. I can begin to figure out how to lock the system down and what to bring in/set up to regain my old setup. Doing the switch to boot from the disk was interesting. It seems like Dell's BIOS is a little bit out of control. It's redundant and unnecssarily complex. There are two hotkeys F2 and F12 and you have to use them both. According to Dell's own web site, each BIOS is 'customized' to specific hardware. What turning off boot security and turning on legacy boot actually do apparently varies a lot. I had to do that to boot into the live OS and actually do the install. Apparently Dell believes that difficulting in performing a task is a type of security. I decided to explore dual boot. I have heard for years that Windows and Linux don't play well. But, an easy test was just to exit out of grub, which then dumps you into Windows bootloader. This worked fine, but the boot option to start windows simply doesn't work. In looking into adding Windows boot to grub, it should be very easy. Just run os-prober and then update-grub and magically you're done. These are instructions for a Debian based system. I have to do some translation for Fedora and update-grub becomes mkconfig-grub. But it doesn't work. It is interesting though that the Linux world is mostly Debian for the 'home' user and more Fedora for the more enterprise folks. No one is going to dual boot their enterprise server, so there is no info. I did find some interesting grub menuitems to try. But I might just abandon the dual boot, because if it breaks when I'm in Windowsland, a distinct possibility, I won't have any tools. Well I'd have the live CD. But in addition to Windows and Linux not playing well together at boot time, it seems the UEFI and Legacy don't play well together either. I was surpised to find that Fedora 36 is a Legacy boot and Windows is a UEFI. Just for your entertainment. More reading for me. And just one bug so far in Fedora or maybe it's Firefox:Firefox won't play any videos. It just tells me the video is unavalable. I don't use this system for that, but it is curious. -Gary

2 years, 4 months

3
5
0 0

Another day another attack vector

by Linus Sphinx

https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-…

2 years, 5 months

4
4
0 0

[gary@garymcglinn.com: Re: Re: Snort]

by saclug＠garymcglinn.com

I sent this early, but as the wrong person :). Yes, the hardware is old and nothing more recent than that would install and run. I use VM's that had more recent versions, but I was stuck at Fedora 13 for the host hardware. I have a new system on order from Dell. When I revive the hacked system, it will still probably be running Fedora 13, but I'll use it for something else. -Gary On Fri, Aug 05, 2022 at 12:53:42PM -0700, Brian E. Lavender wrote: > Gary, > > You were running Fedora 13? > > Brian > > On Fri, Aug 05, 2022 at 09:55:57AM -0700, Gary wrote: > > In thinking a little more, even if they are attacking the certificate > > directly, it is using the user they are logging in as .ssh certificate. > > If that user doesn't exist, it seems that the attack should never work. > > > > I guess I still don't understand how they got in. But, my system was > > rebooted. There must be more going on. They couldn't log in as root > > directly since I, like most of the world, have that disabled and the > > logs don't show that. > > > > -Gary > > > > On Fri, Aug 05, 2022 at 09:42:20AM -0700, Gary wrote: > > > Interesting. Looks like keys are a risk. But, I still don't > > > understand, and I don't think the article was clear about, how a brute force > > > SSH password attack is possible over my very limited network. AT&T's > > > cheapest plan isn't a very big pipe and I use good passwords. The > > > attacker would have to have a great deal of luck. > > > > > > Since I use ssh for personal access, I'm considering looking into a > > > firewall rule that simply walls out any IP that tries to log in with a > > > user that isn't my account. Another thing that makes me wonder about > > > this vector is the successful login wasn't from an account on my system. > > > > > > It seems to me that the keys/certifcates are being attacked directly. > > > I've read other articles indicating that there are attackers in the wild doing this. > > > > > > So, it seems to me that eliminating key/certificate logins from outward > > > facing systems may buy a lot of extra security. There were keys in my > > > .ssh directory, but whether I installed them or the attacker did, is not > > > clear. I wouldn't need them, but it is possible I could have created > > > them at some point over the last 15 years I've been using this system :) > > > > > > -Gary > > > > > > On Fri, Aug 05, 2022 at 03:54:33AM -0600, Linus Sphinx wrote: > > > > Join the club. > > > > https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forc… > > > > > > > > On Tue, Aug 2, 2022 at 12:43 PM Gary <saclug(a)garymcglinn.com> wrote: > > > > > > > > > Hi Brian, > > > > > > > > > > Open letter. > > > > > > > > > > I remember years ago you did a presentation on snort. > > > > > > > > > > Do you still like it? > > > > > > > > > > -Gary > > > > > > > > > > _______________________________________________ > > > > > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > > > > > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com > > > > > > > > _______________________________________________ > > > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > > > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com > > _______________________________________________ > > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com > > -- > Brian Lavender > http://www.brie.com/brian/ > > "There are two ways of constructing a software design. One way is to > make it so simple that there are obviously no deficiencies. And the other > way is to make it so complicated that there are no obvious deficiencies." > > Professor C. A. R. Hoare > The 1980 Turing award lecture > _______________________________________________ > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com ----- End forwarded message -----

2 years, 5 months

1
0
0 0

Re: Snort

by Gary

Interesting. Looks like keys are a risk. But, I still don't understand, and I don't think the article was clear about, how a brute force SSH password attack is possible over my very limited network. AT&T's cheapest plan isn't a very big pipe and I use good passwords. The attacker would have to have a great deal of luck. Since I use ssh for personal access, I'm considering looking into a firewall rule that simply walls out any IP that tries to log in with a user that isn't my account. Another thing that makes me wonder about this vector is the successful login wasn't from an account on my system. It seems to me that the keys/certifcates are being attacked directly. I've read other articles indicating that there are attackers in the wild doing this. So, it seems to me that eliminating key/certificate logins from outward facing systems may buy a lot of extra security. There were keys in my .ssh directory, but whether I installed them or the attacker did, is not clear. I wouldn't need them, but it is possible I could have created them at some point over the last 15 years I've been using this system :) -Gary On Fri, Aug 05, 2022 at 03:54:33AM -0600, Linus Sphinx wrote: > Join the club. > https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forc… > > On Tue, Aug 2, 2022 at 12:43 PM Gary <saclug(a)garymcglinn.com> wrote: > > > Hi Brian, > > > > Open letter. > > > > I remember years ago you did a presentation on snort. > > > > Do you still like it? > > > > -Gary > > > > _______________________________________________ > > Lug-nuts mailing list -- lug-nuts(a)bigbrie.com > > To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com > >

2 years, 5 months

4
8
0 0

2025

2024

2023

2022

Lug-nuts