Thursday, July 21, 2011

Re: [BLUG] How many of you run home servers?

On Thu, Jul 21, 2011 at 5:28 PM, Steven Black <yam655@gmail.com> wrote:
>
> Ultimately we're talking risk mitigation. There is no way to remove all
> risks and have a usable system.

Exactly right. My personal paranoia is directed toward the grey hats
surrounding me. So I optimize my habits to thwart them. Joe Mafia
trying to get to me from botnets-r-us worries me much less and is,
imo, much easier to deal with.
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] How many of you run home servers?

With botnets the pam_unix 2 second delay is meaningless. That's two seconds per IP and depending on the size of the botnet it could be longer than 2 seconds before the same IP attacks due to not wanting to DOS your system. Even banning IPs after wrong passwords is useless, as I was never seeing the same IP attempt to attack within 5 minutes or more.

They have near limitless IPs. They have near limitless computing power. They also get bored very, very quickly. The key is to appear uninteresting. Public key auth does that.

Cheers,
Steven Black

On Jul 21, 2011 3:23 PM, "Brian Wheeler" <bdwheele@indiana.edu> wrote:
> On Thu, 2011-07-21 at 18:23 +0000, Mark Krenz wrote:
>
>> Here is a summary to give you an idea of how large of numbers we are
>> talking about:
>>
>> simple 5 character password combinations (a-z)
>> 26^5 = 11881376 (0.01 seconds)
>>
>> full alphanumeric 5 character password (a-zA-Z0-9):
>> 62^5 = 916132832 (0.9 seconds)
>>
>> complex alphanumeric 5 character password (above + all symbols)
>> 94^5 = 7339040224 (7.3 seconds)
>>
>> 3 word passphrase drawing from 2000 word vocabulary
>> 2000^3 = 8000000000 (8 seconds)
>>
>> simple 8 character password combinations (a-z)
>> 26^8 = 208827064576 (208 seconds)
>>
>> 4 word passphrase drawing from 2000 word vocabulary
>> 2000^4 = 16000000000000 (4.4 hours)
>>
>> full alphanumeric 8 character password (a-zA-Z0-9):
>> 62^8 = 218340105584896 (2.5 days)
>>
>> complex alphanumeric 8 character password (above + all symbols)
>> 94^8 = 6095689385410816 (70 days)
>>
>> 5 word passphrase drawing from 2000 word vocabulary
>> 2000^5 = 32000000000000000 (1 year, 5 days)
>>
>> 5 word passphrase drawing from 5000 word vocabulary
>> 5000^5 = 3125000000000000000 (99 years)
>>
>> The time shown in parens is the maximum time that it would take for a
>> system capable of encrypting 1 billion passwords per second would take.
>> Apparently, home desktop systems with high end GPUs have been built that
>> can do this.
>>
>> Lesson learned from all this? Sentence based passphrases are much much
>> stronger. The downside is that they are easier to accidentally say in your
>> sleep.
>>
>
> The time needed to generate the encrypted keys is only important if you
> already have the encrypted key and you want to reverse the password.
>
> For scanning SSH hosts that isn't important. What is important is the
> number of combinations for the password character set and the amount of
> time that each wrong answer takes. If the SSH server (and basically
> anything that uses pam_unix.so) waits 2 seconds after each wrong
> attempt, the amount of time needed to guess the correct password becomes
> huge.
>
> For the worst case example above [a-z]{5} it would take 275 days to try
> every combination. The [A-Za-z0-9]{5} one takes 58.1 years. The
> shortest reasonable set/size (all symbols, 6 characters) would take 1801
> years.
>
> How many threads would an attacker have to use to make it worth it?
>
> The biggest problem is social engineering, not password complexity. Too
> many people share or write down their passwords. Or they use really
> obviously bad passwords (the account name, 1234, "password", etc). The
> bots hitting the ssh servers, at least from what I've seen, aren't doing
> a brute force attack: they're trying to pick up low hanging fruit where
> passwords of well known accounts were chosen stupidly.
>
> Brian
>
>
>
>

Re: [BLUG] How many of you run home servers?

On Thu, Jul 21, 2011 at 5:28 PM, Steven Black <yam655@gmail.com> wrote:
> If you really want to protect a PC you need a boot-time password and to
> power it off whenever it will leave your sight. This is what I do with my
> laptop when at conventions.

Quick, someone hand me a screwdriver! ;-)

> Ultimately we're talking risk mitigation. There is no way to remove all
> risks and have a usable system.

Amen.

> Cheers,
> Steven Black

Cheers,
Simón


Re: [BLUG] How many of you run home servers?

Hey! I said "short password" not a bad password. ;)

For me, "short" is 12 to 24 characters, no embedded words, no 1337 substitutions, upper and lower case, includes at least one number and punctuation. Yeah, it can be brute-forced, but it isn't low-hanging fruit. More than that a casual acquaintance can't learn I like "yams" and know the key to my password. ("Hey, he turned 34, let's try 'yams77'... Bingo!")

Now "long" is 240 characters or more. I have had one of those before, but they just feel so slow to type I am loath to go that big.

I usually aim for 70 to 90 characters. Comfortably fast to type, and still long enough to thwart all but the most determined.

Yeah, there's the whole sneak-in-and-copy-key thing. It is suitably low risk for the reasons Mark mentioned.

If you really want to protect a PC you need a boot-time password and to power it off whenever it will leave your sight. This is what I do with my laptop when at conventions.

Ultimately we're talking risk mitigation. There is no way to remove all risks and have a usable system.

Cheers,
Steven Black

On Jul 21, 2011 12:53 PM, "Thomas C. Knoeller" <tck@pretend.net> wrote:
> On Thu, Jul 21, 2011 at 12:28 AM, Steven Black <yam655@gmail.com> wrote:
>> [...] Using
>> a short passphrase and a key agent that forgets the passphrase
>> immediately with public key authentication is still better than being
>> botnet attacked for months on end.
>
> Heh. This touches on the other part of my paranoia with PKI; the
> short passphrase. Imagine that your passphrase encrypted key gets
> loose in the wild.[1] At that point, you can brute force the file
> without anyone knowing you are doing it. No matter how many thousands
> of bits the key itself is, if the passphrase is simple or small
> enough, there is a possibility of it being decrypted. Whereas, if you
> are doing the password checking during the login process, if a failure
> happens, it is logged and you have a chance of seeing the attack
> before too many guesses of the password can be made.
>
> I agree that the script kiddie login attempts are annoying. But they
> are not likely to succeed if you use password best practices. And if
> you are really worried about them, and cannot lock down the ssh port
> to known remote hosts, using a port knocker of some sort is an easy
> way to only open the port when needed.
>
> As someone else said, 2 factor auth (something you have plus something
> you know) is still the best thing to do, but if you don't do that, and
> need to open ssh to the public, local password is my preference over
> keys.
>
> -Tom
>
>
> [1] Using the stroll to the kitchen example again, if you forget to
> lock your screen, and someone gets to the machine before the 2 minute
> auto kick in of auto screen locker, they can easily open a terminal
> and run a curl command to upload the public key[2] from your machine.
>
> [2] If you are using security by obscurity, while in the daemon rc
> file to change the port number, you should also change the default
> location of the public key file.

Re: [BLUG] How many of you run home servers?

On Thu, 2011-07-21 at 18:23 +0000, Mark Krenz wrote:

> Here is a summary to give you an idea of how large of numbers we are
> talking about:
>
> simple 5 character password combinations (a-z)
> 26^5 = 11881376 (0.01 seconds)
>
> full alphanumeric 5 character password (a-zA-Z0-9):
> 62^5 = 916132832 (0.9 seconds)
>
> complex alphanumeric 5 character password (above + all symbols)
> 94^5 = 7339040224 (7.3 seconds)
>
> 3 word passphrase drawing from 2000 word vocabulary
> 2000^3 = 8000000000 (8 seconds)
>
> simple 8 character password combinations (a-z)
> 26^8 = 208827064576 (208 seconds)
>
> 4 word passphrase drawing from 2000 word vocabulary
> 2000^4 = 16000000000000 (4.4 hours)
>
> full alphanumeric 8 character password (a-zA-Z0-9):
> 62^8 = 218340105584896 (2.5 days)
>
> complex alphanumeric 8 character password (above + all symbols)
> 94^8 = 6095689385410816 (70 days)
>
> 5 word passphrase drawing from 2000 word vocabulary
> 2000^5 = 32000000000000000 (1 year, 5 days)
>
> 5 word passphrase drawing from 5000 word vocabulary
> 5000^5 = 3125000000000000000 (99 years)
>
> The time shown in parens is the maximum time that it would take for a
> system capable of encrypting 1 billion passwords per second would take.
> Apparently, home desktop systems with high end GPUs have been built that
> can do this.
>
> Lesson learned from all this? Sentence based passphrases are much much
> stronger. The downside is that they are easier to accidentally say in your
> sleep.
>

The time needed to generate the encrypted keys is only important if you
already have the encrypted key and you want to reverse the password.

For scanning SSH hosts that isn't important. What is important is the
number of combinations for the password character set and the amount of
time that each wrong answer takes. If the SSH server (and basically
anything that uses pam_unix.so) waits 2 seconds after each wrong
attempt, the amount of time needed to guess the correct password becomes
huge.

For the worst case example above [a-z]{5} it would take 275 days to try
every combination. The [A-Za-z0-9]{5} one takes 58.1 years. The
shortest reasonable set/size (all symbols, 6 characters) would take 1801
years.

How many threads would an attacker have to use to make it worth it?

The biggest problem is social engineering, not password complexity. Too
many people share or write down their passwords. Or they use really
obviously bad passwords (the account name, 1234, "password", etc). The
bots hitting the ssh servers, at least from what I've seen, aren't doing
a brute force attack: they're trying to pick up low hanging fruit where
passwords of well known accounts were chosen stupidly.

Brian



Re: [BLUG] How many of you run home servers?

Mark Krenz wrote:
>
> Lesson learned from all this? Sentence based passphrases are much much
> stronger. The downside is that they are easier to accidentally say in your
> sleep.

And to remember if overheard. :-)

--
Mark Warner

Re: [BLUG] How many of you run home servers?

On Thu, Jul 21, 2011 at 04:52:43PM GMT, Thomas C. Knoeller [tck@pretend.net] said the following:
>
> Heh. This touches on the other part of my paranoia with PKI; the
> short passphrase. Imagine that your passphrase encrypted key gets
> loose in the wild.[1] At that point, you can brute force the file
> without anyone knowing you are doing it. No matter how many thousands
> of bits the key itself is, if the passphrase is simple or small
> enough, there is a possibility of it being decrypted. Whereas, if you
> are doing the password checking during the login process, if a failure
> happens, it is logged and you have a chance of seeing the attack
> before too many guesses of the password can be made.

It depends on what type of passphrase you are using. You might think
that a passphrase could be cracked easier, but it turns out that a
sentence is a lot harder to crack than an 8 character password.

I give an example like this on my SSH tutorial here:

http://support.suso.com/supki/SSH_Tutorial_for_Linux#Generating_a_key

An 8 character password that uses a set of characters made from upper
and lowercase, numbers and symbols has 94^8 or 6,095,689,385,410,816
combinations.

Now if you use a 5 word sentence for a passphrase, you are probably
pulling from a vocabulary of 5000 or so words. "For instance this
measly sentence" could be such a passphrase. The number of combinations
rises to 5000^5 or 3,125,000,000,000,000,000, which is 512 times more
combinations than an 8 character password. And you're probably more
likely to remember the passphrase.

If an attacker had to try to crack the passphrase they could either do
it based on combinations of letters, which on a 33 letter sentence would
be about 28^33 combinations. If the attacker had to try combinations of
words in a dictionary, they are probably going to have to use a
dictionary larger than your vocabulary, so maybe 50,000 words. This
would be 50000^5 to try. Of course, they don't know how many words, so
they may start with 3 words, then 4, then 5, etc.

Here is a summary to give you an idea of how large of numbers we are
talking about:

simple 5 character password combinations (a-z)
26^5 = 11881376 (0.01 seconds)

full alphanumeric 5 character password (a-zA-Z0-9):
62^5 = 916132832 (0.9 seconds)

complex alphanumeric 5 character password (above + all symbols)
94^5 = 7339040224 (7.3 seconds)

3 word passphrase drawing from 2000 word vocabulary
2000^3 = 8000000000 (8 seconds)

simple 8 character password combinations (a-z)
26^8 = 208827064576 (208 seconds)

4 word passphrase drawing from 2000 word vocabulary
2000^4 = 16000000000000 (4.4 hours)

full alphanumeric 8 character password (a-zA-Z0-9):
62^8 = 218340105584896 (2.5 days)

complex alphanumeric 8 character password (above + all symbols)
94^8 = 6095689385410816 (70 days)

5 word passphrase drawing from 2000 word vocabulary
2000^5 = 32000000000000000 (1 year, 5 days)

5 word passphrase drawing from 5000 word vocabulary
5000^5 = 3125000000000000000 (99 years)

The time shown in parens is the maximum time that it would take for a
system capable of encrypting 1 billion passwords per second would take.
Apparently, home desktop systems with high end GPUs have been built that
can do this.

Lesson learned from all this? Sentence based passphrases are much much
stronger. The downside is that they are easier to accidentally say in your
sleep.


> I agree that the script kiddie login attempts are annoying. But they
> are not likely to succeed if you use password best practices. And if
> you are really worried about them, and cannot lock down the ssh port
> to known remote hosts, using a port knocker of some sort is an easy
> way to only open the port when needed.
>
> As someone else said, 2 factor auth (something you have plus something
> you know) is still the best thing to do, but if you don't do that, and
> need to open ssh to the public, local password is my preference over
> keys.
>
> -Tom
>
>
> [1] Using the stroll to the kitchen example again, if you forget to
> lock your screen, and someone gets to the machine before the 2 minute
> auto kick in of auto screen locker, they can easily open a terminal
> and run a curl command to upload the public key[2] from your machine.
>
> [2] If you are using security by obscurity, while in the daemon rc
> file to change the port number, you should also change the default
> location of the public key file.

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/

Sent from Mutt using Linux
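The keyspace and time figures Mark tabulates above, and the online variant Brian works out in his reply, recomputed in one script. This is an added example, not code from the list or from either poster; it assumes the thread's figures of 10^9 guesses per second for an offline attack on a captured hash or key file and the 2-second pam_unix delay per failed attempt over a single connection, and treats a year as 365.25 days.

```python
"""Keyspace and worst-case exhaustive-search times for the password and
passphrase policies compared in this thread (added example, not from the list)."""
import math
from dataclasses import dataclass

OFFLINE_GUESSES_PER_SECOND = 1_000_000_000  # GPU-class rate quoted in the thread
PAM_UNIX_DELAY_SECONDS = 2.0                # pam_unix sleep after each failed attempt
DAY = 86_400.0
YEAR = 365.25 * DAY                         # assumption: 365.25-day year


@dataclass(frozen=True)
class Policy:
    name: str
    symbols: int   # size of the character set, or of the vocabulary for passphrases
    length: int    # characters, or words

    @property
    def keyspace(self) -> int:
        """Number of distinct secrets the policy allows (exhaustive-search bound)."""
        return self.symbols ** self.length


# Mark's table, plus Brian's "all symbols, 6 characters" case.
POLICIES = [
    Policy("simple 5 char (a-z)", 26, 5),
    Policy("alnum 5 char (a-zA-Z0-9)", 62, 5),
    Policy("complex 5 char (94 symbols)", 94, 5),
    Policy("3 words / 2000 vocab", 2000, 3),
    Policy("complex 6 char (94 symbols)", 94, 6),
    Policy("simple 8 char (a-z)", 26, 8),
    Policy("4 words / 2000 vocab", 2000, 4),
    Policy("alnum 8 char (a-zA-Z0-9)", 62, 8),
    Policy("complex 8 char (94 symbols)", 94, 8),
    Policy("5 words / 2000 vocab", 2000, 5),
    Policy("5 words / 5000 vocab", 5000, 5),
]


def offline_seconds(p: Policy, rate: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Time to try every secret against a captured hash or passphrase-protected key."""
    return p.keyspace / rate


def online_seconds(p: Policy, delay: float = PAM_UNIX_DELAY_SECONDS,
                   connections: int = 1) -> float:
    """Time to try every secret through a login prompt that sleeps `delay`
    after each failure, spread over `connections` parallel sessions."""
    return p.keyspace * delay / connections


def connections_needed(p: Policy, target_seconds: float,
                       delay: float = PAM_UNIX_DELAY_SECONDS) -> int:
    """Parallel sessions required to exhaust the space within target_seconds
    (Brian's question of how many threads it would take)."""
    return math.ceil(p.keyspace * delay / target_seconds)


def strength_ratio(a: Policy, b: Policy) -> int:
    """How many times larger a's keyspace is than b's (Mark's '512 times')."""
    return a.keyspace // b.keyspace


def humanize(seconds: float) -> str:
    """Render a duration in the same rough units Mark used in his table."""
    if seconds < 1:
        return f"{seconds:.2f} seconds"
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < YEAR:
        return f"{seconds / DAY:.1f} days"
    return f"{seconds / YEAR:.1f} years"


def table() -> list:
    """One row per policy: (name, keyspace, offline time, online time)."""
    return [(p.name, p.keyspace, humanize(offline_seconds(p)), humanize(online_seconds(p)))
            for p in POLICIES]


if __name__ == "__main__":
    print(f"{'policy':32} {'keyspace':>22} {'offline @1e9/s':>16} {'online, 2s delay':>18}")
    for name, space, off, on in table():
        print(f"{name:32} {space:22,d} {off:>16} {on:>18}")
```

The online column is for one connection; dividing by the number of parallel sessions an attacker can hold open (hence the value of per-source connection limits) gives the real figure.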

Re: [BLUG] How many of you run home servers?

On Thu, Jul 21, 2011 at 12:28 AM, Steven Black <yam655@gmail.com> wrote:
> [...] Using
> a short passphrase and a key agent that forgets the passphrase
> immediately with public key authentication is still better than being
> botnet attacked for months on end.

Heh. This touches on the other part of my paranoia with PKI; the
short passphrase. Imagine that your passphrase encrypted key gets
loose in the wild.[1] At that point, you can brute force the file
without anyone knowing you are doing it. No matter how many thousands
of bits the key itself is, if the passphrase is simple or small
enough, there is a possibility of it being decrypted. Whereas, if you
are doing the password checking during the login process, if a failure
happens, it is logged and you have a chance of seeing the attack
before too many guesses of the password can be made.

I agree that the script kiddie login attempts are annoying. But they
are not likely to succeed if you use password best practices. And if
you are really worried about them, and cannot lock down the ssh port
to known remote hosts, using a port knocker of some sort is an easy
way to only open the port when needed.

As someone else said, 2 factor auth (something you have plus something
you know) is still the best thing to do, but if you don't do that, and
need to open ssh to the public, local password is my preference over
keys.

-Tom


[1] Using the stroll to the kitchen example again, if you forget to
lock your screen, and someone gets to the machine before the 2 minute
auto kick in of auto screen locker, they can easily open a terminal
and run a curl command to upload the public key[2] from your machine.

[2] If you are using security by obscurity, while in the daemon rc
file to change the port number, you should also change the default
location of the public key file.

Re: [BLUG] How many of you run home servers?

Yes, I gave a talk on this 4 years ago. I did have an article for it on
the BLUG wiki and a graph showing the growth of the worm over a few
months, but I haven't had time to recover the wiki since it broke after
a PHP upgrade. Sorry about that.

Anyways, hashlimit has worked quite well. The problem that I was
running into was that the worm that was running around trying every
first name as a username was hitting my servers so hard that it opened
up enough connections to prevent normal users from logging in. So I
turned on hashlimit in the firewall and that stopped the problem. I
also decided at that point that I would move my servers that don't need
ssh access by customers to a custom port. I found one suitable by
searching a year's worth of firewall logs and found one that hadn't ever
been hit by port scanners. There are actually several ports like this
so don't ask me which one I use. This is an exercise left to the reader.
;-)

So you can see, there are other issues besides just "if they get the
right username and password", they can practically DOS your system.
Back in 2005 I think I was getting somewhere around 60,000 login
attempts per day.

On Wed, Jul 20, 2011 at 08:51:55PM GMT, Williams, Jeffery Allen [jefjewil@indiana.edu] said the following:
> A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.
>
> I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.
>
> Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).
>
> Jeffery Williams
> Software Engineer
> ISAT Hall
> 867-5309

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/

Sent from Mutt using Linux
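Detection logic for the two attack shapes this thread describes, written as an added example (not code from any poster): a per-source burst of the kind Jeffery's 4-per-minute hashlimit rule is meant to stop, and the slow, distributed pattern Steven describes, where no source repeats within five minutes and so no per-IP limit or ban ever trips. The sshd log lines are constructed, the addresses are from documentation ranges, and the year is assumed because syslog timestamps carry none.

```python
"""Two detections over sshd auth log lines: a single source hammering the
host, and a botnet spreading one guess per source so the per-IP limit never
fires. Added example; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set

LOG_YEAR = 2011  # assumption: syslog stamps carry no year, so one is supplied

# Constructed sample: one noisy source (198.51.100.7) plus a slow first-name
# worm that never reuses a source address within five minutes.
SAMPLE_LOG = """\
Jul 21 03:14:01 home sshd[2201]: Failed password for invalid user john from 198.51.100.7 port 40111 ssh2
Jul 21 03:14:09 home sshd[2203]: Failed password for invalid user john from 198.51.100.7 port 40112 ssh2
Jul 21 03:14:18 home sshd[2205]: Failed password for root from 198.51.100.7 port 40113 ssh2
Jul 21 03:14:27 home sshd[2207]: Failed password for root from 198.51.100.7 port 40114 ssh2
Jul 21 03:14:40 home sshd[2209]: Failed password for invalid user admin from 198.51.100.7 port 40115 ssh2
Jul 21 03:20:02 home sshd[2230]: Accepted publickey for simon from 192.0.2.10 port 50200 ssh2
Jul 21 04:00:00 home sshd[2301]: Failed password for invalid user alice from 203.0.113.11 port 33001 ssh2
Jul 21 04:07:00 home sshd[2302]: Failed password for invalid user bob from 203.0.113.12 port 33002 ssh2
Jul 21 04:14:00 home sshd[2303]: Failed password for invalid user carol from 203.0.113.13 port 33003 ssh2
Jul 21 04:21:00 home sshd[2304]: Failed password for invalid user dave from 203.0.113.14 port 33004 ssh2
Jul 21 04:28:00 home sshd[2305]: Failed password for invalid user erin from 203.0.113.15 port 33005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Failure(NamedTuple):
    when: datetime
    user: str
    ip: str
    invalid_user: bool  # True when sshd itself reports the account does not exist


def parse_failure(line: str) -> Optional[Failure]:
    """Return a Failure for a 'Failed password' line, None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return Failure(when, m.group("user"), m.group("ip"), m.group("invalid") is not None)


def parse_log(text: str) -> List[Failure]:
    return [f for f in map(parse_failure, text.splitlines()) if f is not None]


def bursting_sources(events: List[Failure], limit: int = 4,
                     window_seconds: int = 60) -> Set[str]:
    """Sources with more than `limit` failures inside any sliding window;
    the same shape a per-source hashlimit of 4/minute would stop."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.when)
    flagged: Set[str] = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def distributed_campaign(events: List[Failure], ignore: Set[str],
                         min_sources: int = 3) -> dict:
    """Aggregate the low-rate remainder: many sources, each under the per-IP
    limit, walking through accounts that do not exist on the host."""
    quiet = [e for e in events if e.ip not in ignore]
    sources = {e.ip for e in quiet}
    usernames = sorted({e.user for e in quiet})
    invalid = sum(1 for e in quiet if e.invalid_user)
    return {
        "sources": len(sources),
        "usernames": usernames,
        "invalid_user_attempts": invalid,
        # several sources probing several unknown accounts is a campaign,
        # not one forgetful user
        "flagged": len(sources) >= min_sources and invalid >= min_sources,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    noisy = bursting_sources(evs)
    print("per-source burst (a firewall rate limit would catch):", sorted(noisy))
    print("distributed remainder (it would not):", distributed_campaign(evs, noisy))
```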

Re: [BLUG] How many of you run home servers?

On Thu, Jul 21, 2011 at 02:32:04AM GMT, Thomas C. Knoeller [tck@pretend.net] said the following:
>
> Disagree here. I am more worried about coworkers than script kiddies.
> My coworkers know that I have ssh-agent running all the time, and
> they know the vanity domain of my home server. It would take a
> coworker less time to hack me than it takes for me to walk to the
> kitchen and back. Since I am not religious about locking the screen
> each time I walk away from the laptop, and because of the nature of
> the kids I (used to) work with, I would never use public key on a
> public facing interface.

Not knowing what you do, and putting the kids issue aside, let me
ease your worries a bit here with some logic. Yes, your coworkers
probably could gain access to your systems faster, but in most places
this would be crossing the line and grounds for immediate termination.
At least if I was in your shoes and someone did this, I would make sure
that they got fired, damn anyone who tries to say "You shouldn't have
left your screen unlocked".

This is not to say that you shouldn't lock your screen as you should
do that even at home, but what I'm trying to show here is that your
likelihood of threats is more based on fear than ease of access.

A malicious hacker in Romania basically has nothing to fear because
they know that we won't be able to do anything about it (historically)
if they hack your system. But people that you know have a lot to fear,
losing their job, being arrested, etc. You have to remember that people
are still people with basic motivations to have their life be ok.

Also, if there was someone on my team that I couldn't trust, it would
be better to know about it sooner and have them just hack into my home
server before they do something worse or before you trust them with more
information and access.

I think the biggest time that you have to worry about coworkers is
when they are fired, but hopefully they are out of the building before
they can do anything and likely would try to remote in somehow and
probably wouldn't care about your home computer.

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/

Sent from Mutt using Linux

Wednesday, July 20, 2011

Re: [BLUG] How many of you run home servers?

Thomas,

If you're not religious about locking your screen, you're asking to be
compromised in any event. There is nothing more potent than console
access when it comes to providing an easy route to break in to a
system.

For instance: If you're not religious about locking your screen, are
you religious about logging out of all root shells you may use before
you walk away? I find I need to slip away while mid-process once and a
while. If I wasn't religious about locking my screen someone could walk
up to my system, create a nefarious account, and clear the screen
before they walk away and I would be unlikely to notice.

If you're not religious about locking your screen, you need an
automatic screen saver that locks your screen, and you need that
screen saver configured to go off after no more than about 2 minutes
of inactivity. I have used such configurations in the past. These days
I do that *and* I'm religious about locking my screen.

If you normally use GNU Screen while you're su'ing on a remote
machine, you should at least configure the internal GNU Screen
screensaver with locking. It is simple to configure and it can prevent
someone from walking up and gaining access to a remote root shell.
Configured to "rain" or something it can be a handy visual reminder
"finish the task here and log out!"

Also a note, any reasonable key agent can be configured to forget the
passphrase after a particular period of time (even immediately). Using
a short passphrase and a key agent that forgets the passphrase
immediately with public key authentication is still better than being
botnet attacked for months on end. (With public key authentication
your site gets dropped from the attack list of the botnets -- they'll
know they can never succeed. Otherwise they keep consuming your
precious upstream bandwidth with requests.)

Personally, if I have a server, I want to preserve my upstream
bandwidth. These days it tends to be crazily lopsided from the
downstream bandwidth. It also removes any possibility of an attack
showing up in logs which frees a lot of mental resources for me.
(While on personal machines typically only 3 folks will have SSH
access, I've administered systems where they guessed account names of
users that can log in -- rarely but it has happened to me. In no case
did they actually catch a password/passphrase, but knowing the
username is enough of a scare.)

Cheers,
Steven Black

On Wed, Jul 20, 2011 at 10:32 PM, Thomas C. Knoeller <tck@pretend.net> wrote:
> On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
>>
>> Make sure you use Public Key authentication and disable system
>> password authentication. A lot of the SSH attacks are done by botnets.
>> [...]
>
> Disagree here.  I am more worried about coworkers than script kiddies.
>  My coworkers know that I have ssh-agent running all the time, and
> they know the vanity domain of my home server.  It would take a
> coworker less time to hack me than it takes for me to walk to the
> kitchen and back.  Since I am not religious about locking the screen
> each time I walk away from the laptop, and because of the nature of
> the kids I (used to) work with, I would never use public key on a
> public facing interface.
>
> But I should mention that I also got really sick of the script kiddie
> login attempts, so I did my own homegrown solution.  Since I have a
> publicly accessible web server running on the gateway host, I created
> a small ssl'd cgi script that, when invoked, adds the connecting ip
> address to the /etc/hosts.allow file for the sshd service.  Since it
> is ssl'd, the web server password auth is not seen cleartext on the
> wire.  And since it is just opening up the ssh port, I don't worry
> about having a strong auth password.  It's worked pretty well for me
> for several years now.
>
> That said, I do enable PKI access when inside my firewall, so I have
> mostly a false sense of security.  With easily installable keyloggers
> and with wifi access to the gooey center of my home network, there are
> still easily accessible vectors for someone determined to get in...
>
> -Tom


Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 1:36 PM, Jeremy L. Gaddis <jlgaddis@gnu.org> wrote:
>
> I also recently discovered an app that provides free two-factor
> authentication and wrote about it:
>
> http://tinyurl.com/69uqplc

+1 for the Duo Security product. Caveat, I used to work with one of
the developers. But he really is one of the brightest people I have
ever known. Anything he does has a very high trustworthiness level,
imho.

-Tom

Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> [...]

Disagree here. I am more worried about coworkers than script kiddies.
My coworkers know that I have ssh-agent running all the time, and
they know the vanity domain of my home server. It would take a
coworker less time to hack me than it takes for me to walk to the
kitchen and back. Since I am not religious about locking the screen
each time I walk away from the laptop, and because of the nature of
the kids I (used to) work with, I would never use public key on a
public facing interface.

But I should mention that I also got really sick of the script kiddie
login attempts, so I did my own homegrown solution. Since I have a
publicly accessible web server running on the gateway host, I created
a small ssl'd cgi script that, when invoked, adds the connecting ip
address to the /etc/hosts.allow file for the sshd service. Since it
is ssl'd, the web server password auth is not seen cleartext on the
wire. And since it is just opening up the ssh port, I don't worry
about having a strong auth password. It's worked pretty well for me
for several years now.

That said, I do enable PKI access when inside my firewall, so I have
mostly a false sense of security. With easily installable keyloggers
and with wifi access to the gooey center of my home network, there are
still easily accessible vectors for someone determined to get in...

-Tom

Re: [BLUG] How many of you run home servers?

Speaking of "knocking at the door"... for the person who wants access to their server from random locations... there are "port knocking" solutions where your SSH port (whatever the port number) is normally locked, but if you try to hit port A, B, and C (where A, B, and C are arbitrary closed ports) in quick succession the port opens -- but only for a brief period of time (and maybe only for that IP).

I forget the product, but there's (I think) a product to do this in the standard Debian/Ubuntu repos.

Personally, I have an SSH client (and a public key) on my cell phone. I must note that my primary requirement for a cell phone was a decent SSH client.

Cheers,
Steven Black

On Jul 20, 2011 5:10 PM, "Jeremy L. Gaddis" <jlgaddis@gnu.org> wrote:
> David Ernst <david.ernst@davidernst.net> wrote:
>> I didn't realize that these brute force attempts were so common. Had
>> to go check and see if I was getting hit with such attempts. Indeed,
>> I am. About 1500 failed attempts in the last month. As Jeremy says,
>
> [...]
>
>> I supposed using a non-standard port would keep your log files
>> cleaner, but I don't know that it really makes you any more secure.
>
> More secure? Not necessarily but, for comparison, in the last 30 days I
> see exactly zero failed attempts against SSH on a box at home (with sshd
> running on a high port). Obviously it would only take one attempt if
> the attacker guessed the right username and password, but I certainly
> have a lot less people "knocking on the door".
>
> Somebody will chime in that running sshd on a high random port is
> "security by obscurity", but I don't agree with that.
>
> --
> Jeremy L. Gaddis
>

Re: [BLUG] How many of you run home servers?

David Ernst <david.ernst@davidernst.net> wrote:
> I didn't realize that these brute force attempts were so common. Had
> to go check and see if I was getting hit with such attempts. Indeed,
> I am. About 1500 failed attempts in the last month. As Jeremy says,

[...]

> I suppose using a non-standard port would keep your log files
> cleaner, but I don't know that it really makes you any more secure.

More secure? Not necessarily but, for comparison, in the last 30 days I
see exactly zero failed attempts against SSH on a box at home (with sshd
running on a high port). Obviously it would only take one attempt if
the attacker guessed the right username and password, but I certainly
have a lot less people "knocking on the door".

Somebody will chime in that running sshd on a high random port is
"security by obscurity", but I don't agree with that.

--
Jeremy L. Gaddis

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] How many of you run home servers?

On 20 July 2011 16:51, Williams, Jeffery Allen <jefjewil@indiana.edu> wrote:
> A while back (3 or more years) there was a discussion about ssh brute force attacks.  (I think Mark sent something related to SUSO getting hammered.)  Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables.  I have other lines that limit service connections to a few per second from any source (ntp for instance).  I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

Do you have examples of each of those restrictions you added to your
iptables? I would definitely be interested in seeing them, and I
suspect others paying attention to this thread might as well.
Otherwise, a link to an appropriate tutorial might also be nice.

--
Jonathan
http://jnw.name/

> I also have notes in my firewall script about portsentry.  But I don't know if that's still a thing.
>
> Finally, my router is a piece of crap.  If too many connection attempts happen at once it just locks up until it's power cycled.  This further prevents brute force attacks (but is more than a little annoying).
>
> Jeffery Williams
> Software Engineer
> ISAT Hall
> jefjewil@indiana.edu
> Work (812) 856-1165
> Home (812) 219-5061

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] How many of you run home servers?

On Wed, Jul 20, 2011 at 03:03:20PM -0400, Jeremy L. Gaddis wrote:
>Jonathan North Washington <jonwashi@indiana.edu> wrote:
>> However, I still want to be able to open up putty from a public
>> machine somewhere and ssh to my server. Is there any way to allow
>> myself to do this short of memorising my public key or carrying it
>> around with me on flash drive or something?
>
>Just change your /etc/ssh/sshd_config to run the daemon on some high
>random port and be sure you have a strong password and you'll be fine.
>
>The automated brute force attacks are looking for the "low hanging
>fruit" -- servers w/ the SSH daemon running on 22/TCP with weak user
>passwords.

I didn't realize that these brute force attempts were so common. Had
to go check and see if I was getting hit with such attempts. Indeed,
I am. About 1500 failed attempts in the last month. As Jeremy says,
they seem to be looking for low-hanging fruit: most of the failed
attempts are to log in as 'root', which is actually not possible on my
system. Many other popular usernames are being tried: "oracle",
"mysql", "www", etc. No one has attempted to log in as a username
that actually has a password or a shell configured. I only have
one account that is open for ssh logins, and no one has even tried
that username. At 1500 attempts per month, it would be a really long
time before they got the password correct even if they knew the
username.

I suppose using a non-standard port would keep your log files
cleaner, but I don't know that it really makes you any more secure.
However, realizing that these brute force attempts are so common, I
would definitely make sure that root cannot ssh in, and use a
non-obvious username and a strong password for any accounts that can
ssh in. Then, it seems like you should be fine.

David
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
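The log check David describes above, as an added example that is not part of his post: a POSIX shell script that tallies OpenSSH "Failed password" lines by targeted user and by source address, and then picks out the only failures that matter, those aimed at an account which really exists and has a login shell. The sample log lines and passwd entries are constructed for the example (host name "home", addresses from the RFC 5737 documentation ranges, user "dernst"); on a real host you would feed it /var/log/auth.log and /etc/passwd.

```shell
#!/bin/sh
# Tally failed SSH password attempts the way David checked his logs.
# Added example, not code from the thread. On a real host:
#   failed_by_user < /var/log/auth.log
#   real_account_hits "$(cat /etc/passwd)" < /var/log/auth.log
# The sample log and passwd lines below are constructed.

SAMPLE_LOG='Jul 20 03:12:01 home sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jul 20 03:12:04 home sshd[1234]: Failed password for root from 203.0.113.5 port 41240 ssh2
Jul 20 03:12:07 home sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 50001 ssh2
Jul 20 03:12:09 home sshd[1236]: Failed password for invalid user mysql from 198.51.100.7 port 50002 ssh2
Jul 20 03:12:12 home sshd[1237]: Failed password for invalid user www from 198.51.100.7 port 50003 ssh2
Jul 20 04:00:00 home sshd[1240]: Failed password for root from 192.0.2.9 port 6000 ssh2
Jul 20 04:00:05 home sshd[1241]: Accepted publickey for dernst from 192.0.2.10 port 6001 ssh2'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:105:110:MySQL Server:/nonexistent:/bin/false
dernst:x:1000:1000:David:/home/dernst:/bin/bash'

# Print the user name targeted by each failed password attempt, one per line.
# sshd logs "Failed password for NAME from IP" for accounts that exist and
# "Failed password for invalid user NAME from IP" for unknown names.
failed_users() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") {
                u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                print u
                break
            }
        }
    }'
}

# "<count> <user>", most-attacked name first.
failed_by_user() {
    failed_users | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<count> <source ip>", noisiest source first.
failed_by_ip() {
    awk '/Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of failed attempts against one account (0 if none).
failed_count_for() {
    failed_users | grep -cx -- "$1" || true
}

# The attempts worth worrying about: failures against names that exist in
# the passwd text given as $1 and have a real login shell (not nologin/false).
real_account_hits() {
    failed_users | sort -u | awk -v passwd="$1" '
        BEGIN {
            n = split(passwd, lines, "\n")
            for (k = 1; k <= n; k++) {
                split(lines[k], f, ":")
                if (f[1] != "" && f[7] !~ /(nologin|false)$/) real[f[1]] = 1
            }
        }
        ($1 in real) { print }'
}

demo() {
    echo "== failed attempts by user =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_user
    echo "== failed attempts by source =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    echo "== failures against real accounts with a shell =="
    printf '%s\n' "$SAMPLE_LOG" | real_account_hits "$SAMPLE_PASSWD"
}

demo
```

On the sample data the only real account that gets hammered is root, which is exactly the case David covers by refusing root logins over ssh; a name in the last list that is not root is the signal to go and look harder.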

[BLUG] Blug administration question.

Crud. I forgot to edit my standard signature work which has phone numbers. Any way to back edit a post? It's been sent to the user list. I can handle that, but being kept forever on the internet at large is a little unsettling.

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] How many of you run home servers?

A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.

I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.

Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).

Jeffery Williams
Software Engineer
ISAT Hall
jefjewil@indiana.edu
Work (812) 856-1165
Home (812) 219-5061


_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
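Jonathan asked for examples of the restrictions Jeffery describes. What follows is an added example in the same spirit, not Jeffery's own firewall script: a per-source-IP limit on new SSH connections using the iptables hashlimit match, and a global cap on NTP queries using the limit match. The 4/minute figure is the one Jeffery gives; the SSH port, the NTP rate, the burst sizes and the chain name are assumptions. The script only prints the iptables commands unless IPT=iptables is set, so it can be read and checked before anything is applied.

```shell
#!/bin/sh
# Rate-limit rules in the spirit of Jeffery's description. Added example, not
# his script. Dry run by default: the iptables commands are printed. Apply
# them for real (as root, and before any catch-all ACCEPT rule) with:
#   IPT=iptables sh ratelimit.sh
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"          # assumption: change if sshd listens elsewhere
SSH_RATE="${SSH_RATE:-4/minute}"    # the figure Jeffery quotes
NTP_RATE="${NTP_RATE:-5/second}"    # assumption for "a few per second"

# Per-source limit on new SSH connections.
ssh_rules() {
    # Route every new TCP connection to sshd through its own chain.
    $IPT -N SSH_LIMIT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_LIMIT
    # hashlimit keeps a token bucket per source address: the first 4 attempts
    # are accepted at once, then one more every 15 s; the rest are dropped.
    # A source's bucket is forgotten after 60 s of silence (expire is in ms).
    # This brakes one address at a time, which is why Steven points out that
    # a botnet spreading its attempts over many addresses barely notices it.
    $IPT -A SSH_LIMIT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-upto "$SSH_RATE" --hashlimit-burst 4 \
        --hashlimit-htable-expire 60000 -j ACCEPT
    $IPT -A SSH_LIMIT -j DROP
}

# Global cap on NTP queries regardless of source. The limit match has a single
# bucket, so one chatty client can starve the others; acceptable on a home box.
ntp_rules() {
    $IPT -A INPUT -p udp --dport 123 -m limit --limit "$NTP_RATE" --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p udp --dport 123 -j DROP
}

apply_all() {
    ssh_rules
    ntp_rules
}

apply_all
```

Keep the limits loose enough for your own use: with the values above, four quick retypes of a passphrase from one address still get through, and key-based logins never hit the limit because they do not open new connections in a loop.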

Re: [BLUG] How many of you run home servers?

This is a great thread! I am learning a lot. Thanks everyone.

On 07/20/2011 12:22 PM, Steven Black wrote:
> I wanted to note:
>
> Make sure you use Public Key authentication and disable system
> password authentication. A lot of the SSH attacks are done by botnets.
> This means blocking an IP after three unsuccessful login attempts does
> absolutely nothing to actually help security.
>
> Most of my available services are done via SSH port-forwarding. I get
> to them, but random folks can not. Then again, the services I run on
> my non-work servers are not for general consumption. When you can lock
> it up with SSH port-forwarding, this is by far the best approach.
>
> When you can use HTTPS (or another SSL-wrapped service) consider using
> this instead of an unencrypted service. If it is an authenticated
> service you're sending your password in clear-text if it isn't over
> SSL -- and that is the case regardless of the protocol. Consider SSL
> client certificates if your HTTP-based service has a limited audience.
>
> Cheers,
> Steven Black
>
> On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
>> There are countless ways to try to break into a server. But in my
>> experience, the only one I've ever seen actually used - and I've seen
>> it a LOT of times - was people exploiting known security problems on
>> installed software. In other words, the server maintainers were
>> guilty of what Jonathan confesses to below: not applying security
>> updates. I should also confess that I have made this mistake before
>> and paid the same price.
>>
>> It's definitely overstatement to say "just keep your system software
>> up to date and you'll never get hacked." So, I won't say that.
>> However, I think I can stand by this: "if you have a publicly
>> accessible server that is running out-of-date software on a publicly
>> accessible port, you WILL get hacked". All of the best password
>> selections and firewall policies and such will do you no good if
>> you're running a version of apache with a security hole in it. Or
>> something like that.
>>
>> Next best advice: do not open any ports that you aren't intentionally
>> offering services on. Many many people will want to run SSH and HTTP
>> and nothing else. Some maybe just HTTP. Use a port scanner like nmap
>> to see which ports are available on your machine. The theory is
>> simple: it's fewer software programs that might be entry points to
>> your system if security holes are discovered in them.
>>
>> But, once again, I'll just say: keep your software up to date. Ubuntu
>> makes this really easy. Lots of other distros do too. So, do it.
>>
>> David
>>
>>
>>
>> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>> I run a server out of my house too, and have been doing so for about
>>> 10 years. Actually, these days it's run out of my parents' house,
>>> ever since I was out of the country for a year and needed it to stay
>>> up; before that I ran it out of my own apartments and dorm rooms (with
>>> the exception of one year--see below).
>>>
>>> The server hosts a handful of sites for various people, mostly for
>>> myself (firespeaker.org , jnw.name) and my father
>>> (salonaexploration.com , northeasterngeoscience.org).
>>>
>>> I'm also curious about the questions Ben asks, though I suppose I can
>>> add some of my own experience to the conversation.
>>>
>>> In about 2005, when my server was hosted for a little over a year out
>>> of Brandeis University's LUG (also BLUG :)'s server room, it got
>>> rooted. This was partly my own fault for not running debian security
>>> updates very often and allowing root ssh (which reminds me that I need
>>> to check that again). This is the only real problem I've had, besides
>>> thunderstorms and wind taking the server down at my parents' house
>>> from time to time. While Comcast doesn't seem to be providing a
>>> static IP address service, the IP address does not seem to have
>>> changed at all in the last four years (since I started hosting it at
>>> my parents' house).
>>>
>>> --
>>> Jonathan
>>>
>>> On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>>> I've been running a server on my home machine for some time now and
>>>> was just curious how many others out there do the same? And I'm also
>>>> wondering about security of my home machine. I'm running AjaxXplorer
>>>> on this machine to serve up some photos/videos from my home computer,
>>>> and, while it does use https, I wonder sometimes about how wise it is in
>>>> terms of a security risk. I also use Dyndns so I don't have to worry
>>>> about my changing IP and wonder if having a domain redirect from a
>>>> dyndns hostname makes me more of a target? I like to imagine that
>>>> spyware and viruses on my windows machine are a much bigger threat
>>>> than someone trying to hack into my little ubuntu server machine, but
>>>> I thought I'd ask anyone out there if they have any opinions?
>>>>
>>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>>> and any little home servers you may be running!
>>>>
>>>> Ben
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] How many of you run home servers?

Jonathan North Washington <jonwashi@indiana.edu> wrote:
> However, I still want to be able to open up putty from a public
> machine somewhere and ssh to my server. Is there any way to allow
> myself to do this short of memorising my public key or carrying it
> around with me on flash drive or something?

Just change your /etc/ssh/sshd_config to run the daemon on some high
random port and be sure you have a strong password and you'll be fine.

The automated brute force attacks are looking for the "low hanging
fruit" -- servers w/ the SSH daemon running on 22/TCP with weak user
passwords.

--
Jeremy L. Gaddis


Re: [BLUG] How many of you run home servers?

With all this talk of public-key authentication, I'm rethinking
leaving my server open to password authentication over ssh.

However, I still want to be able to open up putty from a public
machine somewhere and ssh to my server. Is there any way to allow
myself to do this short of memorising my public key or carrying it
around with me on flash drive or something?

--
Jonathan

On 20 July 2011 13:36, Jeremy L. Gaddis <jlgaddis@gnu.org> wrote:
> Ben Shewmaker <ben@shewbox.org> wrote:
>> I've been running a server on my home machine for some time now and
>> was just curious how many others out there do the same?  And I'm also
>> wondering about security of my home machine.  I'm running AjaxXplorer
>> on this machine to serve up some photos/videos from my home computer,
>> and, while it does use https, I wonder sometimes about how wise it is in
>> terms of a security risk.  I also use Dyndns so I don't have to worry
>> about my changing IP and wonder if having a domain redirect from a
>> dyndns hostname makes me more of a target?  I like to imagine that
>> spyware and viruses on my windows machine are a much bigger threat
>> than someone trying to hack into my little ubuntu server machine, but
>> I thought I'd ask anyone out there if they have any opinions?
>
> As others have mentioned, if you have SSH open you'll likely be hit
> constantly by attempts to brute force usernames and passwords. Using
> public key authentication will take care of that.
>
> I also recently discovered an app that provides free two-factor
> authentication and wrote about it:
>
> http://tinyurl.com/69uqplc
>
> I'm not using it on a home server, but I am using it on a web server
> that's exposed to the world. Works great (with my Android phone) and you
> can't beat the price.
>
> --
> Jeremy L. Gaddis
>

Re: [BLUG] How many of you run home servers?

Ben Shewmaker <ben@shewbox.org> wrote:
> I've been running a server on my home machine for some time now and
> was just curious how many others out there do the same? And I'm also
> wondering about security of my home machine. I'm running AjaxXplorer
> on this machine to serve up some photos/videos from my home computer,
> and, while it does use https, I wonder sometimes about how wise it is in
> terms of a security risk. I also use Dyndns so I don't have to worry
> about my changing IP and wonder if having a domain redirect from a
> dyndns hostname makes me more of a target? I like to imagine that
> spyware and viruses on my windows machine are a much bigger threat
> than someone trying to hack into my little ubuntu server machine, but
> I thought I'd ask anyone out there if they have any opinions?

As others have mentioned, if you have SSH open you'll likely be hit
constantly by attempts to brute force usernames and passwords. Using
public key authentication will take care of that.

I also recently discovered an app that provides free two-factor
authentication and wrote about it:

http://tinyurl.com/69uqplc

I'm not using it on a home server, but I am using it on a web server
that's exposed to the world. Works great (with my Android phone) and you
can't beat the price.

--
Jeremy L. Gaddis


Re: [BLUG] How many of you run home servers?

I host a few services from home like a MOO (Mud-like service), but I keep ssh on a high-numbered port along with other basic security measures. At the very least it keeps the ssh grinders off my front door, although it's no substitute for iptables, denyhosts, and security updates. I also keep my photo albums on my home web server; I don't have the patience to upload pictures to flickr and the like. I also have a cron that does a yum update on all internet-facing services at regular intervals as well.


On Jul 20, 2011, at 1:04 PM, Kirk Gleason wrote:

> I have a couple of home servers, but none of them are publicly accessible anymore. I used to host DNS for myself and some friends off of my Comcast connection a few years ago, as well as a small mail domain for myself; but I got bored with it, so now I just have file and proxy servers at home.
>
> When I did run public services, I only allowed through what I explicitly needed from the outside -- smtp, DNS, and ssh. Every other service that I needed access to I would access through an SSH tunnel. I also would test my firewall frequently, and I used to ask my IRC friend to test it for me as well.
>
> Maybe I'll need to build myself up a new server, and give my son that web page he has been asking for ...
>
> Kirk



Re: [BLUG] How many of you run home servers?

I have a couple of home servers, but none of them are publicly accessible anymore. I used to host DNS for myself and some friends off of my Comcast connection a few years ago, as well as a small mail domain for myself; but I got bored with it, so now I just have file and proxy servers at home.

When I did run public services, I only allowed through what I explicitly needed from the outside -- smtp, DNS, and ssh. Every other service that I needed access to I would access through an SSH tunnel. I also would test my firewall frequently, and I used to ask my IRC friend to test it for me as well.

Maybe I'll need to build myself up a new server, and give my son that web page he has been asking for ...

Kirk

On Wed, Jul 20, 2011 at 12:22 PM, Steven Black <yam655@gmail.com> wrote:
I wanted to note:

Make sure you use Public Key authentication and disable system
password authentication. A lot of the SSH attacks are done by botnets.
This means blocking an IP after three unsuccessful login attempts does
absolutely nothing to actually help security.

Most of my available services are done via SSH port-forwarding. I get
to them, but random folks can not. Then again, the services I run on
my non-work servers are not for general consumption. When you can lock
it up with SSH port-forwarding, this is by far the best approach.

When you can use HTTPS (or another SSL-wrapped service) consider using
this instead of an unencrypted service. If it is an authenticated
service you're sending your password in clear-text if it isn't over
SSL -- and that is the case regardless of the protocol. Consider SSL
client certificates if your HTTP-based service has a limited audience.

Cheers,
Steven Black

On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
> There are countless ways to try to break into a server.  But in my
> experience, the only one I've ever seen actually used - and I've seen
> it a LOT of times - was people exploiting known security problems on
> installed software.  In other words, the server maintainers were
> guilty of what Jonathan confesses to below: not applying security
> updates.  I should also confess that I have made this mistake before
> and paid the same price.
>
> It's definitely overstatement to say "just keep your system software
> up to date and you'll never get hacked."  So, I won't say that.
> However, I think I can stand by this: "if you have a publicly
> accessible server that is running out-of-date software on a publicly
> accessible port, you WILL get hacked".  All of the best password
> selections and firewall policies and such will do you no good if
> you're running a version of apache with a security hole in it.  Or
> something like that.
>
> Next best advice: do not open any ports that you aren't intentionally
> offering services on.  Many many people will want to run SSH and HTTP
> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
> to see which ports are available on your machine.  The theory is
> simple: it's fewer software programs that might be entry points to
> your system if security holes are discovered in them.
>
> But, once again, I'll just say: keep your software up to date.  Ubuntu
> makes this really easy.  Lots of other distros do too.  So, do it.
>
> David
>
>
>
> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>I run a server out of my house too, and have been doing so for about
>>10 years.  Actually, these days it's run out of my parents' house,
>>ever since I was out of the country for a year and needed it to stay
>>up; before that I ran it out of my own apartments and dorm rooms (with
>>the exception of one year--see below).
>>
>>The server hosts a handful of sites for various people, mostly for
>>myself (firespeaker.org , jnw.name) and my father
>>(salonaexploration.com , northeasterngeoscience.org).
>>
>>I'm also curious about the questions Ben asks, though I suppose I can
>>add some of my own experience to the conversation.
>>
>>In about 2005, when my server was hosted for a little over a year out
>>of Brandeis University's LUG (also BLUG :)'s server room, it got
>>rooted.  This was partly my own fault for not running debian security
>>updates very often and allowing root ssh (which reminds me that I need
>>to check that again).  This is the only real problem I've had, besides
>>thunderstorms and wind taking the server down at my parents' house
>>from time to time.  While Comcast doesn't seem to be providing a
>>static IP address service, the IP address does not seem to have
>>changed at all in the last four years (since I started hosting it at
>>my parents' house).
>>
>>--
>>Jonathan
>>
>>On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>> I've been running a server on my home machine for some time now and
>>> was just curious how many others out there do the same?  And I'm also
>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>> on this machine to serve up some photos/videos from my home computer,
>>> and, while it does use https, I wonder sometimes about how wise it is in
>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>> about my changing IP and wonder if having a domain redirect from a
>>> dyndns hostname makes me more of a target?  I like to imagine that
>>> spyware and viruses on my windows machine are a much bigger threat
>>> than someone trying to hack into my little ubuntu server machine, but
>>> I thought I'd ask anyone out there if they have any opinions?
>>>
>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>> and any little home servers you may be running!
>>>
>>> Ben



--
Kirk Gleason

Re: [BLUG] How many of you run home servers?

I wanted to note:

Make sure you use Public Key authentication and disable system
password authentication. A lot of the SSH attacks are done by botnets.
This means blocking an IP after three unsuccessful login attempts does
absolutely nothing to actually help security.

Most of my available services are done via SSH port-forwarding. I get
to them, but random folks can not. Then again, the services I run on
my non-work servers are not for general consumption. When you can lock
it up with SSH port-forwarding, this is by far the best approach.

When you can use HTTPS (or another SSL-wrapped service) consider using
this instead of an unencrypted service. If it is an authenticated
service you're sending your password in clear-text if it isn't over
SSL -- and that is the case regardless of the protocol. Consider SSL
client certificates if your HTTP-based service has a limited audience.

Cheers,
Steven Black

On Mon, Jul 18, 2011 at 3:52 PM, David Ernst <david.ernst@davidernst.net> wrote:
> There are countless ways to try to break into a server.  But in my
> experience, the only one I've ever seen actually used - and I've seen
> it a LOT of times - was people exploiting known security problems on
> installed software.  In other words, the server maintainers were
> guilty of what Jonathan confesses to below: not applying security
> updates.  I should also confess that I have made this mistake before
> and paid the same price.
>
> It's definitely overstatement to say "just keep your system software
> up to date and you'll never get hacked."  So, I won't say that.
> However, I think I can stand by this: "if you have a publicly
> accessible server that is running out-of-date software on a publicly
> accessible port, you WILL get hacked".  All of the best password
> selections and firewall policies and such will do you no good if
> you're running a version of apache with a security hole in it.  Or
> something like that.
>
> Next best advice: do not open any ports that you aren't intentionally
> offering services on.  Many many people will want to run SSH and HTTP
> and nothing else.  Some maybe just HTTP.  Use a port scanner like nmap
> to see which ports are available on your machine.  The theory is
> simple: it's fewer software programs that might be entry points to
> your system if security holes are discovered in them.
>
> But, once again, I'll just say: keep your software up to date.  Ubuntu
> makes this really easy.  Lots of other distros do too.  So, do it.
>
> David
>
>
>
> On Mon, Jul 18, 2011 at 03:37:48PM -0400, Jonathan North Washington wrote:
>>I run a server out of my house too, and have been doing so for about
>>10 years.  Actually, these days it's run out of my parents' house,
>>ever since I was out of the country for a year and needed it to stay
>>up; before that I ran it out of my own apartments and dorm rooms (with
>>the exception of one year--see below).
>>
>>The server hosts a handful of sites for various people, mostly for
>>myself (firespeaker.org , jnw.name) and my father
>>(salonaexploration.com , northeasterngeoscience.org).
>>
>>I'm also curious about the questions Ben asks, though I suppose I can
>>add some of my own experience to the conversation.
>>
>>In about 2005, when my server was hosted for a little over a year out
>>of Brandeis University's LUG (also BLUG :)'s server room, it got
>>rooted.  This was partly my own fault for not running debian security
>>updates very often and allowing root ssh (which reminds me that I need
>>to check that again).  This is the only real problem I've had, besides
>>thunderstorms and wind taking the server down at my parents' house
>>from time to time.  While Comcast doesn't seem to be providing a
>>static IP address service, the IP address does not seem to have
>>changed at all in the last four years (since I started hosting it at
>>my parents' house).
>>
>>--
>>Jonathan
>>
>>On 18 July 2011 15:20, Ben Shewmaker <ben@shewbox.org> wrote:
>>> I've been running a server on my home machine for some time now and
>>> was just curious how many others out there do the same?  And I'm also
>>> wondering about security of my home machine.  I'm running AjaxXplorer
>>> on this machine to serve up some photos/videos from my home computer,
>>> and, while it does use https, I wonder sometimes about how wise it is in
>>> terms of a security risk.  I also use Dyndns so I don't have to worry
>>> about my changing IP and wonder if having a domain redirect from a
>>> dyndns hostname makes me more of a target?  I like to imagine that
>>> spyware and viruses on my windows machine are a much bigger threat
>>> than someone trying to hack into my little ubuntu server machine, but
>>> I thought I'd ask anyone out there if they have any opinions?
>>>
>>> Thanks, and I hope everyone's A/C is working well both for your sanity
>>> and any little home servers you may be running!
>>>
>>> Ben
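The sshd hardening Jeremy and Steven recommend in the replies above (sshd off port 22, public-key only, password authentication disabled, no root login) turned into a check an admin can run against the config file before restarting the daemon. This is an added example, not code from the thread; the two sample config files and the port number 22022 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings recommended above (password auth off, no root login, sshd moved
# off port 22). Two sshd parsing rules drive the check:
#  - sshd keeps the FIRST value it reads for a keyword, so a hardened line
#    appended below a distro-shipped "PasswordAuthentication yes" is ignored;
#  - keywords after a "Match" header are conditional, so the audit stops there.

# effective_value FILE KEYWORD: print the first uncommented value (empty if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }    # blank line or comment
        tolower($1) == "match" { exit }    # conditional section: stop reading
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line (prints nothing when clean)
audit_sshd_config() {
    f="$1"
    pw=$(effective_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(effective_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    port=$(effective_value "$f" Port)
    # An unset keyword takes sshd's built-in default: password auth on, port 22.
    [ "${pw:-yes}" = "no" ]   || echo "PasswordAuthentication=${pw:-unset}: expected no"
    [ "$root" = "no" ]        || echo "PermitRootLogin=${root:-unset}: expected no"
    [ "${port:-22}" != "22" ] || echo "Port=22: sshd still listens on the default port"
}

# Constructed sample configs, written to a temp dir so the block runs stand-alone.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/trap.conf" <<'EOF'
# distro-shipped lines near the top ...
Port 22
PasswordAuthentication yes
# ... and hardening appended at the bottom, which sshd never reads
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLES/hardened.conf" <<'EOF'
Port 22022
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF

echo "== trap.conf ==";     audit_sshd_config "$SAMPLES/trap.conf"
echo "== hardened.conf =="; audit_sshd_config "$SAMPLES/hardened.conf"
```

Running it against a real file (`audit_sshd_config /etc/ssh/sshd_config`) reports the two findings for the first sample and nothing for the second; `sshd -T` on the host is the authoritative way to confirm the effective values once the file is in place.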