Tightening security for SSH Server…

Hi all.

When I was setting up my server a while back I noticed hundreds of entries in my:

/var/log/auth.log

about failed login attempts from various IPs with various logins. I wondered what it was until I saw this:

Cracking SSH Logins Video

Conclusions? There is at least one (wishful thinking…) bot out there which scans the entire range of IPs for an open port 22 and uses some brute-force tool to try to crack it. Now that’s not a very positive conclusion for all the SSH users…

What can be done about this? There are 3 things You can do.

A) Forbid root login – that’s the default option in PCLinuxOS.
B) Install fail2ban via synaptic
C) Change the SSH port from 22 to something above 10100

I use all of them.

Forbidding root login is a must. Root is the only login that is 100% sure to exist on every Linux based system. The attacker doesn’t have to guess it. It’s there for sure. Now all he has to do is guess the password. Blocking root login forces him to guess Your user login and the password as well. This is more difficult for them and that’s the whole point.

PCLinuxOS uses interesting settings in its config files. If You look at the file:

/etc/ssh/denyusers

You will see that it contains the word root.

This setting blocks all attempts to log in as root on Your SSH server and yet allows You to use the su command for Your convenience. Why? Even if the attacker knows the root password he will not be able to log in. However, a user who is logged into the system via SSH can raise his privileges using the su command. This is secure and comfortable at the same time. Sometimes root’s privileges are necessary, so PCLinuxOS does allow You to gain root, and yet You have to log in as a user and know the root password to gain full control over the machine.

Another method – Fail2ban – (You will find it in our repositories) adds a firewall rule that blocks all attempts to connect to the SSH port from a machine that unsuccessfully tried to log in X times in a Y time period. Example – the machine xxx.yyy.zzz.uuu tried to log in with the logins jack, ann and mark, 3 times in a 20 minute period, so it got banned for an hour.

You can set X and Y in the fail2ban config file:

/etc/fail2ban/jail.conf

and if You have a local e-mail server configured – fail2ban will send You a message with notifications about new events.

Fail2ban protects not only SSH but also FTP, SFTP and other protocols that use authentication. Very cool tool.
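To make the X-in-Y rule concrete, here is an added Python illustration (not from the post and not fail2ban’s own code) that replays fail2ban’s rule over a few constructed auth.log lines, 3 failures from one IP within 20 minutes earning a one hour ban as in the example above; the host name, IP addresses and log lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log: documentation-range IPs, and the
# usernames jack, ann and mark from the post's own example.
SAMPLE_AUTH_LOG = """\
Jan 10 01:00:00 myserver sshd[2101]: Failed password for root from 203.0.113.9 port 42001 ssh2
Jan 10 02:10:00 myserver sshd[2150]: Failed password for root from 203.0.113.9 port 42002 ssh2
Jan 10 03:00:01 myserver sshd[2201]: Failed password for invalid user jack from 203.0.113.5 port 51234 ssh2
Jan 10 03:07:15 myserver sshd[2210]: Failed password for invalid user ann from 203.0.113.5 port 51240 ssh2
Jan 10 03:08:02 myserver sshd[2215]: Accepted publickey for mylogin from 192.0.2.10 port 40022 ssh2
Jan 10 03:11:44 myserver sshd[2222]: Failed password for invalid user mark from 203.0.113.5 port 51251 ssh2
Jan 10 03:20:00 myserver sshd[2230]: Failed password for root from 198.51.100.7 port 60001 ssh2
Jan 10 03:21:30 myserver sshd[2233]: Failed password for root from 198.51.100.7 port 60002 ssh2
Jan 10 03:30:00 myserver sshd[2240]: Failed password for root from 203.0.113.9 port 42003 ssh2
"""

# One failed password attempt as sshd writes it through syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; strptime defaults to 1900


def parse_failed_logins(lines):
    """Yield (seconds, user, ip) for every failed-password line, in file order."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield (ts - EPOCH).total_seconds(), m.group("user"), m.group("ip")


def find_bans(lines, maxretry=3, findtime=20 * 60, bantime=60 * 60):
    """Replay the log with fail2ban's rule: maxretry failures within findtime
    seconds from one IP earn it a ban of bantime seconds.  Returns ip -> expiry."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    banned_until = {}
    for t, _user, ip in parse_failed_logins(lines):
        if t < banned_until.get(ip, 0):
            continue  # fail2ban's firewall rule would already be dropping this host
        q = recent[ip]
        q.append(t)
        while t - q[0] > findtime:  # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = t + bantime
            q.clear()
    return banned_until


def banned_ips(lines, **rule):
    """Sorted list of the IPs the rule would have banned; handy for a cron report."""
    return sorted(find_bans(lines, **rule))


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} for the next hour (window ends at {until:.0f}s)")
```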

Another thing You can do is change the port of the SSH server. Here is how it’s done.

Changing Port For SSH Server Video

Why change the port and why above 10100? The default port for SSH is 22. All the script kiddies aka skiddies will use that port in their bots. Even if a script kiddie is smart and scans Your IP with a port scanner like nmap – by default he will scan the first 10000 ports only. Setting up SSH above that will cause the port scanner to find ZIP, ZERO, NADA, BIG BOBKAS. Even if the skiddy is smarter than that and scans all 65k ports, the open port will be shown as an unknown service. He would have to add a few more switches to nmap to find out that it’s an SSH server. Skiddies are mostly lazy and they go after the easy prey. Making it just that little bit more difficult can be a blessing for Your security.

So far those three steps are what I have learned about securing an SSH server. Maybe in the future, if I learn something new, I will add it in a new post.

Remember that even the weakest protection is better than no protection at all.

Regards.

Andy

Hey! I have port XXX open! What is using it?

Hi all.

I was messing around on my server some time ago and I nmap-ed myself and noticed port XXX open. I knew I had something running on the server on the LAN side and I couldn’t remember what it was!

So I googled a bit and came up with this command:

netstat -tlnp | grep XXX

It must be run as root. If You run it as a user and the process is root owned – You won’t be given access to the information about the process.

Let’s say the open port is 22… I know it’s SSH but let’s say I “forgot”.

Example.

As You can see the user failed, but root got detailed information about the process and its id number.

Sometimes You need to skip some of the switches in the command, like t for example, because the process is not using TCP but UDP.

That’s all – simple as that…

Andy

Blocking port 113 in shorewall – PCLinuxOS default firewall.

Hi all.

I was using the GRC.com Shields Up – Internet Vulnerability Profiling tool to verify that all of my ports were in stealth mode and I failed with port 113. When setting up my firewall I chose all the ports to be closed, and they were indeed, however Shields Up was showing this port as closed and yet responding to the “knocking”. I blocked PING / ICMP requests and still – same story.

I found a solution.

Open a console and log in as root using the su command. Then using Your favorite file editor (vi, mcedit, joe etc…) edit the file /etc/shorewall/rules and add this line:

DROP net fw tcp 113

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION   SOURCE   DEST   PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                 PORT     PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
INCLUDE rules.drakx
DROP net fw tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Save the file and run this command:

service shorewall restart

and re-test Your firewall with Shields Up. If You are lucky You should see something like this:

Stealth mode.

Btw. Thanks to Mr. Steve Gibson for such a powerful tool!

Andy

Mencoder… Shalalala – I am loving it ;)!

Hi all.

Mencoder? What is mencoder…

Command:

man mencoder

says it all…

Mencoder (MPlayer’s Movie Encoder) is a simple movie encoder, designed to encode MPlayer-playable movies (see above) to other MPlayer-playable formats (see below). It encodes to MPEG-4 (DivX/Xvid), one of the libavcodec codecs and PCM/MP3/VBRMP3 audio in 1, 2 or 3 passes. Furthermore it has stream copying abilities, a powerful filter system (crop, expand, flip, postprocess, rotate, scale, noise, RGB/YUV conversion) and more.

The truth is that the mencoder tool is so POWERFUL that its man page is the size of a book… The truth is – I don’t really know mencoder – I am using only a fraction of its possibilities. I am going to share here what I have learned over the last two years. It’s not much – but the knowledge has served me well.

From any format to PSP mp4 format:

mencoder /path/to/input.file -oac lavc -ovc lavc -of lavf -lavcopts aglobal=1:vglobal=1:vcodec=mpeg4:vbitrate=384:acodec=libfaac -af lavcresample=24000 -vf scale=368:208,harddup -lavfopts format=psp -ofps 15 -o /path/to/file.mp4

Add music to the video file:

mencoder -ovc copy -audiofile /path/to/file.mp3 -oac copy /path/to/nosound.avi -o /path/to/filewithmusic.avi

Resize to 320 x 240 resolution:

mencoder /path/to/input.avi -ovc lavc -lavcopts vcodec=mpeg4:mbd=2:trell -oac copy -vf scale=320:240 -o /path/to/output.avi

Join 2 files into 1:

mencoder -forceidx -ovc copy -oac copy -o /path/to/joined.avi /path/to/part_1.avi /path/to/part_2.avi

AVI to FLV (Flash Video):

mencoder -forceidx -of lavf -oac mp3lame -lameopts abr:br=56 -srate 22050 -ovc lavc -lavcopts vcodec=flv:vbitrate=250:mbd=2:mv0:trell:v4mv:cbp:last_pred=3 -vf scale=360:240 -o /path/to/output.flv /path/to/source.avi

Any video to AVI:

mencoder /path/to/input.file -o /path/to/file.avi -ovc lavc -oac pcm

Extract soundtrack from the video file:

mplayer -dumpaudio /path/to/video.file -dumpfile /where/to/save/file.mp3

Remove the current audio track (creates silent video):

mencoder -ovc copy -nosound /path/to/withsound.avi -o /path/to/withoutsound.avi

Speed up video x times:

mencoder -o /path/to/faster.avi -speed 4 -ofps 25 -vf framestep=2 -ovc lavc -lavcopts vcodec=mpeg4 /path/to/normal/pace.avi

Change the value of -speed to 2 if the output is too fast. Change the value of framestep= to drop more or fewer frames in the process.

Rotate video X degrees:

mencoder -vf rotate=1 -o /path/to/rotated/output.avi -oac copy -ovc lavc /path/to/input.avi

In this case the video is rotated 90 degrees clockwise. Change the value of rotate= to get a different rotation.

Hope someone finds it useful someday.

Andy

KDE4 Resizing Pidgin Conversation Window

Hi all.

Something quick and yet pretty cool. Resizing the Pidgin conversation window.

A) Right click on the top window bar, the one with Close, Minimize, Maximize buttons.
B) From the menu choose Advanced > Special Window Settings.
C) Now in there go to the Size on the Geometry tab.
D) Check the box next to the Size entry and choose Force from drop-down menu.
E) Now change the first entry from 475 to let’s say 375 or 275 – whatever floats Your boat – and OK the window.

KDE4 HOWTO Resizing Pidgin Conversation Window Video.

This is one of the reasons why I love KDE4…

Videos were uploaded thanks to Cyryl. Thanks again Dude.

Andy

Misiasty The Hamster Video Compilations…

Hi all ;).

Today something from a different barrel, as we say in Poland :). No Linux. No software. Just fun.

Although I could mention that I used mencoder / avidemux-qt to edit those videos under PCLinuxOS…

The first video was made over a year ago when I was still a big fan of google and youtube…

Misiasty The Hamster Video Compilation 1.avi

The second video was made yesterday. It’s 00:49 so yes, it’s Wednesday already. No sound or any mad intros. Just vid.

Misiasty The Hamster Video Compilation 2.avi

Videos were uploaded thanks to Cyryl. Thanks again Dude.

Enjoy.

Andy

Sending logs from the server to Your e-mail account using a local mail server.

Hi all.

It was 5 am when I woke up and could not sleep anymore. I went to bed around 2 am… 3 hours of sleep and boom…

Sleep is for the weak!! This is SPARTA!!

Awesome…

So I decided to do something with this time… Instead of lying in bed and trying to fall asleep again I decided to work on a little project. I had been thinking about it for a while. I have sendmail – a mail server – running for the local network. I don’t like my own way of reading the system logs. I log into the server via ssh, su myself to root and use mc to read the logs, and they are always big and horrible… Loving mc, I have to say I miss the scroll bar on the side… Pg UP / Pg DN are awesome but I would just love to click in the middle of the scroll bar and read that exact moment of the log. Or just drag it up or down…

Would it be easier to read those logs from, let’s say… Thunderbird on the LAN client? It sure would be easier / nicer / cleaner and, let’s say, more efficient… Ok so… Let’s learn something new and go back to bed…

The GOAL of this project is:

I want to send an e-mail to myself containing info from the server log and then read the message using some nice GUI mail client like Thunderbird for example. All this was done before… besides sending the logs. I will not be explaining here how to configure the sendmail server. Not today anyway. I configured it in the past after a lot of reading and messing around. I can check my system mail from the LAN client via a secure (SSL) pop3s socket. Now all I need to figure out is how to send the logs to myself. HMMMM…

A bit of searching online and I had my first idea:

/bin/mail mylogin@myserver.net < /var/log/httpd/access_log

HA! Now ain’t that sweet? This throws the entire content of the access_log into the e-mail message and sends it to the chosen e-mail address.

Yes it is sweet…

BUT there are always BUTS…

If I keep sending this file to myself over and over and over again the message is going to get big. After a while of adding data to the log file it’s gonna get really BIG and it’s gonna be hard to read and it’s gonna take a long time to send. It’s gonna mess up my network traffic badly too. I was going to make things easier for myself – not harder. How about cleaning the log file after I send it to myself, so the next time I get this email I get the NEW info only? No repetitive content. If I want to browse previous entries – I will browse older mail. If I want extra backups – I will set Thunderbird filters to forward all the log-mail to my other e-mail accounts. Sounds awesome.

A bit of searching online and I was nowhere… I must have used the wrong search terms… Or the internet is full of junk. Pick one.

So it was time for plan B. Think! You do not want to let me sleep so be useful! And a few minutes later I had another idea…

echo "" > /var/log/httpd/access_log

After running this command the access_log had only one line in it. Lovely.

So all I need is to combine those 2 commands and I am good.

/bin/mail mylogin@myserver.net < /var/log/httpd/access_log && echo "" > /var/log/httpd/access_log

Magic of && :D! After successfully running one command – run another command.

W00t! I got the log file to be cleared after it was sent to me.

BUT there are always BUTS…

The log-mail came with an empty subject line. Wouldn’t it be nice to have the file name in the subject line? It would!

Go my search engine. Bring me solutions!

A few minutes later the command looked like this:

/bin/mail -s /var/log/httpd/access_log mylogin@myserver.net < /var/log/httpd/access_log && echo "" > /var/log/httpd/access_log

Heck yeah! Now those e-mails look much better!

BUT there are always BUTS!

Wouldn’t it be nice to have the date and time at the beginning of these emails and a nice empty line after it to make them look better? I know I could look at the time stamp of the e-mail itself… I know logs have the date and time in them… but I want to make it look nicer…

/bin/mail -s /var/log/httpd/access_log mylogin@myserver.net < /var/log/httpd/access_log && date > /var/log/httpd/access_log && echo "" >> /var/log/httpd/access_log

This was my final product… and I was happy with it and almost ready to go back to bed. Almost…

BUT there are always BUTS…

Am I going to send those e-mails to myself? There are several log files in the /var/log/ folder. Dmesg / Auth and so on and so forth… Making things easier seems complicated sometimes ;).

Ok so I can create scripts! Ok I can. Let’s do that…

touch /root/accesshttpmail.sh && chmod 700 /root/accesshttpmail.sh && echo '/bin/mail -s /var/log/httpd/access_log mylogin@myserver.net < /var/log/httpd/access_log && date > /var/log/httpd/access_log && echo "" >> /var/log/httpd/access_log' > /root/accesshttpmail.sh

And so I ran similar commands for all the files I wanted to have sent to me.

I ended up having several executable scripts in my /root/ folder. Root owned, with read, write and execute permissions for root only. Awesome! Now I don’t have to remember all those commands! I can just run those scripts, right?

BUT there are always BUTS!

Why would I do it manually when PCLinuxOS can do it for me? Automation with cron is a blessing!

So I run

crontab -e

and using vi I edited the crontab entries so that my scripts are executed every 4 hours…

Example of crontab entry.
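As an added example (my own script, not the post’s), here is the same mail-the-new-entries job in Python with one change of technique: instead of clearing the log after sending it, it remembers how far each file was read in a state file, so the log on disk is never truncated and entries written between the send and the clear are not lost. The sendmail path and the state-file location are assumptions.

```python
import json
import os
import subprocess
from datetime import datetime
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"            # assumed path of the local sendmail binary
STATE_FILE = "/root/logmail-offsets.json"  # assumed; remembers how far each log was read


def new_entries(data, offset):
    """Return (text_since_offset, new_offset) for the raw bytes of a log file.
    A file shorter than the offset was rotated, so reading restarts at 0."""
    if offset > len(data):
        offset = 0
    chunk = data[offset:]
    return chunk.decode("utf-8", "replace"), offset + len(chunk)


def build_message(log_path, text, sender, recipient, stamp=None):
    """The e-mail the post describes: file name as the subject, date and a blank
    line first, then only the entries that have not been mailed before."""
    stamp = stamp or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = log_path
    msg.set_content(f"{stamp}\n\n{text}")
    return msg


def load_offsets(state_file=STATE_FILE):
    try:
        with open(state_file) as f:
            return json.load(f)
    except (OSError, ValueError):
        return {}  # first run, or an unreadable state file: mail everything once


def mail_logs(log_paths, sender, recipient, state_file=STATE_FILE):
    """Mail what was appended to each log since the last run, without ever
    truncating the log itself, so the original evidence stays on disk."""
    offsets = load_offsets(state_file)
    for path in log_paths:
        with open(path, "rb") as f:
            data = f.read()
        text, offsets[path] = new_entries(data, offsets.get(path, 0))
        if not text:
            continue  # nothing new, so no empty mail
        msg = build_message(path, text, sender, recipient)
        subprocess.run([SENDMAIL, "-t", "-oi"], input=bytes(msg), check=True)
    tmp = state_file + ".tmp"
    with open(tmp, "w") as f:
        json.dump(offsets, f)
    os.replace(tmp, state_file)  # atomic update: a crash cannot corrupt the state


if __name__ == "__main__":
    mail_logs(["/var/log/httpd/access_log", "/var/log/auth.log"],
              "root@myserver.net", "mylogin@myserver.net")
```

Run it from the same crontab entry as the post’s scripts; it has to run as root for the same reason, the logs are root readable only.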

It all came out fantastic. I am really happy that I spent an hour trying to figure it out…

Triple W00t

And about going back to bed? There is no point. It’s 9 am and I just made myself another mug of coffee… I spent the lion’s share of the last 4 hours writing this…

It was worth it though. Sleep is overrated. Sleep is for the weak! In the future if I suffer brain damage and forget everything I can always come back here and read it. LOL!

Enjoy!

Andy

EDIT: A brain is needed when following this howto. All the commands in this howto have to be run as root so be careful and do not mess up. I am not taking any responsibility for Your mistakes.

Copying files securely between local machine and shell account.

Hi all…

Let’s say that I have created a VERY important file… It’s a file called example.txt and it’s placed in my home (~) folder…

touch ~/example.txt

I want to copy this file to my remotemachine.net, to mylogin’s home folder… but I don’t want anyone to be able to sniff the file’s content… The remote machine has an SSH server running. Scp is perfect for this task. It uses ssh and its encryption, so if You have set up the private and public key You can send the files securely without giving a password…

How to use it?

Syntax:

scp /path/to/secret/file.ext who@host:/where/to/save/

Example:

scp ~/example.txt mylogin@remotemachine.net:~

Result:

example.txt 100% 0 0.0KB/s 00:00

Check procedure:

Log into the remote machine:

ssh -l mylogin remotemachine.net

List the file:

ls ~/example.txt

Tadaaaa:

/home/mylogin/example.txt

SCP in action

Hope this helps somebody someday.

Andy

Passwordless SSH authentication. Using authentication keys.

Hi all.

It would drive me bananas if I had to remember a password for each and every one of my shell accounts… leaving the account with no password is unacceptable, however, from the security point of view. Solution? Use authentication keys – public and private.

How to get them? It’s very easy.

Open terminal on Your local machine.

Use command:

ssh-keygen -t rsa

When asked for:

Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):

Press [ENTER].

Enter passphrase (empty for no passphrase)

Press [ENTER].

Enter same passphrase again:

Press [ENTER].

Passwordless SSH - work in progress...

[mylogin@myhostname ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):
Created directory '/home/mylogin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mylogin/.ssh/id_rsa.
Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:7b mylogin@myhostname.local
The key's randomart image is:
+--[ RSA 2048]----+
RANDOM ART
BLAH
BLAH
+-----------------+
[mylogin@myhostname ~]$

SO what have You done so far? You have generated a pair of authentication keys. Private – which is for Your eyes only, and public – which can be shown to anyone.

The keys are placed in these two files:

Your identification has been saved in /home/mylogin/.ssh/id_rsa. <<< PRIVATE KEY

Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub. <<< PUBLIC KEY

Run this command:

cat /home/mylogin/.ssh/id_rsa.pub

Let’s say it spits out this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local

Now copy this ^^^ ENTIRE line.

Now that You have generated the authentication keys and copied the public one – You have to place the public key in a file on the remote machine. Not just any file. It’s a specific file in a specific folder, both with specific permissions.

Passwordless SSH... Almost there but not quite yet...

Open a new terminal. Ssh Yourself to remotemachine.net

ssh -l mylogin remotemachine.net

Create the directory .ssh in Your home folder

mkdir ~/.ssh

Give it correct permissions:

chmod 700 ~/.ssh

Create the file authorized_keys in the newly created directory

touch ~/.ssh/authorized_keys

Give it correct permissions:

chmod 600 ~/.ssh/authorized_keys

Paste the content previously copied from the cat /home/mylogin/.ssh/id_rsa.pub command, combined with

echo "PASTE" > ~/.ssh/authorized_keys

Example:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local" > ~/.ssh/authorized_keys

Logout from the remote machine:

exit

Log back in.

ssh -l mylogin remotemachine.net

Tadaaaaaaaaaaaaaaaaa...

The remote ssh server shouldn’t ask for a password. If it does – You messed up and You are reading it all tagged as FAIL! 😉

You can use 1 private key to connect to multiple servers. Just copy the public key to all of them like I explained above. Permissions are crucial: 700 for the .ssh folder and 600 for the authorized_keys file. 99% of errors are connected to wrong permissions on the folder / file or to a wrong file name.
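Since the post pins most failures on permissions and the file name, here is an added Python checker (not from the post) that audits ~/.ssh the way the post describes and also decodes each authorized_keys line, so a public key that was pasted incompletely is caught; it goes a little beyond the post by building the ssh-rsa line format itself (RFC 4253 string and mpint encoding), and the RSA parameters it is checked with are constructed toy values, not a real key.

```python
import base64
import os
import stat
import struct

def _ssh_string(b):
    """RFC 4253 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    """RFC 4253 'mpint' of a positive integer: big-endian, with a leading zero
    byte whenever the top bit would otherwise be set."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")

def encode_rsa_public_key(e, n, comment=""):
    """Produce an id_rsa.pub / authorized_keys line from RSA parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()

def parse_authorized_key(line):
    """Decode one 'ssh-rsa <base64> [comment]' line into (e, n, comment).
    Raises ValueError for truncated pastes, other key types or option prefixes."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("line does not start with 'ssh-rsa <base64>'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
        fields, pos = [], 0
        while pos < len(blob):
            (length,) = struct.unpack(">I", blob[pos:pos + 4])
            if pos + 4 + length > len(blob):
                raise ValueError("field runs past the end of the key blob")
            fields.append(blob[pos + 4:pos + 4 + length])
            pos += 4 + length
    except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"corrupt key material: {exc}") from None
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    return e, n, parts[2] if len(parts) == 3 else ""

def mode_ok(st_mode, expected):
    """True when the permission bits equal the post's 700 / 600 exactly."""
    return stat.S_IMODE(st_mode) == expected

def audit_ssh_dir(ssh_dir=os.path.expanduser("~/.ssh")):
    """List the problems the post blames 99% of failures on: wrong modes,
    wrong file name, or a public key that was not pasted as one whole line."""
    problems, ak = [], os.path.join(ssh_dir, "authorized_keys")
    if not mode_ok(os.stat(ssh_dir).st_mode, 0o700):
        problems.append(f"{ssh_dir} must be mode 700")
    if not os.path.isfile(ak):
        return problems + [f"{ak} missing: check the file name"]
    if not mode_ok(os.stat(ak).st_mode, 0o600):
        problems.append(f"{ak} must be mode 600")
    with open(ak) as f:
        for no, line in enumerate(f, 1):
            if not line.strip() or line.startswith("#"):
                continue  # sshd ignores blank and comment lines
            try:
                parse_authorized_key(line)
            except ValueError as exc:
                problems.append(f"{ak} line {no}: {exc}")
    return problems
```

Run audit_ssh_dir() on the remote machine after the echo step; a non-empty list points at the file to fix. If the server already holds keys from other machines, append with >> instead of > so the earlier keys are not overwritten.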

Regards.

Andy