Internet, Security, Technology

Does everyone get paranoid in their old age, or is it just me?

January 30th, 2007 by Jeff | Dump Core

In addition to switching blog software, I’ve been quietly making a few other changes on my little Linux box lately. For one thing, I’m changing the authentication scheme for SSH from simple passwords to public key authentication. Only a few friends and family have direct access to my Linux box, so it only affects a few people. However, given recent events, I feel somewhat justified in ramping up my security.

On the off chance you might have read this into the above statement, no, my network hasn’t been hacked. No advance GPF strips or story notes have been swiped from my hard drives. (Somehow, I detect a definite sense of mixed feelings from some of you, including relief and disappointment….) But my oh my, have they been trying. Not that I think it’s a directed attack by any means, but I have had a number of break-in attempts over the past few months, and they seem to escalate frequently.

Like I’m sure many Linux admins do, I run logwatch daily. (Actually, it seems to come pretty standard with an install of Fedora Core, but if I ever switch distros I’ll make sure to install it if it’s not a default.) logwatch runs through most of your system logs, generates a single, combined report summarizing the health and status of your computer, and plants an e-mail in your root mail inbox every morning. It covers just about everything, from cron jobs to Web and FTP logs (especially errors), mail, system messages, automatic updates, and (especially for the topic of this article) security logs. It was because of logwatch that I discovered that Demeter’s hard drive was failing last year and had to be replaced (more SMART failures, surprisingly undocumented either here or in the GPF News, and completely unrelated to Apollo’s crash; last year was not a good hard drive year for me). It’s through logwatch that I watch various IIS-targeted worms periodically bounce harmlessly off of Apache (which I take a small dose of perverse pleasure in). And it’s through logwatch that I sit nervously and watch the almost daily hack attempts to break into my system.

Having any computer on the Internet is a dangerous thing these days. I certainly don’t want to alarm the less tech-savvy of you out there (the last thing I want is to discourage people from getting online), but any computer connected to the Internet is under a constant barrage of probes and pings. Most of these are harmless and often routine, but a growing number of them are malicious. Hackers are constantly scanning the Net for connected systems that may have vulnerabilities that can be exploited. Over the years I’ve grown more and more curious about Internet security, and I’m finding myself getting more and more paranoid about how insecure much of the Internet really is.

Having a server on the Net is just asking for trouble. They are under a constant assault, being poked and prodded from all sides and on every port. Most regular users have a small amount of anonymity through the dynamic IPs of their ISP. Servers, on the other hand, are meant to be found, waiting for requests (as their very name states) to serve. By their very nature they advertise themselves with domain names saying, “Here I am! I’m here to help you.” Being so public, they make themselves more visible to attack. While some black hat hackers target specific hosts looking for various bits of sensitive personal or corporate information, most of these hacks are actually pretty casual: simple probes looking for any random vulnerable system that can be broken into. Perhaps they may find something useful to exploit, like financial information or blackmail material. But my theory is that they are mostly looking for new weapons to add to their arsenal, additional zombies to add to their growing botnet collection.

Virtually every day, my logwatch report comes up with at least several hundred break-in attempts via SSH. On especially nasty days, the attempts can run into the thousands. Gaining access via SSH is more advantageous than other means, as it gives you direct command-line access to the system, and the session is encrypted end-to-end, preventing eavesdropping by anyone in the middle. Needless to say, unencrypted telnet is completely disabled on my system.

The good news for me, at least, is that I’ve taken quite a few precautions to prevent these break-ins. The first and probably most important step is to prevent root from logging in via SSH. In order to gain root access, an attacker must first compromise another login, requiring them to break two passwords instead of just one. This adds an extra step for me when it comes to my admin duties, but that’s an extra step I’m definitely willing to make. I’ve also limited which logins can access SSH to a specific group, into which are placed only users that I want to explicitly grant such access. This greatly reduces the number of available logins that can be compromised. (Most of these attacks try various combinations of common user names, so odds are they have no clue what user names may exist on the machine.) The next big step, though, is to require public-key authentication. This means that those with shell access need not just a password but the private key matching a public key installed on the server (and the passphrase that unlocks that key), and only that combination will allow someone in. This is the form of authentication SourceForge uses for access to their build and test environments, and it’s probably the most secure method freely available (usually implemented via OpenSSH).
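As an added example (my own shell, not anything from the post or from the OpenSSH project), here is a small POSIX sh audit of an sshd_config for the three settings just described: no root login, an explicit allow-list group, and no password logins so that keys are the only way in. The directive names are OpenSSH’s own; the group name sshusers and both sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings the post describes.
# Directive names are OpenSSH's; the group "sshusers" and the two sample
# config files below are constructed for illustration only.

# Print the effective value of a directive.  OpenSSH honours the FIRST
# occurrence of a directive, so the first match wins.  Commented-out lines
# start with '#' and never match.  Match blocks are ignored (see caveat below).
sshd_get() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Check one config file.  Returns 0 when every check passes; otherwise the
# number of failed checks (1-3), printing one line per failure.
sshd_check() {
    cfg="$1"; fails=0

    # 1. root must not be able to log in over SSH at all
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin=${v:-<default>} (want no)"; fails=$((fails + 1)); }

    # 2. only members of an explicit group may authenticate
    v=$(sshd_get "$cfg" AllowGroups)
    [ -n "$v" ] || { echo "FAIL: no AllowGroups line (every account is a target)"; fails=$((fails + 1)); }

    # 3. no password logins: keys only (PubkeyAuthentication defaults to yes)
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication=${v:-<default yes>} (want no)"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed sample: a stock-looking config that still allows root and passwords.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample: the hardened config this post describes.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowGroups sshusers
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

echo "== weak config =="
if sshd_check "$WEAK_CFG"; then echo "OK"; fi
echo "== hardened config =="
if sshd_check "$HARD_CFG"; then echo "OK"; fi
```

Two caveats for anyone running this against a real /etc/ssh/sshd_config: a later Match block can re-enable any of these directives for particular users or addresses, so read those too (on newer OpenSSH, `sshd -T` prints the effective values, defaults included, which is the better thing to audit), and before turning password authentication off, keep your current session open and confirm a fresh key-based login works from another terminal, or the lockout you are trying to inflict on attackers will be your own.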

Setting up GnuPG keys, securely wiping old hard drives, and now locking down my Linux box with strong-grade encryption… I’m quite the paranoid little thing, now aren’t I? Does everyone get this paranoid in their old age, or is it just me? If you know the answer, you know where my public key is….

Edit April 2, 2007: I tried to make a follow-up comment to this, but that obviously didn’t work. So I’ll just edit this post to include a link to an article analyzing malicious SSH login attempts that I just found. It made my flesh crawl a little. In addition, check out the following Linux.com articles on beefing up SSH security. Thankfully, I’ve already discovered that I’m doing most of these tricks already, which made me feel just a tiny bit more secure.
