Sep 28 09:50:09 s0 sshd[27967]: reverse mapping checking
getaddrinfo for adsl86-34-217-144.romtelecom.net
[86.34.217.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Why does it label it as POSSIBLE BREAK-IN ATTEMPT!?
How is it more of a possible break-in attempt than a user attempting to connect more than a few times with a wrong password?
This has bugged me a bit recently when helping a few people who aren't really used to linux - its shouting at them that something is SERIOUSLY WRONG!!! and when they look through their log files, they've fixated on this (as far as I can) relatively minor misconfiguration of a remote user's network.
Showing posts with label ssh. Show all posts
Showing posts with label ssh. Show all posts
01 October, 2011
POSSIBLE BREAK-IN ATTEMPT (not really)
SSH gives out error messages like this:
16 July, 2011
browserid in-browser shell logins
I've previously wired up my shell server barwen.ch to allow browser-based logins using OpenID and shellinabox. I've written about that on this blog before. I saw a few articles about Mozilla's BrowserID. The code snippets there looked like they would integrate well with the code I had already. So my evening project (which ended up only taking about half an hour) was to prototype BrowserID-based shell login.
It works basically the same as for the OpenID login on barwen.ch:
To get set up: you need to sign up for a barwen.ch account which will cost you 50 cents on PayPal; you need to send me the email that you use for BrowserID (instead of / in addition to an SSH key).
To actually log in, go to the login page http://s0.barwen.ch/~benc/browserid.html and log in. A terminal will appear in your browser. You do shell stuff.
This code is pretty crappy so I don't really want to release it until I've had a thought about the security for at least an hour (though you can find fragments of it elsewhere on this blog). I especially think that there might be some attacks possible by using freaky email addresses vs my unsanitised string handling. (I'm looking at you, Bobby Tables).
It works basically the same as for the OpenID login on barwen.ch:
To get set up: you need to sign up for a barwen.ch account which will cost you 50 cents on PayPal; you need to send me the email that you use for BrowserID (instead of / in addition to an SSH key).
To actually log in, go to the login page http://s0.barwen.ch/~benc/browserid.html and log in. A terminal will appear in your browser. You do shell stuff.
This code is pretty crappy so I don't really want to release it until I've had a thought about the security for at least an hour (though you can find fragments of it elsewhere on this blog). I especially think that there might be some attacks possible by using freaky email addresses vs my unsanitised string handling. (I'm looking at you, Bobby Tables).
18 June, 2011
password policy for ssh key hosts
I have a host with a handful of users. When they authenticate, they have to use either ssh public key or openid - there is no on-machine password. But some of the services that are running pretty much need a password: for example, IMAP, SMTP AUTH, web portal.
I'd like to give these users the ability to acquire a password.
Two ways are immediately apparent:
Dear Reader, can you think of other ways? Do you have any opinions on the wiseness/unwiseness of these approaches?
I'd like to give these users the ability to acquire a password.
Two ways are immediately apparent:
- Implement a mechanism which presents the user with a new machine-generated password, for example to their registered email address.
- Allow the user to run
passwdin a shell, but not require them to enter their existing password first (instead, rely on the fact that they are logged in to be sufficient authentication).
Dear Reader, can you think of other ways? Do you have any opinions on the wiseness/unwiseness of these approaches?
26 April, 2011
ssh-like login with openid
I rigged together shellinabox and mod_auth_openid with some custom PAM glue so people can log into my hobby server
shellinabox is not ssh (although web-based ssh is a good approximation). Instead it seems to be AJAX-over-https (which is kinda wtf for terminal access, but hey it seems to work).
The way I've glued it together is: First you visit the login page. That is an openid protected CGI script. The script runs with your openid in
shellinabox gives you a login prompt, asking for username and password. My hacked version stuffs the username and authentication token from the previous step into the keyboard.
The token ends up at a custom PAM module which verifies that the token is valid (for that user, and within a small time window after issue) and lets you in.
Then you get your shell prompt.
This seems like an interesting addition to barwen.ch's collection of login methods.
If you want a play, you can sign up at s0.barwen.ch
Also, if you break this, let me know rather than deleting
s0.barwen.ch with an in-browser terminal window and openid.shellinabox is not ssh (although web-based ssh is a good approximation). Instead it seems to be AJAX-over-https (which is kinda wtf for terminal access, but hey it seems to work).
The way I've glued it together is: First you visit the login page. That is an openid protected CGI script. The script runs with your openid in
$REMOTE_USER, and does three things: it maps your openid to a local username; it generates (via sudo) an authentication token for you; and it HTTP-meta-redirects you to a hacked version of shellinabox.shellinabox gives you a login prompt, asking for username and password. My hacked version stuffs the username and authentication token from the previous step into the keyboard.
The token ends up at a custom PAM module which verifies that the token is valid (for that user, and within a small time window after issue) and lets you in.
Then you get your shell prompt.
This seems like an interesting addition to barwen.ch's collection of login methods.
If you want a play, you can sign up at s0.barwen.ch
Also, if you break this, let me know rather than deleting
/ ...
26 March, 2011
sshfp dns
I've set up DNSSEC, so I'm on the path to trusting DNS more. I can put SSH key fingerprints for my hosts into DNS, and SSH clients can check those.
Even with insecure DNS, this is probably better than what you do now, which is to just to choose 'yes' to the following prompt without actually checking: (seriously, do you ever bother?)
SSH can check
I need to add an SSHFP record to the DNS for
On host
So those are the records to add to
(btw, vim on my machine doesn't like SSHFP records and highlights everythign red - eww)
Now wait for DNS to settle, and when I connect for the first time, I get a different message (my emphasis).
Cool.
You might need to set the client option
You can try this yourself, even without a user account, because host key verification happens before user authentication:
Even with insecure DNS, this is probably better than what you do now, which is to just to choose 'yes' to the following prompt without actually checking: (seriously, do you ever bother?)
The authenticity of host 's0.barwen.ch (192.168.55.55)' can't be established. RSA key fingerprint is 9e:81:ab:cb:2a:ad:26:2f:10:ed:dd:5c:55:dd:ea:58. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
SSH can check
s0's DNS record to see if a fingerprint is stored there, and tell you if it matches. So lets set that up.I need to add an SSHFP record to the DNS for
s0.barwen.ch.On host
fubar (without needing to be root):$ ssh-keygen -r s0.barwen.ch s0.barwen.ch IN SSHFP 1 1 560f08c1687a60e62a65ef427e63698ae1797d6f s0.barwen.ch IN SSHFP 2 1 4ef38fd457d0afec50ca21eacb771f724e6d7236
So those are the records to add to
barwen.ch's DNS.(btw, vim on my machine doesn't like SSHFP records and highlights everythign red - eww)
Now wait for DNS to settle, and when I connect for the first time, I get a different message (my emphasis).
The authenticity of host 's0.barwen.ch (192.168.55.55)' can't be established. RSA key fingerprint is 9e:81:ab:cb:2a:ad:26:2f:10:ed:dd:5c:55:dd:ea:58. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
Cool.
You might need to set the client option
VerifyHostKeyDNS ask in your ~/.ssh/config - if you really trust DNS, you can set it to yes instead, and it won't even ask you when there's an SSHFP record present.You can try this yourself, even without a user account, because host key verification happens before user authentication:
ssh -o 'VerifyHostKeyDNS ask' s0.barwen.ch
05 March, 2011
ssh over CONNECT over port 80
I run an ssh server on port 443 (the https port) of one of my machines. That's good when I want to get ssh from a network which bans "everything but web-browsing" - once I have ssh I can tunnel pretty much what I want.
But the other day I ran across a network (at an airport) which allowed only port 80 - the regular http port. Even port 443 was banned (so not only could I not connect to my ssh server, but no facebook, gmail, etc...)
I already have stuff on port 80 - my webserver - so what could I do? I know ssh can be tunnelled through the http CONNECT method. Could I set that up so that my web server would serve web traffic as usual but allow me to CONNECT to the ssh server?
Turns out yes.
In the http server config - enable mod_proxy and mod_proxy_connect. Then this config in proxy.conf (or the main server config, I guess):
(If you're doing this yourself - be careful about what you allow - if you are too liberal you turn your server into an open spamming and hacking engine for the world to exploit. And it will be found. Automatically, and within days or maybe hours.)
On the client side, use netcat as a proxy command in SSH: (you can also put the proxy command in ~/.ssh/ssh_config)
Tada.
Note that the ssh server now sees you connecting from localhost, and the http server is the one who logs the real IP address. A caveat here is if you have IP-based security policies that make localhost special, then anyone connecting through this proxy is also special.
Lots of the config for this came from http://mariobrandt.de/archives/technik/ssh-tunnel-bypassing-transparent-proxy-using-apache-170/
So that gets me a CONNECT proxy.
But does it work at the airport? No.
Turns out the airport is also running everything through a transparent proxy: when I connect to s0.barwen.ch port 80, I'm actually connected to the airport's transparent proxy. So an http CONNECT command to localhost:22 both points to the wrong place and is administratively prohibits.
It turns out I can http CONNECT to s0.barwen.ch port 80, though, and there issue another CONNECT command to get to localhost:22:
So I can get to the server this way.
How can I get the ssh commandline to talk to the remote server, with the extra proxy step added?
Like this:
Now once that's done, I can run a SOCKS proxy over the same ssh connection, and route my normal web browsing through that - giving me access to https sites, and anything else that can use SOCKS.
But the other day I ran across a network (at an airport) which allowed only port 80 - the regular http port. Even port 443 was banned (so not only could I not connect to my ssh server, but no facebook, gmail, etc...)
I already have stuff on port 80 - my webserver - so what could I do? I know ssh can be tunnelled through the http CONNECT method. Could I set that up so that my web server would serve web traffic as usual but allow me to CONNECT to the ssh server?
Turns out yes.
In the http server config - enable mod_proxy and mod_proxy_connect. Then this config in proxy.conf (or the main server config, I guess):
<IfModule mod_proxy.c>
ProxyRequests On
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
</Proxy>
<Proxy localhost>
Allow from all
</Proxy>
AllowCONNECT 22
ProxyVia On
</IfModule>
(If you're doing this yourself - be careful about what you allow - if you are too liberal you turn your server into an open spamming and hacking engine for the world to exploit. And it will be found. Automatically, and within days or maybe hours.)
On the client side, use netcat as a proxy command in SSH: (you can also put the proxy command in ~/.ssh/ssh_config)
ssh -o 'ProxyCommand nc -X connect -x myhost.example.com:80 localhost 22' myhost.example.com
Tada.
Note that the ssh server now sees you connecting from localhost, and the http server is the one who logs the real IP address. A caveat here is if you have IP-based security policies that make localhost special, then anyone connecting through this proxy is also special.
Lots of the config for this came from http://mariobrandt.de/archives/technik/ssh-tunnel-bypassing-transparent-proxy-using-apache-170/
So that gets me a CONNECT proxy.
But does it work at the airport? No.
Turns out the airport is also running everything through a transparent proxy: when I connect to s0.barwen.ch port 80, I'm actually connected to the airport's transparent proxy. So an http CONNECT command to localhost:22 both points to the wrong place and is administratively prohibits.
It turns out I can http CONNECT to s0.barwen.ch port 80, though, and there issue another CONNECT command to get to localhost:22:
$ nc -4 -X connect -x s0.barwen.ch:80 s0.barwen.ch 80 CONNECT localhost:22 HTTP/1.0 200 Connection Established Proxy-agent: Apache/2.2.14 (Ubuntu) SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
So I can get to the server this way.
How can I get the ssh commandline to talk to the remote server, with the extra proxy step added?
Like this:
$ cat t.sh ( echo "CONNECT localhost:22" ; cat ) | nc -X connect -x s0.barwen.ch:80 s0.barwen.ch 80 | ( read ; read ; read; cat) $ ssh -o 'ProxyCommand ./t.sh' s0.barwen.ch
Now once that's done, I can run a SOCKS proxy over the same ssh connection, and route my normal web browsing through that - giving me access to https sites, and anything else that can use SOCKS.
Subscribe to:
Posts (Atom)