Since we are soon to get an 'always on' broadband connection with a fixed IP address (it's not ADSL, it's wireless but that doesn't affect things really) I'm looking into what new things I will be able to do and the security thereof.
I have already resurrected an old machine and have installed ipCop on it, that's fine and will block most external access. However I do want to allow *some* access, in particular I want:-
ssh access to the ipcop box, this will allow some administration and will also allow access (via another ssh connection) to my Linux server machine on the GREEN side.
Access to an IMAP server on the Linux server on the GREEN side by port mapping through the ipCop box. (I know a separate ORANGE subnet is really the way to go but that means yet another machine I have to administer etc. which I want to avoid)
In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
I may be able to limit the SSH access in particular to only certain client IP addresses but I want the IMAP to be accessible from anywhere. The IMAP server will probably only have two or three accounts on it and I will have control over passwords (though not where they're kept maybe).
Does anyone here have any experience of how vulnerable in reality such systems are? I'm not after Fort Knox, I just want things to be reasonably safe.
On Tue, 21 Sep 2004 11:40:21 +0100, Chris Green chris@areti.co.uk wrote:
> In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
Just looking back in auth.log, I can see "61.166.6.60" in China tried to guess my root password 3 times at 23:43 last night and again at 06:58 this morning. Last week there were 8 attempts from Germany, Korea and China.
> I may be able to limit the SSH access in particular to only certain client IP addresses but I want the IMAP to be accessible from anywhere. The IMAP server will probably only have two or three accounts on it and I will have control over passwords (though not where they're kept maybe).
I think you'll only frustrate yourself if you cannot SSH from anywhere.
> Does anyone here have any experience of how vulnerable in reality such systems are? I'm not after Fort Knox, I just want things to be reasonably safe.
Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
Good luck! Tim.
On Tuesday 21 Sep 2004 12:47, Tim Green wrote:
> On Tue, 21 Sep 2004 11:40:21 +0100, Chris Green chris@areti.co.uk wrote:
> > In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
> Just looking back in auth.log, I can see "61.166.6.60" in China tried to guess my root password 3 times at 23:43 last night and again at 06:58 this morning. Last week there were 8 attempts from Germany, Korea and China.
Same here from same IP address. Weird. I don't allow direct SSH access to root though. You have to log in as a user, then 'su'. I also get quite a few attempts every day from around the globe. Just make sure that your root password is unguessable (mixture of upper-case, lower-case, and numbers with no dictionary words) and you should be fine.
> > I may be able to limit the SSH access in particular to only certain client IP addresses but I want the IMAP to be accessible from anywhere. The IMAP server will probably only have two or three accounts on it and I will have control over passwords (though not where they're kept maybe).
> I think you'll only frustrate yourself if you cannot SSH from anywhere.
I agree. I used to do that with the hosts.allow file, then I went away for a week and forgot to change the file and couldn't get in for a whole week - most frustrating.
> > Does anyone here have any experience of how vulnerable in reality such systems are? I'm not after Fort Knox, I just want things to be reasonably safe.
> Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
I have IMAP over SSH too. It seems to be the most secure set-up.
Matt
On Tue, Sep 21, 2004 at 01:05:42PM +0100, Matt Parker wrote:
[snip]
Helpful replies, thanks.
> > Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
> I have IMAP over SSH too. It seems to be the most secure set-up.
The only issue I see with IMAP over SSH is that there is a certain amount of 'customisation' required at the client end isn't there? I.e. it would be rather difficult/inconvenient to use from someone else's computer or an internet cafe. Or am I missing something?
Presumably IMAP/SSL is a bit more 'out of the box' and many freely available IMAP clients can do IMAP/SSL without too much hassle.
It may be that I will provide 'world' accessibility to the IMAP server via an intermediary webmail service, e.g. Horde can use IMAP and I can host the Horde software on my 'out there' web site. On the other hand on personally owned computers IMAP can be configured for direct access to the server.
On Tuesday 21 Sep 2004 12:58, Chris Green wrote:
> On Tue, Sep 21, 2004 at 01:05:42PM +0100, Matt Parker wrote:
> [snip]
> Helpful replies, thanks.
> > > Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
> > I have IMAP over SSH too. It seems to be the most secure set-up.
> The only issue I see with IMAP over SSH is that there is a certain amount of 'customisation' required at the client end isn't there? I.e. it would be rather difficult/inconvenient to use from someone else's computer or an internet cafe. Or am I missing something?
I have my normal client on my laptop for accessing IMAP over SSH. For public terminal access I have a webmail site hosted on my server to access it.
Matt
On Tue, Sep 21, 2004 at 01:19:29PM +0100, Matt Parker wrote:
> > The only issue I see with IMAP over SSH is that there is a certain amount of 'customisation' required at the client end isn't there? I.e. it would be rather difficult/inconvenient to use from someone else's computer or an internet cafe. Or am I missing something?
> I have my normal client on my laptop for accessing IMAP over SSH. For public terminal access I have a webmail site hosted on my server to access it.
Much as I was thinking of doing, thanks again.
On Tue, Sep 21, 2004 at 12:47:51PM +0100, Tim Green wrote:
> On Tue, 21 Sep 2004 11:40:21 +0100, Chris Green chris@areti.co.uk wrote:
> > In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
> Just looking back in auth.log, I can see "61.166.6.60" in China tried to guess my root password 3 times at 23:43 last night and again at 06:58 this morning. Last week there were 8 attempts from Germany, Korea and China.
Thanks, that's just the sort of thing I wanted to know. So a good secure password should do most of what I need.
> > I may be able to limit the SSH access in particular to only certain client IP addresses but I want the IMAP to be accessible from anywhere. The IMAP server will probably only have two or three accounts on it and I will have control over passwords (though not where they're kept maybe).
> I think you'll only frustrate yourself if you cannot SSH from anywhere.
In reality I would be able to SSH from anywhere, but it would be via the ssh command line login I have where my web pages are hosted. I can set up my ipCop system to only allow ssh from there. (I actually have a couple of other ssh login accounts whose IP addresses I will allow as well, in case the hosting system is down for any reason).
> > Does anyone here have any experience of how vulnerable in reality such systems are? I'm not after Fort Knox, I just want things to be reasonably safe.
> Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
Aha, yes, a good reminder. I had been thinking of doing it via ssh and I'd forgotten this very good reason for doing it that way. Thanks!
Chris Green chris@areti.co.uk writes:
> Tim Green wrote:
> > Chris Green chris@areti.co.uk wrote:
> > > In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
> > Just looking back in auth.log, I can see "61.166.6.60" in China tried to guess my root password 3 times at 23:43 last night and again at 06:58 this morning. Last week there were 8 attempts from Germany, Korea and China.
> Thanks, that's just the sort of thing I wanted to know. So a good secure password should do most of what I need.
If you can use public key authentication instead of a password that'd probably improve matters further.
On Tuesday 21 September 2004 2:32 pm, Richard Kettlewell wrote:
> If you can use public key authentication instead of a password that'd probably improve matters further.
Tis sound advice indeed, however if you really must have a password based login then I strongly suggest that you set PermitRootLogin to no
I can't think of any good reason why you would need to log in directly as root, by eliminating default usernames like root you suddenly make it a lot more difficult for someone to perform a dictionary attack on your system.
The best bit about this is that from the client end ssh behaves exactly the same way as if you have mistyped the root password; it doesn't say root login denied. I get a sort of sadistic satisfaction watching failed login attempts to root (yeh, and even if you knew my password you ain't getting in that way pal).
Another worthwhile modification may be to set Protocol to 2 rather than the too often seen default of 2 and 1. ssh protocol 1 has been broken in the past and AFAIK most clients support the stronger protocol 2.
Also you can consider the possibility of running ssh on an obscure port rather than the default of 22, not sure how much value this has any more as there are port scanners that can easily detect that port foo is actually ssh pretending to be something else. But it does probably stop script kiddy subnet hammering appearing in your logs.
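To make Wayne's sshd_config advice checkable, here is a small auditor added as an example (it is not code from anyone in the thread). It parses a config the way sshd does (first occurrence of a keyword wins, comments ignored) and flags the settings discussed above; both config texts are constructed samples, and the defaults it assumes for missing keywords are those of OpenSSH 3.x.

```python
"""Audit an sshd_config against the thread's advice: PermitRootLogin no,
Protocol 2 only, key-based rather than password logins, and a note on
whether sshd still sits on the default port (a log-noise measure only)."""
import re

# Constructed sample of a typical 2004-era default-ish sshd_config.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not a real host's file)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed sample with the settings recommended in the thread applied.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: value} of the effective settings.
    Keywords are case-insensitive, separated from the value by whitespace or
    '='; sshd uses the FIRST occurrence of a keyword, so later ones are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed.
    Assumed defaults for absent keywords: PermitRootLogin yes, Protocol 2,1,
    PasswordAuthentication yes, Port 22."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin should be 'no' (log in as a user, then su)")
    if "1" in {p.strip() for p in s.get("protocol", "2,1").split(",")}:
        findings.append("Protocol should be '2' only; protocol 1 has been broken")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on; prefer public key auth")
    if s.get("port", "22") == "22":
        findings.append("Port is the default 22 (moving it only reduces log noise)")
    return findings
```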
On Tuesday 21 Sep 2004 22:32, Wayne Stallwood wrote:
> On Tuesday 21 September 2004 2:32 pm, Richard Kettlewell wrote:
> > If you can use public key authentication instead of a password that'd probably improve matters further.
> Tis sound advice indeed, however if you really must have a password based login then I strongly suggest that you set PermitRootLogin to no
> I can't think of any good reason why you would need to log in directly as root, by eliminating default usernames like root you suddenly make it a lot more difficult for someone to perform a dictionary attack on your system.
> The best bit about this is that from the client end ssh behaves exactly the same way as if you have mistyped the root password, it doesn't say root login denied. I get a sort of sadistic satisfaction watching failed login attempts to root (yeh, and even if you knew my password you ain't getting in that way pal)
:-) Yep.
Matt
On Tue, 21 Sep 2004 12:47:51 +0100, Tim Green timothy.j.green@gmail.com was rumoured to have said:
> On Tue, 21 Sep 2004 11:40:21 +0100, Chris Green chris@areti.co.uk wrote:
> > In the real world how vulnerable will these two be? Will I get incessant hacking at the open SSH port on the ipCop box trying to guess the password or will it just be the occasional port scan? Assuming the password is secure enough (i.e. unguessable enough and not published on the internet somewhere) will I be basically OK?
> Just looking back in auth.log, I can see "61.166.6.60" in China tried to guess my root password 3 times at 23:43 last night and again at 06:58 this morning. Last week there were 8 attempts from Germany, Korea and China.
I've been seeing a lot of these lately, mostly from Asian countries. The attacking hosts are probably victims themselves, as nearly all of the ones I connected back to ran a variant of openssh 3.4p1, which has been known to be vulnerable for more than a year (CA-2003-24)! The attackers seem to be trying to compromise other ssh servers. I usually see them try to log in as test, admin, guest and root before they give up.
> > I may be able to limit the SSH access in particular to only certain client IP addresses but I want the IMAP to be accessible from anywhere. The IMAP server will probably only have two or three accounts on it and I will have control over passwords (though not where they're kept maybe).
> I think you'll only frustrate yourself if you cannot SSH from anywhere.
> > Does anyone here have any experience of how vulnerable in reality such systems are? I'm not after Fort Knox, I just want things to be reasonably safe.
> Especially since you want to access IMAP from anywhere, at least do it over a secure connection (ssh or ssl) so that you don't broadcast your password and email messages in the clear.
Agreed. I use uw-imapd-ssl, which also allows me to access my mh folders and not just $MAIL. An essential feature if your email account is completely unusable without a trained spam filter and a whole lot of other procmail recipes, like mine is :(
> Good luck! Tim.
rgds, /-sb.
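Tim and sb both describe reading auth.log for failed root/test/admin/guest logins by hand; the following summariser, added as an example and not code from anyone in the thread, does that over sample lines. The log lines are constructed (documentation addresses from 192.0.2.0/24 and friends) and cover both the older "illegal user" and newer "invalid user" wording of OpenSSH.

```python
"""Summarise failed SSH password logins from auth.log: attempts per source
address and per username tried, plus the addresses worth a firewall or
hosts.allow rule. Sample log below is constructed, not a real host's log."""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Sep 21 23:43:01 gw sshd[4121]: Failed password for root from 192.0.2.10 port 4312 ssh2
Sep 21 23:43:04 gw sshd[4121]: Failed password for root from 192.0.2.10 port 4312 ssh2
Sep 21 23:43:07 gw sshd[4121]: Failed password for root from 192.0.2.10 port 4312 ssh2
Sep 22 06:58:12 gw sshd[4377]: Failed password for illegal user test from 192.0.2.10 port 1055 ssh2
Sep 22 06:58:15 gw sshd[4377]: Failed password for illegal user admin from 192.0.2.10 port 1055 ssh2
Sep 22 06:58:19 gw sshd[4377]: Failed password for illegal user guest from 192.0.2.10 port 1055 ssh2
Sep 22 07:02:40 gw sshd[4390]: Failed password for invalid user admin from 198.51.100.7 port 2201 ssh2
Sep 22 08:15:03 gw sshd[4402]: Accepted publickey for chris from 203.0.113.5 port 51022 ssh2
"""

# OpenSSH's failed-password line. Older releases wrote "illegal user" for
# accounts that do not exist, newer ones "invalid user"; both are accepted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Return (per_ip, per_user) Counters of failed password attempts.
    Successful logins ("Accepted ...") are ignored."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip] += 1
            per_user[user] += 1
    return per_ip, per_user

def noisy_sources(log_text, threshold=3):
    """Addresses with at least `threshold` failures, sorted; these are the
    candidates for a hosts.allow or firewall rule on the ipCop box."""
    per_ip, _ = failed_logins(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    per_ip, per_user = failed_logins(SAMPLE_AUTH_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:4d} failed logins from {ip}")
    print("usernames tried:", dict(per_user))
    print("noisy sources:", noisy_sources(SAMPLE_AUTH_LOG))
```

Run it against a real file with `failed_logins(open("/var/log/auth.log").read())`; on a box with PermitRootLogin set to no, the root entries still show up here as failures, which is the behaviour Wayne describes.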