SSH hacked?

Bart Silverstrim bsilver at chrononomicon.com
Tue Jan 13 13:12:08 UTC 2009


musicman wrote:
> On Tue, Jan 13, 2009 at 10:03 AM, Charlie Brune <Ubuntu at bruneworld.com> wrote:
>> 3.  I only allow a few hard-to-guess users to log in via ssh.  I do this
>> by adding a line like this
>>     to /etc/sshd_config
>>
>>     AllowUsers xg17, ffd42y, jfjfkk11
>>
>>     Once a user, such as "xg17" logs in, they use the "su" command to
>> become the user they
>>     really want to be.
>>
> 
> Doesn't that then mean you have no idea which of the three accounts is
> problematic, or from which IP someone has broken in, should
> something nefarious happen?
> 
> Is it possible to log su commands, or is that already happening?
> 
> very interesting discussion btw

Wouldn't it also mean you're creating additional accounts that can be 
exploited on the system, while limiting which of the accounts can be 
logged into by SSH alone?

It's easy for this discussion to get down to the micro-level for "this 
is how you secure it" until it reaches an insane level of complexity for 
a home user probably protecting his personal bank records at most...? 
Not good, but unless he's a head of state or celebrity, I don't know 
who'd be targeting him to jump through so many hoops when there are 
hundreds or thousands of easier targets already, as long as the basics 
have been followed.

I.e., he's behind a NAT router with only necessary ports open.

He doesn't have root allowed to log in via SSH.

He doesn't have an easy-to-guess password.

He runs an application like denyhosts configured to download 
additional blocked IPs. Give three tries and you're blacklisted. (If 
your password can be guessed in an automated attack in three guesses, I 
think you need a new password scheme.)

If you're comfortable doing it, move SSH to another port for listening 
by the outside net on the NAT router (as another poster suggested).

Periodically run chkrootkit and rkhunter.

Of course keep up with updates.

These alone should be all that's really necessary...more than necessary, 
really...for the average home user.

If you want REALLY secure, you need to do things like...

set up a second network card on another subnet with a small system 
dedicated just to Syslog (if your system is compromised, you CANNOT 
trust logs).

No wireless in your network range. It can be cracked by anyone with 
tenacity.

Rotate your passwords on a monthly basis.

Audit everything with an MD5-checksum program, saving results and 
comparing on a read-only media.

Encrypt all of your data into pseudo-volumes mounted as needed, so 
attackers can only gain access to information mounted at the time.

Encrypt backups (you do make backups already, right?). Preferably to a 
storage device kept in another area of the home, or in another building 
if you have one on your property, like a temperate garage, so if there's 
a home disaster the backup will survive.

Run scripts to audit ARP requests and note any unusual MAC addresses 
that show up on your network.

Do not run any form of DHCP; hard-code everything and check that they're 
the only devices on the network.

I'm sure there are others but you get the idea...

Oh, and if you suspect the system's been compromised, there is really no 
"fix". You can't trust it. Any backups made after the point of 
compromise are also worthless. The system could have trojans on it and 
compromised binaries. The work that would go into restoring everything 
(and again, you can't 100% trust that you didn't overlook something) 
would be saved by wiping and reinstalling and then putting back your 
non-executable personal files. If you think it was compromised and are 
now asking for advice on securing SSH it's like hardening your home 
against intruders while the dude under the stairs dressed in black with 
a gun is biding his time with a Nintendo DS and giggling listening to 
you putting in the new locks and bars on the windows.

And of course all of this is pointless if you have other users and can't 
trust them to be careful with their passwords and accounts. Try running 
a password cracker on the system periodically to audit their password 
difficulty...run a dictionary attack or something like that. If you can 
crack it quickly, an attacker can too.
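As an added illustration of the "three tries and you're blacklisted" rule above (and of musicman's question about whether su is logged), here is a small detector in the style of denyhosts, written for this page rather than taken from the original post or from denyhosts itself. It parses constructed OpenSSH auth.log lines, counts failed logins per source address, emits block entries in /etc/hosts.deny syntax (the file denyhosts maintains), and separately flags addresses that eventually logged in after hitting the threshold, which is the case a one-line blacklist would miss. The log lines, hostnames and addresses (RFC 5737 documentation ranges) are constructed sample data; the su line shows the pam_unix session record that ties an su back to the SSH user who ran it.

```python
"""Three-strikes SSH brute-force detector over auth.log lines (added example)."""
import re
from collections import Counter

# Constructed sample auth.log excerpt: one brute-forcing host, one legitimate
# user who fat-fingered twice, and one host that guessed its way in on try four.
SAMPLE_LOG = """\
Jan 13 13:10:01 box sshd[4301]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 13 13:10:03 box sshd[4301]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 13 13:10:05 box sshd[4302]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jan 13 13:10:07 box sshd[4303]: Failed password for invalid user oracle from 203.0.113.5 port 51041 ssh2
Jan 13 13:11:00 box sshd[4310]: Failed password for xg17 from 198.51.100.7 port 40001 ssh2
Jan 13 13:11:04 box sshd[4310]: Failed password for xg17 from 198.51.100.7 port 40001 ssh2
Jan 13 13:11:09 box sshd[4310]: Accepted password for xg17 from 198.51.100.7 port 40001 ssh2
Jan 13 13:11:10 box sshd[4310]: pam_unix(sshd:session): session opened for user xg17 by (uid=0)
Jan 13 13:11:30 box su[4320]: pam_unix(su:session): session opened for user jfjfkk11 by xg17(uid=1001)
Jan 13 13:12:00 box sshd[4330]: Failed password for invalid user ffd42 from 192.0.2.10 port 60000 ssh2
Jan 13 13:12:02 box sshd[4330]: Failed password for ffd42y from 192.0.2.10 port 60000 ssh2
Jan 13 13:12:04 box sshd[4330]: Failed password for ffd42y from 192.0.2.10 port 60000 ssh2
Jan 13 13:12:08 box sshd[4330]: Accepted password for ffd42y from 192.0.2.10 port 60000 ssh2
""".splitlines()

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# OpenSSH failure line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+"
)
# OpenSSH success line.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for "
    r"(?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+"
)


def count_failures(lines):
    """Return (failed-login count per source IP, set of IPs with a successful login)."""
    failures = Counter()
    succeeded = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            succeeded.add(m.group("ip"))
        # Anything else (pam_unix session lines, su records) is not an SSH auth event.
    return failures, succeeded


def ips_to_block(lines, threshold=3, allowlist=()):
    """IPs that reached the failure threshold, minus any you never want to lock out."""
    failures, _ = count_failures(lines)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allowlist)


def hosts_deny_entries(ips):
    """Format a block list as /etc/hosts.deny lines for sshd (TCP wrappers syntax)."""
    return [f"sshd: {ip}" for ip in ips]


def suspicious_logins(lines, threshold=3):
    """IPs that hit the threshold and then got an Accepted login: investigate, don't just block."""
    failures, succeeded = count_failures(lines)
    return sorted(ip for ip in succeeded if failures[ip] >= threshold)


if __name__ == "__main__":
    # Keep your own trusted address out of the block list; the value is a constructed example.
    for entry in hosts_deny_entries(ips_to_block(SAMPLE_LOG, allowlist={"198.51.100.7"})):
        print(entry)
    for ip in suspicious_logins(SAMPLE_LOG):
        print(f"# {ip} logged in after {count_failures(SAMPLE_LOG)[0][ip]} failures: check what it did")
```

In real use you would feed it the tail of /var/log/auth.log and append the hosts.deny lines rather than print them; the allowlist exists because a three-strike rule with no exceptions is also a way to lock yourself out from a mistyped password. The su line is there because it answers the question in the thread: su goes through PAM and leaves a "session opened for user X by Y" record, so the SSH login account and the account it switched to can be matched up from the log.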
