Hello from the Eighth Doctor
The subject line says it all: "SSH visits from users who were not given
permission--can they be blocked?"

Basically my box now running Slack 10.1 is being visited by people who were not
given my permission to do so, read hackers, and other annoyances. I frequently use
SSH from my Manhattan client to show them Linux, or to just keep busy, and I've
given a fellow I know online who's currently using the services of his school to visit
the box. He needs to learn Linux, and I trust him as much as he trusts me.

However since we reached that decision, I've seen scads of IP addresses attempting
to enter the box from the Internet. Sometimes they use FTP, but almost always
SSH. Once I saw something from a UUNET customer attempt a hack, I found out
later that there's a worm running who targets machines which have the SSH port
open.

That being said; once I've got the list of acceptable IP addresses from the I'net, any
suggestions on how to configure the current firewall mechanism to reject everyone
else? Also the router does contain a firewall, but I'm not sure as to how to have it
block those addresses, if it can...
--
Gregg drwho8 atsign att dot net
"This signature is waiting for Garbot."

On Fri, 11 Mar 2005 06:11:59 GMT, drwho8__NOTME__@att.net (The Eighth Doctor) wrote:

>That being said; once I've got the list of acceptable IP addresses from the I'net, any
>suggestions on how to configure the current firewall mechanism to reject everyone
>else? Also the router does contain a firewall, but I'm not sure as to how to have it
>block those addresses, if it can...

put them in a list and read into firewall:

# known ssh host data file
# ~~~~~~~~~~~~~~~~~~~~~~~~
# Format of data file for known hosts is one data record per line,
# each tab or space delimited data record contains three fields:
# addr port [# optional comment]
#
# Example: "192.0.2.123 ssh # Fred"
#
# Notes: data file must not contain blank or comment lines, nor a
# newline after the last record. If you use a non-standard ssh port,
# replace 'ssh' with your custom port number in the data file.

SSH_HOSTS_ALLOW_FILE="$INCLUDE_FILE_PATH/allow-ssh-src-addr"
SSH_LOGIN_RATE_LIMIT="4/hour"

function allow_restricted_fw_ingress ()
{
if test -r $SSH_HOSTS_ALLOW_FILE; then
while read addr port rest; do
iptables -A INPUT -p tcp $MSTATE NEW --src $addr \
--dport $port $MLIMIT $SSH_LOGIN_RATE_LIMIT -j ACCEPT
done < $SSH_HOSTS_ALLOW_FILE
fi
.. . .
Cheers,
Grant.

In article <k6e231h5jd0npvvr7voisaq6kiomg3q1f0@4ax.com>,
grant_nospam@dodo.com.au says...
>
>On Fri, 11 Mar 2005 06:11:59 GMT, drwho8__NOTME__@att.net (The Eighth
Doctor) wrote:
>
>>That being said; once I've got the list of acceptable IP addresses from the I'net,
any
>>suggestions on how to configure the current firewall mechanism to reject
everyone
>>else? Also the router does contain a firewall, but I'm not sure as to how to have it
>>block those addresses, if it can...
>
>put them in a list and read into firewall:
>
># known ssh host data file
># ~~~~~~~~~~~~~~~~~~~~~~~~
># Format of data file for known hosts is one data record per line,
># each tab or space delimited data record contains three fields:
># addr port [# optional comment]
>#
># Example: "192.0.2.123 ssh # Fred"
>#
># Notes: data file must not contain blank or comment lines, nor a
># newline after the last record. If you use a non-standard ssh port,
># replace 'ssh' with your custom port number in the data file.
>
>SSH_HOSTS_ALLOW_FILE="$INCLUDE_FILE_PATH/allow-ssh-src-addr"
>SSH_LOGIN_RATE_LIMIT="4/hour"
>
>function allow_restricted_fw_ingress ()
>{
> if test -r $SSH_HOSTS_ALLOW_FILE; then
> while read addr port rest; do
> iptables -A INPUT -p tcp $MSTATE NEW --src $addr \
> --dport $port $MLIMIT $SSH_LOGIN_RATE_LIMIT -j
ACCEPT
> done < $SSH_HOSTS_ALLOW_FILE
> fi
>. . .
>Cheers,
>Grant.
>
Hello from the Eighth Doctor
Nice, Grant it makes sense. However... One small detail. How do you create a
firewal using the basic tools that Pat provides for Slackware? That's one subject, I'm
not familiar with. I remember telling the installer to install the things from the n disk
that's associated with the technology, but I don't recall going over that step.
-----
Gregg drwho8 atsign att dot net

The Eighth Doctor wrote:
> How do you create a firewal using the basic tools that Pat provides for Slackware?

GOOGLE "iptables"

On Fri, 11 Mar 2005 06:54:58 GMT, drwho8__NOTME__@att.net (The Eighth Doctor) wrote:

>In article <k6e231h5jd0npvvr7voisaq6kiomg3q1f0@4ax.com>,
>grant_nospam@dodo.com.au says...
>>
>>On Fri, 11 Mar 2005 06:11:59 GMT, drwho8__NOTME__@att.net (The Eighth
>Doctor) wrote:
>>
>>>That being said; once I've got the list of acceptable IP addresses from the I'net,
>any
>>>suggestions on how to configure the current firewall mechanism to reject
>everyone
>>>else? Also the router does contain a firewall, but I'm not sure as to how to have it
>>>block those addresses, if it can...
>>
>>put them in a list and read into firewall:
.. . .

>Hello from the Eighth Doctor
>Nice, Grant it makes sense. However... One small detail. How do you create a
>firewal using the basic tools that Pat provides for Slackware? That's one subject, I'm
>not familiar with. I remember telling the installer to install the things from the n disk
>that's associated with the technology, but I don't recall going over that step.

vim /etc/rc.d/rc.firewall (not the answer you seek

Try firestarter? Roll your own: start at netfilter.org.

Accept that the 'background radiation' of the Internet is people/'bots
looking for easy targets like shiny new GNU/Linux installs with empty
root password. I chucked my example into the ring as I had to visit
all my network config files this morning as I took out 10-Base-T LAN
segment and put in a CAT5 run to another room. Too unreliable, the
old coax.

Cheers,
Grant.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

People! Please learn to trim your quotes. It is insane to include that
much crap that you're not directly reploying too. You left 1.3 times
_more_ quoted lines as you reply lines. See how I'm only replying to 3
of your lines, so I trim out the rest? Not doing so makes you look like
an ass.

In alt.os.linux.slackware, Grant Coady dared to utter,
> I took out 10-Base-T LAN
> segment and put in a CAT5 run to another room. Too unreliable, the
> old coax.

I think you mean 10Base2.

10Base2 = thinnet; thin, malable coax cable, runs at up to 10Mbps,
works at out to 185 meters without signal loss
10Base5 = thicknet; fat, ugly coax cable, POS, runs at 10Mbps,
works at out to 500 meters without signal loss
10BaseT = twisted pair; thin, malable 4 pair cat-5 cable, runs at
10, 100, or 1000Mbps and possible beyond with higher
category cable, works without signal degredation out to
100 meters

Note that the IEEE way of writing the various standards is split into
three parts (and doesn't quite follow a standard, ain't that a crock?).

Speed + type + length

Speed is the speed data can travel down the wire in Mbps. Note that
twisted pair is sometimes written 100BaseT or 1000BaseT for this
reason.

Type is either Base or Broad. Base indicates baseband, which means that
a network signal (really just a change in voltage along the cable) is
sent down a single channel. Broadband indicates that the signal is sent
down multiple channels at the same time. Note this has absolutely
nothing to do with your home internet connection.

Length is the approximate distance in 100 meter incriments that the
standard is reliable out to. In 10BaseT, the T means "twisted pair"
instead. Don't ask me why they did this, but they did it.

Everyone happy with your friendly neighborhood networking lesson today?

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCMZ1cvgVcFKpJf4gRAi+mAJ4r6K7E/C8tZ8Tb2U9KWPVUaLaTXACeOP31
lOj1Nz5jJ4m0YWIOqWaqNyU=
=HQwU
-----END PGP SIGNATURE-----

The Eighth Doctor wrote:

> once I've got the list of acceptable IP addresses from the I'net,
> any suggestions on how to configure the current firewall mechanism
> to reject everyone else?

TCP_Wrappers, on the system running Sshd will do what you want: list
those hostnames/addresses (or domain names, address blocks, etc.) you
want to permit in hosts.allow, and the rest will be denied by default.
You'll also have the benefit of logged rejections, so you'll know a)
who's been knocking at the door (for whatever that knowledge is worth),
and b) if anyone you meant to permit access to is being rejected.

I hope that helps ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca

Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------

(sample hosts.allow entry)

# permit Ssh connections from the local network:
sshd :ALL@.concordia.ca \
:allow

# -- default
ALL :ALL@ALL :deny

+Alan Hicks+ wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> People! Please learn to trim your quotes. It is insane to include that
> much crap that you're not directly reploying too. You left 1.3 times
> _more_ quoted lines as you reply lines. See how I'm only replying to 3
> of your lines, so I trim out the rest? Not doing so makes you look like
> an ass.

Bitching makes people look like asses, too.

I remember you. I don't like you specifically for that reason.

Mr. I.M. Kitty wrote:
> I remember you. I don't like you specifically for that reason.

must be tough living your life like that, not liking people because you
remember them.

--
Joost Kremers joostkremers@yahoo.com
Selbst in die Unterwelt dringt durch Spalten Licht
EN:SiS(9)

The Eighth Doctor wrote:
> Hello from the Eighth Doctor
> The subject line says it all: "SSH visits from users who were not given
> permission--can they be blocked?"
>

Sounds fairly easy to follow...

> Basically my box now running Slack 10.1 is being visited by people who were not
> given my permission to do so, read hackers, and other annoyances. I frequently use
> SSH from my Manhattan client to show them Linux, or to just keep busy, and I've
> given a fellow I know online who's currently using the services of his school to visit
> the box. He needs to learn Linux, and I trust him as much as he trusts me.
>

That's always a good relationship to have with someone, especially from
afar... ^_^

> However since we reached that decision, I've seen scads of IP addresses attempting
> to enter the box from the Internet. Sometimes they use FTP, but almost always
> SSH. Once I saw something from a UUNET customer attempt a hack, I found out
> later that there's a worm running who targets machines which have the SSH port
> open.
>

This is a given. The moment you stick a box on the net, be it OSX,
Unix, BSD, Windows, Linux, BeOS, etc, it'll get probed and prodded like
a lab rat in a needle testing facility.

> That being said; once I've got the list of acceptable IP addresses from the I'net, any
> suggestions on how to configure the current firewall mechanism to reject everyone
> else? Also the router does contain a firewall, but I'm not sure as to how to have it
> block those addresses, if it can...

Public key authentication is also a good security measure for SSH.

I found this as a little starter:
http://cfm.gs.washington.edu/securit...client-pkauth/

Peruse it if you like or search for more detailed solutions.

Either way, have fun! =