Subject: Newbie with ssh-server running... Hacking attempts against me...

Higher security in terms of discretionary access control only translates to higher isolation of user contexts. Within a user context, any application is free to do whatever unprivileged action it requires to do its job.

This would limit the attack vector to all protocol action performed before login. Unless you're too stupid to implement CRC32 correctly, I'd say this is a non-issue.

The kernel is always the ultimate authority in the system. If it decides that root isn't the ueber-privileged user any more, it can enforce various limitations. One is that the kernel's logging facility is completely isolated, and all privileges that root could use to get access to kernel memory or compromising the kernel are removed. That is, root might still overwrite the privileges of any user, can change the system time, can debug other processes, can read disks in raw mode etc. but he can't load any drivers, do any kernel debugging, change the RTC time, write to the disk in raw mode, or bypass access checks on the kernel's files and objects.

Reply to
Sebastian G.

I understand what you mean now. We just differ on our definitions.

Reply to
JD

Any good pointers on how to set it up? I tried it once (a few months back) but couldn't even get a directory listing, although basic authentication did work (without https).

Reply to
goarilla

I'm surprised it was difficult. I just read the documentation, and was careful to use 'Directory' rather than 'Location' based settings, and it worked from the limited documentation built into HTTPD.

Reply to
Nico Kadel-Garcia

I didn't claim that this model or approach is perfect or even a good idea. But it's a non-theoretical productive OS where in a certain configuration there simply is no ultimately powerful principal, and root is merely a normal user with some privileges to manage non-system stuff.

Reply to
Sebastian G.

- You sounded like you can code in PERL. Write a script that changes your SSH port each day, or according to some date calculation you invent, to a non-standard port, and promulgate the port information inside your enterprise - this is easier than you think it is to do.

- Consider rolling your hosts behind a firewall that can use knockd or something similar implementing a "knock, knock" protocol. This way, no ports need to be open unless you send the properly formatted packets to the right TCP ports in the right sequence in the right amount of time, then the port "opens up". I use my own algorithm with ICMP packets that contain cryptographic data that verifies to a limited degree the origin of the sender.

- Be careful what information you share with the public in NG's and other places about your problem.

- If you're using OS/X desktops, consider installing Little Snitch on them for some added security.

/dmfh

-- dmfh(-2)dmfh.cx

Reply to
Digital Mercenary For Honor
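Two of the suggestions in the post above lend themselves to a small model: a listening port derived from the date (so the script that moves sshd and the people who need to reach it agree without exchanging anything), and a server-side "knock, knock" gate that opens only after the right ports are hit in the right order within a time limit. The code below is an added example written for this thread; it is not the poster's script, and the secret, the knock sequence, the window and the sample events are all constructed. In a real deployment the gate's "open" decision would drive a firewall rule insertion (what knockd does), not just a return value.

```python
import hashlib
import hmac
from datetime import date

# Constructed shared secret; any party holding it can compute today's port.
SHARED_SECRET = b"constructed-demo-secret-rotate-me"


def port_for_day(secret: bytes, day: date, low: int = 10000, high: int = 60000) -> int:
    """Deterministic non-standard port for a date: HMAC-SHA256 of the ISO
    date string, reduced into [low, high]. Without the secret an outsider
    cannot predict tomorrow's port from today's."""
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    return low + int.from_bytes(digest[:4], "big") % (high - low + 1)


KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed sequence of TCP ports
KNOCK_WINDOW = 10.0                   # seconds allowed for the whole sequence


class KnockGate:
    """Tracks, per source address, how far through the sequence it has got.
    A wrong port resets the attempt; exceeding the window restarts it."""

    def __init__(self, sequence, window):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src -> (index of next expected port, time of first knock)

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one observed connection attempt (src, dst port, seconds).
        Returns True exactly when src completes the sequence in time."""
        idx, started = self.progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts          # too slow: start over with this knock
        if port != self.sequence[idx]:
            self.progress.pop(src, None)  # wrong port: discard the attempt
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False


# Constructed sample of observed SYNs: (src, dst_port, seconds since start).
SAMPLE_EVENTS = [
    ("198.51.100.7", 7000, 0.0),
    ("198.51.100.7", 8000, 1.0),
    ("198.51.100.7", 9000, 2.0),    # correct order, within the window
    ("203.0.113.9", 7000, 0.5),
    ("203.0.113.9", 9000, 1.5),     # wrong order: attempt discarded
    ("203.0.113.9", 8000, 2.5),
    ("192.0.2.44", 7000, 0.0),
    ("192.0.2.44", 8000, 5.0),
    ("192.0.2.44", 9000, 12.0),     # last knock after the window: discarded
]


def run_knocks(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay events through a gate; return the sources that opened it."""
    gate = KnockGate(sequence, window)
    return [src for src, port, ts in events if gate.observe(src, port, ts)]


if __name__ == "__main__":
    print("today's port:", port_for_day(SHARED_SECRET, date.today()))
    print("sources that completed the knock:", run_knocks(SAMPLE_EVENTS))
```

Only the first source completes the sequence; the second hits the ports out of order and the third takes too long. Note that both tricks hide the service rather than harden it: an attacker who can see the traffic (or the port information promulgated inside the enterprise) learns the port, so they complement, not replace, key-based authentication and patching of sshd.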

this:

formatting link

sure. even this might help.

formatting link
you have to test it to make sure it works. also make sure the "--limit" switch is actually available to you. on some systems, i remember i have had to recompile iptables to get it.

as has been posted, it's an automated/scripted attack, probably with the goal of gaining access to the box and using it to send SPAM. the logic being that there is probably someone out there in WWW-land who is using one of those weak username/password combos.

if you want to keep this internet facing, you will also want to keep up to date with openssh security updates, otherwise the attack vector expands to successful use of an openssh exploit/vulnerability.

Reply to
darkog
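The "--limit" switch darkog mentions is the iptables limit match, and it is worth seeing what it actually does to a scripted login storm before relying on it. The added example below (written for this thread, not taken from the post or from the linked pages) models the match as the kernel implements it, a token bucket that starts with --limit-burst tokens, refills at the --limit rate and lets a packet match only while a token is available, and replays it over a constructed series of connection attempts. The rule pair it models is assumed, not quoted from the thread:

```python
from fractions import Fraction

# Assumed rule pair being modelled (not from the thread):
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
#       -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP
# The first rule matches while the bucket has a token; everything else
# falls through to the DROP rule.


class LimitMatch:
    """Token-bucket model of the iptables limit match. Fractions keep the
    arithmetic exact so the replay is reproducible."""

    def __init__(self, rate_per_minute: int, burst: int):
        self.refill_per_sec = Fraction(rate_per_minute, 60)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # bucket starts full
        self.last = None

    def allow(self, ts) -> bool:
        ts = Fraction(ts)
        if self.last is not None:
            earned = (ts - self.last) * self.refill_per_sec
            self.tokens = min(self.burst, self.tokens + earned)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def replay(attempt_times, rate_per_minute=3, burst=5):
    """Return [(ts, 'ACCEPT' | 'DROP'), ...] for each new-connection attempt."""
    match = LimitMatch(rate_per_minute, burst)
    return [(t, "ACCEPT" if match.allow(t) else "DROP") for t in attempt_times]


def summarize(decisions):
    """Count verdicts and list the timestamps that got through."""
    accepted = [t for t, verdict in decisions if verdict == "ACCEPT"]
    return {"ACCEPT": len(accepted),
            "DROP": len(decisions) - len(accepted),
            "accepted_at": accepted}


# Constructed traffic: a script opening one new connection per second for
# 30 seconds, then a legitimate user connecting once two minutes later.
ATTEMPTS = [float(i) for i in range(30)] + [150.0]


if __name__ == "__main__":
    for ts, verdict in replay(ATTEMPTS):
        print(f"t={ts:6.1f}s  {verdict}")
    print(summarize(replay(ATTEMPTS)))
```

With 3/minute and a burst of 5 the script gets its first five attempts through, then one more every twenty seconds, so 24 of its 30 attempts are dropped; the legitimate user at 150 s finds a refilled bucket and connects normally. The match throttles guessing, it does not stop it, which is why darkog's point about keeping openssh patched still stands.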

Yes, I read that's a really good idea...

I can code in many languages - though not really in Perl - I want to learn it however...

Great idea... This could be my first real Perl project, after having done some tutorials... It sounds like I can do that (I think it should be easy in Perl)...

Wow... Great idea - exactly what I was looking for... Thanks a lot...

I know... I believe nobody should even be able to see my IP when posting through teranews...

Thanks... I'll consider that...

Reply to
Santa Claus
