Archive for the 'Security' Category

Stopping SSH Brute Force Attacks

A few weeks ago at work, I noticed a bunch of failed login attempts to one of our Linux servers. After doing some investigation, I found that no intrusion had actually been made, which is excellent. Lines similar to this were filling my /var/log/messages log file:

Aug 20 23:31:26 elixer sshd[22526]: Failed password for invalid user alias from 66.166.22.186 port 26217 ssh2

Notice they’re trying to log in with the username “alias”, which doesn’t exist on that system. In fact, none of the usernames attempted exist, which makes me feel a little safer. Still, I don’t like seeing my boxes actively attacked. So, to stay on top of these break-in attempts, I installed Breakinguard.

Breakinguard basically watches your log file for any failed login attempts. You can set a pre-defined number of attempts that can be executed before breakinguard will block the IP.

The package itself does a ‘tail -f’ of your syslog, and when it identifies a matching line within your logs, it logs this ‘attempt’. If more than the pre-defined number of attempts from the same IP address are received, it triggers the iptables (or any other block method defined) block and also emails you a notification.

I’ve never been able to get the configure script to work for me, simply because the perl module installation always fails. So, to get around that I simply installed these perl modules manually and commented out these lines in the configure script:

$PERL -MCPAN -e "install File::Tail"
$PERL -MCPAN -e "install IO::Socket"

Those two lines execute perl and try to install the File::Tail module and the IO::Socket module. After manually installing the perl modules below and commenting out the lines above in the configure script, the configure script should run and do its thing without error.

File::Tail
IO::Socket


After the configuration script has run, you should have a couple of new files, /etc/breakinguard.conf and /etc/rc.d/breakinguard. Now, the /etc/breakinguard.conf file stores the breakinguard configuration. This is where you tell breakinguard which log file to monitor and how many incorrect login attempts are defined as a break-in.

I’m not going to bother going through all the options in breakinguard.conf, simply because they’re all explained pretty well within the conf file.

The other “new file”, /etc/rc.d/breakinguard is the script used to launch breakinguard. Run “/etc/rc.d/breakinguard start” to start breakinguard.

Once breakinguard is running, it will monitor whichever log file you specified in /etc/breakinguard.conf (/var/log/messages in my case). When it sees a failed login attempt, it will be noted. Now, when an IP fails a certain number of logins, iptables will be called to block all traffic from the IP.
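The match-count-block loop described above, as an added Python example (this is not Breakinguard’s own Perl code). The sample lines are constructed in the sshd format shown in this post, and the iptables command is returned as an argv list rather than executed, so the script is safe to run anywhere.

```python
import re
from collections import Counter

# Constructed sample lines in the format the post shows (the first source IP is the
# one quoted in the post; the other addresses are made up for this demo).
SAMPLE_LOG = [
    "Aug 20 23:31:26 elixer sshd[22526]: Failed password for invalid user alias from 66.166.22.186 port 26217 ssh2",
    "Aug 20 23:31:29 elixer sshd[22528]: Failed password for invalid user admin from 66.166.22.186 port 26220 ssh2",
    "Aug 20 23:31:33 elixer sshd[22530]: Failed password for invalid user test from 66.166.22.186 port 26225 ssh2",
    "Aug 20 23:32:01 elixer sshd[22533]: Accepted password for bob from 10.0.0.5 port 51022 ssh2",
    "Aug 20 23:32:10 elixer sshd[22540]: Failed password for root from 10.0.0.9 port 40100 ssh2",
]

# Matches failures for both "invalid user <name>" and existing users; captures user and source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line):
    """Return (user, ip) for a failed sshd password line, or None for any other line."""
    m = FAILED_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None


class BreakinWatcher:
    """Per-IP failure counter mirroring the tail -f / threshold logic described in the post."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failures = Counter()
        self.blocked = set()

    def feed(self, line):
        """Feed one log line; return the IP if this line pushes it to the threshold, else None."""
        parsed = parse_failed_login(line)
        if parsed is None or parsed[1] in self.blocked:
            return None                      # not a failure, or already blocked: never re-emit
        ip = parsed[1]
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.blocked.add(ip)
            return ip
        return None


def iptables_block_args(ip):
    """argv that drops all traffic from ip; returned rather than executed so the demo is safe to run."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def scan(lines, max_attempts=3):
    """Run the watcher over a batch of lines; return the IPs that hit the threshold, in order."""
    watcher = BreakinWatcher(max_attempts)
    return [ip for ip in (watcher.feed(line) for line in lines) if ip]
```

In a real deployment the lines would come from following the log file and the argv would be passed to subprocess with root privileges; here `scan(SAMPLE_LOG)` simply reports which addresses would have been blocked.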

Below is an example email that’s generated by Breakinguard when it blocks an IP:

BreakinGuard has blocked an IP based on suspicious activity
Please review this server.

Detail:
Hostname: elixer.hostname
IP Blocked: 202.82.16.180
Last log entry that caused the block:
Aug 22 06:17:05 elixer sshd[25591]: Failed password for invalid user alias from 202.82.16.180 port 45340 ssh2


AOL Data: First Searcher Identified

Techcrunch has information on the first person positively identified from the AOL data. AOL searcher number 4417749 has been identified as Thelma Arnold, a 62-year-old widow living in Lilburn, Georgia.

As you might expect, the searches made by her are pretty innocent. Her search queries range from “numb fingers” to “60 single men” to “dog that urinates on everything.” The New York Times has a pretty in-depth article about Thelma and other, yet unidentified searchers.

Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

In the privacy of her four-bedroom home, Ms. Arnold searched for the answers to scores of life’s questions, big and small. How could she buy “school supplies for Iraq children”? What is the “safest place to live”? What is “the best season to visit Italy”?

Wonder when we can expect the first lawsuits to be filed? Personally, I expected some yesterday. AOL had a shitty reputation before, I’d be surprised if this doesn’t end up sinking them at some point.


Web Interface for AOL Data

A commenter over at Techcrunch put together a simple little web interface to the AOL search data.

Michael Arrington from Techcrunch spoke with Andrew Weinstein over the phone last night about this. Andrew is the AOL employee who first issued the apology that can be seen over at Techcrunch. Anyway, Michael thinks Andrew is truly pissed off about what happened, as he definitely should be.

What I’d like to know is how the decision came about to release this data in the first place. This had to be a decision made from pretty high up the ladder. Another thing: AOL shouldn’t even allow access to this data in its raw format. Only a very, very small number of people should be able to access the raw data, apart from the few servers that need it. I mean, nobody at AOL should have any reason to use such detailed data. Instead, there should be a reporting system that runs reports against the raw search data, so that nobody can actually see the data itself, only the summarized reports.

I don’t think Jason’s idea of turning off logging is practical. It’s really quite simple, don’t allow access to the raw log data.

Philipp Lenssen has some pretty good commentary over at Google Blogoscoped. He’s taken some time to see what individuals are searching for, pretty amusing:

At 10:08 PM, 28963 looks for “porn sites”. 28963 quickly amends the search query to read “freee porn sites”. (Two days later, 28963 shows a sudden interest in genital warts.)

He’s got a lot more of them, so head over to Google Blogoscoped for more amusement. Garett Rogers at the Googling Google blog at ZDnet has some commentary too.

This is the type of news that will reach every single AOL user. People will be boycotting the company because of their blatant disregard for the privacy of users. As my fellow Canadians would understand — this could be the TSN turning point.

Markus Frind has put together a nice post detailing how one AOL user likes searching for ways to commit murder. Some of his commenters are upset, but Markus asks some good questions:

Users in the comments are pissed off at the idea that people can be arrested for planning a crime like murder, calling it Minority Report-like. I ask you, why is it that Americans have no problems arresting people that are planning or researching how to conduct terrorist attacks? Yet if a person plans on killing his wife that is OK, until he actually does it? How many people do you have to plan on killing before it’s OK for a company like AOL to hand your records over to the government? I am not taking sides, I’m just pointing out the obvious double standard. This story will open a can of worms, and will decide just how private your data online really is.


AOL Releases Private Data

So, AOL released a bunch of search data. Doesn’t sound so bad, right? Well, it is, because AOL included identities, so basically you can see who has been searching for what. The data spans a 3-month period. It even gives information as to which links were clicked on the search results page. No usernames are included, but user IDs are, which can be linked back to usernames with little trouble. From Techcrunch:

The utter stupidity of this is staggering. AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the ability to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.

The original download has since been taken offline. However, there’s plenty of mirrors. The data in its compressed form weighs in around 439M, uncompressed it reaches just over 2 gigs.

UNEASYsilence has taken time to look through some of the data. Some of what they saw actually frightened them.

There are some truly scary things in this database.

There are hundreds of searches from people looking to kill themselves and even more scary are searches from users that seem to be looking to commit murder.

People are fucked up. Really though, some good could come of this. With all this super detailed search data, certain groups of people could be targeted. For example, those searching for “boylove” or “child love” constantly could be assumed to be some sort of pedophile. I could see groups like The War Against Nambla using this information to find new sickos to target.

UPDATE: AOL is now saying this was a screw up. Initially the data was reported to be released to the public for research purposes. Jason Calacanis, an AOL employee, is suggesting that AOL “NOT KEEP LOGS of our search data.”


WordPress 2.0.4 Released

WordPress 2.0.4 has been released.

WordPress 2.0.4, the latest stable release in our Duke series, is available for immediate download. This release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.

I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week.

I’m still not 100% sure that the problems pointed out by Dr. Dave have been fixed. Can anyone confirm that it has been? For those interested, here’s a list of bugs that have been closed as of the 2.0.4 release [via Dougal Campbell].

UPDATE: WordPress 2.0.4 does indeed fix the user registration vulnerability. Dr. Dave has done some testing of his own and seems pretty sure this vuln is fixed. It’s still probably a good idea to disable user registration just to be safe:

As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).


WordPress Security Issue

Dr. Dave, the dude behind Spam Karma, has issued a warning to all WordPress users. A message popped up on my Spam Karma 2 dashboard warning of a potential security vulnerability in WordPress. Here’s part of the warning:

If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Leaving it open and letting people sign-up for guest accounts on your Wordpress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

Now, the WordPress development team was apparently notified a “while back”. They supposedly haven’t done anything yet to rectify this problem. Dr. Dave has received a lot of questions due to his initial post. In turn, he’s made another post in which he addresses some of those questions.

Hopefully we’ll see WordPress 2.0.4 out within a few days.

UPDATE: WordPress 2.0.4 Beta is out. It should be safe to open user registrations under WordPress 2.0.4. I’d expect to see the final 2.0.4 release next week.
[via Ryan Boren]
