Tagged with networking

Changing your ssh server’s port from the default: Is it worth it?

Changing my ssh port from the default port (22) has been one of my standard processes for quite some time when I build new servers or virtual machines. However, I see arguments crop up regularly about it (like this reddit thread or this other one).

Before I go any further, let’s settle the “security through obscurity” argument. (This could probably turn into its own post but I’ll be brief for now.) Security should always be applied in layers. This provides multiple levels of protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities. In addition, these layers of security should be applied within the environment so that breaking into one server after getting a pivot point in the environment should be just as difficult (if not more difficult) than the original attack that created the pivot point. If “security through obscurity” tactics make up one layer of a multi-layered solution, I’d encourage you to obscure your environment as long as it doesn’t affect your availability.

The key takeaway is:

Security through obscurity is effective if it’s one layer in a multi-layer security solution

Let’s get back to the original purpose of the post.

The biggest benefit to changing the port is to avoid being seen by casual scans. The vast majority of people hunting for any open ssh servers will look for port 22. Some will try the usual variants, like 222 and 2222, but those are few and far between. I ran an experiment with a virtual machine exposed to the internet which had sshd listening on port 22. The server stayed online for one week and then I changed the ssh port to 222. The number of attacks dropped by 98%. Even though this is solely empirical evidence, it’s clear that moving off the standard ssh port reduces your server’s profile.

If it’s more difficult to scan for your ssh server, your chances of being attacked with an ssh server exploit are reduced. A determined attacker can still find the port if they know your server’s IP address via another means (perhaps via a website you host) and they can launch attacks once they find it. Paranoid server administrators might want to check into port knocking to reduce that probability even further.

Remembering the non-standard ssh port can be annoying, but if you have a standard set of workstations that you use for accessing your servers, just utilize your ~/.ssh/config file to specify certain ports for certain servers. For example:

Host *.mycompany.com
  Port 4321
 
Host nonstandard.mypersonalstuff.com
  Port 2345
 
Host *.mypersonalstuff.com
  Port 5432

If you run into SELinux problems with a non-standard ssh port, there are plenty of guides on this topic. The setroubleshoot-server package helps out with this as well.

# semanage port -a -t ssh_port_t -p tcp 4321
# semanage port -l | grep ssh
ssh_port_t                     tcp      4321,22

Here is my list of ssh lockdown practices when I build a new server:

  • Update the ssh server package and ensure that automatic updates are configured
  • Enable SELinux and allow a non-standard ssh port
  • Add my ssh public key to the server
  • Disable password logins for ssh
  • Adjust my AllowUsers setting in sshd_config to only allow my user
  • Disable root logins
  • For servers with sensitive data, I install fail2ban
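As an added example (not code from the original post), here is a small POSIX shell script that audits an sshd_config file against the list above: it checks for a non-default port, password logins disabled, root logins disabled, and an AllowUsers restriction. The package-update, SELinux and fail2ban items are not checked. The sample configs, the file paths, and the user name "admin" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# lockdown list (non-default port, no password logins, no root logins,
# AllowUsers restricted). Sample configs and paths are constructed.

# Print the effective value of one directive. sshd honours the first
# occurrence of a keyword, keywords are case-insensitive and '#' starts a comment.
sshd_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == tolower(key) {           # first match wins
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit
        }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Report findings on stderr and print the number of findings on stdout.
sshd_audit() {
    cfg="$1"; n=0
    port=$(sshd_get "$cfg" Port); port=${port:-22}   # sshd default is 22
    case "$port" in
        22|222|2222) echo "WARN Port $port is the default or a common variant" >&2; n=$((n+1)) ;;
        *)           echo "OK   Port $port" >&2 ;;
    esac
    pw=$(lower "$(sshd_get "$cfg" PasswordAuthentication)")
    if [ "${pw:-yes}" != "no" ]; then               # sshd default is yes
        echo "WARN PasswordAuthentication is not 'no'" >&2; n=$((n+1))
    fi
    root=$(lower "$(sshd_get "$cfg" PermitRootLogin)")
    if [ "${root:-yes}" != "no" ]; then             # anything but 'no' is flagged
        echo "WARN PermitRootLogin is not 'no'" >&2; n=$((n+1))
    fi
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "WARN AllowUsers is unset: every account may attempt to log in" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Constructed sample configs: one as shipped by many distributions, one hardened.
make_weak_config() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
X11Forwarding no
EOF
}
make_hardened_config() {
    cat > "$1" <<'EOF'
Port 4321
PasswordAuthentication no
PermitRootLogin no
AllowUsers admin
EOF
}

demo() {
    d=$(mktemp -d)
    make_weak_config "$d/weak"; make_hardened_config "$d/hardened"
    for f in weak hardened; do
        echo "== $f =="
        count=$(sshd_audit "$d/$f")
        echo "$count finding(s)"
    done
    rm -rf "$d"
}
demo
```

Point `sshd_audit` at a real /etc/ssh/sshd_config to get the same report for a live server; it reads the file only and changes nothing. Note that it ignores Match blocks, so a directive set inside one is not seen.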

New icanhaz features: reverse DNS and traceroutes

After adding some upgrades for icanhazip.com, I wanted to go a bit further. Adding reverse DNS (PTR) lookups and traceroutes seemed like a decent idea!

Want to beta test some new features on icanhazptr.com and icanhaztrace.com? Give them a try!

Getting your reverse DNS entry is easy:

$ curl -4 icanhazptr.com
ord.icanhazip.com
$ curl -6 icanhazptr.com
ord.icanhazip.com

Traceroutes are straightforward as well:

$ curl -4 icanhaztrace.com
traceroute to 166.78.118.193 (166.78.118.193), 30 hops max, 60 byte packets
 1  212.111.33.229  20.031 ms
 2  212.111.33.233  1.011 ms
 3  149.11.30.61  107.976 ms
...
$ curl -6 icanhaztrace.com
traceroute to 2001:4801:7818:6:abc5:ba2c:ff10:275f (2001:4801:7818:6:abc5:ba2c:ff10:275f), 30 hops max, 80 byte packets
 1  2a01:7e00:ffff:0:8a43:e1ff:fea3:fa7f  2.183 ms
 2  2001:4d78:fe01:2:1:3:b90:1  1.330 ms
 3  2001:978:2:45::d:1  8.388 ms
...

While this sits in beta, here are some things to keep in mind:

  • If a PTR record doesn’t exist for your IP address, your IP address will be returned
  • Failing traceroutes will cause your IP address to be returned
  • A PTR record will be chosen at random if multiple PTR records are returned
  • PTR lookups for traceroutes are currently disabled

Let me know if you find any bugs.


One week with Android

After getting Android-envy at LinuxCon, I decided to push myself out of my comfort zone and ditch my iPhone 4 for a Samsung Galaxy S III. It surprised a lot of people I know since I’ve been a big iPhone fan since the original model was released in 2007. I’ve carried the original iPhone, the 3GS, and then the 4. There have been good times and bad times, but the devices have served me pretty well overall.

The Good Stuff
One of my coworkers summed up Android devices pretty succinctly: “This will be the first phone that feels like your phone.” That’s what I like about it the most. I have so much more control over what my phone does and when it does it. It seems like there’s a checkbox or option list for almost every possible setting on the phone. Everything feels customizable (to a reasonable point). Even trivial things like configuring home screens and adjusting Wi-Fi settings seem to be more user-friendly.

The raw performance of the S3 handset is impressive. All of the menus are responsive and I rarely find myself waiting on the phone to do something. 4G LTE is extremely fast (but it does chow down on your battery) and it’s hard to tell when I’m on Wi-Fi and when I’m not. Photo adjustments are instantaneous and moving around in Chrome is snappy.

Another big benefit is that applications can harness the power of the Linux system under the hood (although some may require getting root access on your phone). Using rsync, ssh, FTP, and samba makes transferring data and managing the device much easier. It also allows you to set up automated backups to remote locations or to another SD card in your phone.

The Not-So-Good Stuff
If you’ve ever used a Mac along with Apple’s music devices, you know that the integration is tight and well planned. Moving over to Android has been really rough for me and the ways that I manage music. I gave DoubleTwist and AirSync a try but then I found that all of my music was being transcoded on the fly from AAC to another format. Syncing music took forever, quality was reduced, and the DoubleTwist music player on the phone was difficult to use. I downloaded SongBird and then tried to use Google Play Music but both felt inefficient and confusing.

Eventually, I found SSHDroid and started transferring music via ssh. That worked out well but then I couldn’t find any of the music I uploaded on my phone. A friend recommended SDRescan since it forces the device to scan itself for any new media files. My current work flow involves uploading the music via ssh, rescanning for media files, and then listening to the new files with Apollo (from CyanogenMod, more on that later).

Battery life on the S3 is well below what I expected but it sounds like it might be more the shortfall of the device rather than the software. The screen is large and it’s very bright even on the lowest settings. The battery settings panel on the phone regularly shows the screen as the largest consumer of energy on the phone. I did make some adjustments, like allowing Wi-Fi to switch off when the phone is asleep, which has helped with battery life. Disabling push email or IMAP IDLE has helped but it’s prevented me from getting some of the functionality I want.

Finally, the pre-installed Samsung software was absolutely terrible. There were background processes running that were eating the battery and the interface was hard to use. I’m not sure what their target audience is, but it made coming over from the iPhone pretty difficult.

To Flash or Not To Flash
Voiding the warranty and flashing the phone had me pretty nervous, but then again, I had quite a few coworkers who were experienced in the process and they had rarely experienced problems. Luckily, there is a great wiki page that walks you through the process. It’s a bit technical but I found it reasonably straightforward to follow. One of the nightly builds caused some problems with the GPS functionality on the phone but that was corrected in a day or two with another nightly build.

Upgrading to new nightly ROMs is unbelievably simple. You can download them manually to your phone and then reboot into recovery mode to flash the phone or you can load up an application on the phone itself which will download the ROM images and install the new image after a quick reboot with one key press. Don’t forget to make backups just in case something goes wrong, though.


My Application List
Here are my favorite applications so far:

More Changes
I’m waiting on my new ThinkPad T430s to ship and I’m told that Android phones are a bit easier to use within Linux than they are on a Mac. Not having the integrated USB support on the Mac is pretty frustrating. I’ll probably amend this post or write another one once I’m running Linux on my laptop and using my Android with it regularly.


Building vpnc with openssl support via MacPorts on Mac OS X

If you install vpnc via MacPorts on OS X, you’ll find that you have no openssl support after it’s built:

$ sudo port install vpnc
--->  Computing dependencies for vpnc
--->  Cleaning vpnc
--->  Scanning binaries for linking errors: 100.0%
--->  No broken files found.
$ sudo vpnc
vpnc was built without openssl: Can't do hybrid or cert mode.

This will cause some problems if you’re trying to use VPN with a Cisco VPN concentrator which uses SSL VPN technology. The fix is an easy one. You’ll find a variant within the portfile itself:

$ sudo port edit --editor cat vpnc | tail -7
variant             hybrid_cert description "Enable the support for hybrid and cert modes in vpnc" {
    depends_lib-append port:openssl
    build.args-append  "OPENSSL_GPL_VIOLATION=-DOPENSSL_GPL_VIOLATION OPENSSLLIBS=-lcrypto"
}
livecheck.type  regex
livecheck.url   ${homepage}
livecheck.regex "${name}-(\\d+(?:\\.\\d+)*)${extract.suffix}"

Simply specify that you want the hybrid_cert variant on the command line when you install vpnc and you should be all set:

$ sudo port install vpnc +hybrid_cert
--->  Computing dependencies for vpnc
--->  Deactivating vpnc @0.5.3_0
--->  Cleaning vpnc
--->  Activating vpnc @0.5.3_0+hybrid_cert
--->  Cleaning vpnc
--->  Scanning binaries for linking errors: 100.0%
--->  No broken files found.
$ sudo vpnc
unknown host `<gateway>'

Red Hat Summit 2012: Wednesday

Wednesday was action-packed with dramatic keynotes and great sessions. The morning was kicked off by Paul Cormier and he talked about some new products coming from Red Hat. Many of the product releases were centered around cloud offerings (like OpenShift) and his talk was mainly aimed at CIOs and decision makers. There wasn’t a lot of technical detail within his talk but it was refreshing to hear a Linux vendor talk about their products as being revolutionary steps in pulling away from vendor lock-in and proprietary solutions.

Paul was followed by Irfan Khan who talked about the value of very low latency information exchange and processing. He drove home the point that the biggest value we can gain from information in the current age is related to our ability to gather and interpret the information in as close to real time as possible. I expected a speech from a SAP employee to be relatively dry but I was pleasantly surprised to find that he made a lot of good points. Irfan emphasized that big data providers need to find a way to fit into their customers’ landscape without causing too much disruption while also providing some real benefits.

My first session was Jeff Darcy’s discussion about Red Hat’s storage offering and what GlusterFS advancements were on the horizon. His talk was standing room only and he covered a lot of highly technical points about GlusterFS. I’m getting the feeling that GlusterFS is gaining more momentum and that we’ll be seeing more features around consistency and performance very soon.

As a fan of SELinux, I made sure that I was in Thomas Cameron’s “SELinux for Mere Mortals” class. Although I feel relatively confident that I can solve SELinux problems when I find them, Thomas covered a lot of easier solutions that I hadn’t previously considered. His explanation of the basics of SELinux are a must read for any system administrator working on a Red Hat system. I managed to find his slides from last year but he said the new slides should be up by Friday.

I attended another good class about managing network resources with Red Hat. Although the slides were a little wordy, the content was extremely good. The speaker talked about receiving a 40Gb/sec ethernet card from Mellanox and how he bumped the performance from 8Gb/sec to 37Gb/sec by adjusting CPU pinning (for NUMA) as well as some kernel configuration around TCP buffers. It was an eye-opening discussion and it was a good session for people who are trying to find bottlenecks in their hardware.

The afternoon was spent mingling with GlusterFS developers and users as well as the people working the Fedora booth. I managed to pick up some Fedora stickers but I’ve yet to get my picture taken with the life-size Beefy Miracle hot dog. That’s my goal for tomorrow.

The night wrapped up with the Red Hat Certified Professionals Party at McGreevy’s across from the Hynes Convention Center. I ran into a bunch of fellow RHCAs and RHCEs who read my blog and I was glad some of the posts were able to help them along their way to becoming certified. Congratulations to the folks who passed the early rounds of the new JBoss exams! Being the first ones through that process certainly can’t be easy.

For anyone who is working towards their RHCA, be sure to read my post about my experience with it. It’s a long haul, but the knowledge you’ll gain will be worth it.
