Administrative policies to using password-less ssh logins only is something that needs some adjusting from users.

Most of the mentioned programs parse logfiles and then act on them. Among them are fail2ban, denyhost and a similar script, OSsec, blockhosts and a shell-based approach by Rhialto.

The latter post also mentions going the PAM way, which hooks right into the authentication framework and can detect repeated authentication failures best - at the place where they get detected first. This is implemented by the anti-bruteforce PAM module in pkgsrc/security/pam-af.

I guess that's some food for thoughts, and a lot of programs to do the job. Let's see what comes up in Jan 2008 for this topic... :-)

Update: Elad Efrat wrote me to tell that server site log parsing may not be such a good idea as it has a potential to open up for some nasty attacks, see this thread on the fulldisclosuer list. You've been warned!

[Tags: ids, ipfilter, networking, Security, ssh]

• chroot .../src/obj/destdir
• cd .../src/obj/destdir/dev ; sh MAKEDEV all puffs
• cd .../src/share/examples/puffs/ssshfs ; make
• ./ssshfs i@remotemachine:/path/to/my/home /mnt

miyu% df | grep destdir
puffs:ssshfs  0 0 0   100%    /usr/src/obj/destdir/mnt
miyu% cd /usr/src/obj/destdir/mnt
miyu% ls
AdobeFnt.lst    OS                  bin     public_html
Desktop         OpenOffice.org1.1.0 in      tmp
...
miyu% ls -l .cshrc
-rw-r--r--  1 39068  2000  4706 Jun 16 01:01 .cshrc
miyu% head -2 .cshrc
# Default .cshrc fuer Solaris, Irix, ...
#
miyu% md5 .cshrc
MD5 (.cshrc) = 2ad1d2606a5678f312709a388376c2e5
miyu% ls -l test
ls: test: No such file or directory
miyu% date >test
miyu% ls -l test
-rw-r--r--  1 39068  2000  29 Nov 23 01:19 test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
miyu% vi test
miyu% cat test
Thu Nov 23 01:19:36 MET 2006
foobar
hubertf was here
miyu% rm test
miyu% cat test
cat: test: No such file or directory
miyu% 

Update: The cause of the hang was identified: I tried this against Solaris 9, which has a sshd that only supports the SFTP File Transport Protocol Version2, but to properly handle symlinks Version 3 is needed. A check for the protocol version was added, to indicate the case can't be handled.

[Tags: puffs, ssh]

• There was some progress on puffs, the userland filesystem stemming from last year's Google SoC, some time ago. More example userland filesystems are now available with sysctlfs and ssshfs, see src/share/examples/puffs.

  Rumours say that ssshfs works pretty well, which is a final reason to ditch the (abandoned first cut of the) netbsd-4 branch and make a -current kernel to play with this. BTW, for those wondering what ssshfs is, see ssshfs.c:

   * simple sshfs
   * (silly sshfs?  stupid sshfs?  snappy sshfs?  sucky sshfs?  seven sshfs???)
   * (sante sshfs?  severed (dreams) sshfs?  saucy sshfs?  sauerkraut sshfs?) 

• People complained that there's no ready-made VMware image with NetBSD available, and this has changed now. The #NetBSD blog points at a NAMP (NetBSD + Apache + MySQL + PostgreSQL + PHP) image that has quite a lot of software installed in 187MB size. See the arudius homepage for more information on NAMP.

• Elad, chief security hacker of NetBSD's infrastructure has proposed to add PaX Segvguard as yet another building stone in NetBSD's security architecture:

       PaX Segvguard monitors the number of segfaults in a program
       per-user, in an attempt to detect on-going exploitation attempts
       and possibly prevent them.  One common attack PaX Segvguard can
       help mitigate is when an attacker tries to brute-force a function
       return address, when wanting to perform a return-to-lib attack.  

  See Elad's proposal for more details! Note that a start of the implementation is already in NetBSD-current, but that this is still work-in-progress.

• BSDtalk did an interview with pkgsrc developer Johnny Lam (jlam@), it's available in mp3 and ogg.

• Last, if you don't know what to wish for Xmas, there's something for the average BSD geek: a daemon-themed bag (which is probably not really authorized by the Daemon owner, but well).

 Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.[...]
 Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13[...]
 Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13[...]
 Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.135[...]
 Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 220.135.88.151
 Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 220.135.88.151
 Dec 11 09:22:37 xxx sshd[27329]: Illegal user release from 220.135.88.151
 Dec 11 09:22:40 xxx sshd[22310]: Illegal user release from 220.135.88.151 

And there's help, in the form of a blog article (found via the #NetBSD Community Blog) describing how to use pop-before-smtp and IPfilter to firewall those people into eternity. (As far as I understand, the pop-before-smtp thing is mostly used to emulate 'tail -f', so I dare saying the meat of that article could be rewritten to only use tools that come with NetBSD. Any takers? Send URL! :)

Update: Ian Spray has taken the challenge and made a version that only uses tools that come with NetBSD. See his blog entry!

Update #2: Geert also brought this variant to my attention, which convers IPFilter, PF and IPFW (For FreeBSD, obviously). He found it in the BSDWiki.

[Tags: ipfilter, networking, Security, ssh]