Friday, July 01, 2005

firewall-wizards digest, Vol 1 #1623 - 8 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Transitive Trust: 40 million credit cards hack'd (Kevin Sheldrake)
2. Re: Transitive Trust: 40 million credit cards hack'd (Paul D. Robertson)
3. Re: LangaList security item (Jim Seymour)
4. RE: SSH brute force attack (Paul Melson)
5. Proxy - content filter related (noc ops)
6. Re: SSH brute force attack (Mark Tinberg)
7. RE: Equifax Canada (Brian Loe)
8. RE: SSH brute force attack (Mathew Want)

--__--__--

Message: 1
Date: Mon, 27 Jun 2005 11:12:42 +0100
From: "Kevin Sheldrake" <kev@electriccat.co.uk>
To: "Behm, Jeffrey L." <BehmJL@bvsg.com>,
"Paul Melson" <pmelson@gmail.com>, "Marcus J. Ranum" <mjr@ranum.com>,
"David Lang" <david.lang@digitalinsight.com>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
Cc: "Firewal Wizards" <firewall-wizards@honor.icsalabs.com>
Organization: Electric Cat

Without wanting to drag this analogy too far...

If you only care about your own systems, then outrunning the other guys
might work. If you also care about systems that store and process your
information, then you might have more of a problem on your hands.

Imagine that it is no longer just your own life that you are worried
about, but that of your newborn babies (your personal information). Some
of these babies get passed to adoring aunties and uncles and, in extreme
cases, grandparents, where they are happily looked after. When the
machine-gun-wielding army of bears appears on the horizon, you'll still
outrun the other guys, but some of your babies might get eaten. To
counter this, you need to outrun the bears, outrun the other guys, but
also keep tabs on, and protect, all the custodians of your babies.

Changing the state of the industry, so that all people have the
opportunity to purchase and wear bear-resistant armour should lower your
exposure to bear-related catastrophes.

:)

Kev

> And you (and others) assume there's only two runners.
>
> I still think I'll make an attempt to out run the bear and
> be as tough a target as I can afford, and hope the bear is
> smart enough to pursue the easy targets.
>
> The point is, don't make yourself the _easy_ target, when there are
> things you can do that the other (easier targets) aren't doing.
> When there are enough bears and few targets, everyone will get
> attacked, but don't lightly toss aside the benefit of making
> yourself as hard a target as you can afford. Right now, there
> are still plenty of honey-soaked targets for the bears to enjoy.
>
> I'm not necessarily saying this is a completely fail-safe way to
> secure your environment, but from what I have seen of other
> environments, at least the honey isn't dripping off you and
> leaving a trail for the bear to easily follow. Let it drip off
> the other guy(s).
>
> Jeff
>
> -----Original Message-----
> From: Paul Melson
>
> The problem with that strategy being, you assume that there's only one
> bear.
>
> PaulM
>
> -----Original Message-----
> True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
> point,
> it can be effective. You don't gotta outrun the bear, just the guy next
> to
> you.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd

--__--__--

Message: 2
Date: Wed, 29 Jun 2005 19:36:54 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: ArkanoiD <ark@eltex.net>
Cc: Bill Royds <broyds@rogers.com>,
'George Capehart' <capegeo@opengroup.org>,
'Firewal Wizards' <firewall-wizards@honor.icsalabs.com>
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

On Thu, 23 Jun 2005, ArkanoiD wrote:

> Isn't it already in FreeBSD 5? I am going to build next version of my firewall
> on FreeBSD actively using its new security features, are they ready for production?

Bits of TrustedBSD are, but it's not done yet- eventually part of the goal
seems to be to create jail-like features with a MAC model, but it's not
there yet.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

--__--__--

Message: 3
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] LangaList security item
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Thu, 30 Jun 2005 08:26:42 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Brian Loe" <knobdy@stjoelive.com> wrote:
>
> From the LangaList - pretty sad it has to be said. Posting since it might
> have some relevance to previous posts about DSL wireless routers supplied by
> ISPs.

I'm reminded of when I first went looking for DSL service. I was on
the phone with tech. support, asking about the DSL device I would
get--whether it was a router, with packet-filtering capability, or a
bridge. Answer: Bridge. Me (horrified): "But that means your
customers' PeeCees are exposed directly to the Internet, their
back-sides hangin' out in the breeze, with no protection at all!" Tech:
"Yeah, but they don't know the difference, and wouldn't know what to do
about it even if they did." Nice attitude. Needless to say, *that*
ISP did not get my business.

I soon found out that ISP's attitude was common. "Oh boy, *this* is
gonna be a disaster," I thought. Little did I know how right I was.

> It's obviously not in AOL's interest to advertise their LACK of
> security, all the while advertising their improved security.

I had to dig, and dig hard, to get down to (up to?) a level of tech.
support that could answer my router/bridge question. It's not that the
sales droid and 1st-line tech. support people wouldn't answer my
questions, they *couldn't* answer them. They didn't understand what I
was talking about.

[snip]
>
> Oh, jeez---- if anything, AOL members need more protection than others!
[snip]

Which may explain why AOL is doing what they're doing--whatever that
is.

So, you take a common consumer/residential broadband connection, which
has no protection at all, add a wireless AP, configured, by default, in
open mode, add an electronic petri dish or two, and what do you have?

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.

--__--__--

Message: 4
From: "Paul Melson" <pmelson@gmail.com>
To: "'Toderick, Lee W'" <TODERICKL@MAIL.ECU.EDU>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] SSH brute force attack
Date: Thu, 30 Jun 2005 11:57:39 -0400

I can't identify the specific tool being used in your case, but SSH brute
force scans have been showing up on my radar for a little over a year now.
The users and passwords used seem to differ by attempt now and are getting
more exhaustive. The earlier connection is probably a version grab used to
determine whether or not there are other ways of exploiting your sshd either
by compromising it directly or by using its authentication scheme to
enumerate valid users.

I would say that on average I see 3-4 of these a day, most from APNIC
blocks. I've instituted password complexity requirements on the
'recreational' systems, and simply don't allow SSH connections from the
Internet on anything else. I've also never allowed root logins and all
service uids like nobody or web get /nologin shells. Thus far, it's been
enough to be lucky.

PaulM

-----Original Message-----
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later with "Illegal user " or " Failed
password for root".

Does anyone have information or documentation about this scan/attack?

--__--__--

Message: 5
Date: Thu, 30 Jun 2005 10:20:44 -0700
From: noc ops <aptgetd@gmail.com>
Reply-To: aptgetd@gmail.com
Organization: /dev/null
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] Proxy - content filter related

Hi,

I'm not sure if my previous e-mail made it to the list as I didn't see it.
Anyway, here it is again and my apologies for any duplication.

Is it possible to look at the *outgoing* client-proxy request headers
(w/o going through a local proxy server) in order to identify/block
proxy related traffic?

a. users (user-agent) to non-SSL HTTP proxies
b. users (user-agent) to SSL HTTP proxy (encrypted)

Since the traffic is being redirected (transparently) via the school's
content filter appliance (open-source product), does it make sense to
enable proxy so that the appliance provides the SSL & non-SSL tunneling
CONNECT extension method, so that we can identify (via CONNECT) and
filter traffic (via keyword)? Is it a worthwhile effort?

I can't see any other way to address proxy related traffic (google web
accelerator as an example) which currently bypasses our content
filter based on egress traffic, unless I perform deep packet inspection,
looking for the incoming response, which might slow things down since filtering
is being done in software.

I'm not sure what I can get out of SSL proxy packets since it creates
a secure connection (encrypted session) between client and server but
any thoughts will be greatly appreciated.

The purpose of this is to inspect/block naughty sites which students
access using third party proxies to bypass school's content filter(s).
I'm trying to help a public school with this issue and any help will be
awesome!

Any pointers to any in-depth papers or books which talk about proxies
in depth will be excellent.

Appreciate your time/help.

regards,
/vicky

--__--__--

Message: 6
Date: Thu, 30 Jun 2005 15:11:58 -0500 (CDT)
From: Mark Tinberg <mtinberg@securepipe.com>
To: "Toderick, Lee W" <TODERICKL@MAIL.ECU.EDU>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] SSH brute force attack

On Fri, 24 Jun 2005, Toderick, Lee W wrote:

> Our computers running SSH daemons have logged attacks. The attacks begin
> with a scan logged "Did not receive identification string from x.x.x.x",
> followed approximately 15 minutes later with "Illegal user " or " Failed
> password for root".

That's pretty much normal, people are scanning for easy to access ssh
services all the time. The way to deal with this is to not allow
worldwide access to your ssh daemon. OpenSSH has not had a perfect
security track record, for security software it has a lot of extraneous
functionality, so you have to protect it just like you'd protect any other
service.

If you absolutely have to expose it to the world (you run a shellbox for
example) then at least take the precaution of disabling direct root
access, having a very strict password policy (which is enforced) and
turning off features you don't need (like port forwarding, SOCKS proxy, X
forwarding, SFTP, etc.).

--
Mark Tinberg <MTinberg@securepipe.com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

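A check for the settings listed above, added here as an example and not code from the post or from OpenSSH: it parses an sshd_config text the way sshd reads it (first value for a keyword wins, Match blocks are conditional) and reports root login, TCP/SOCKS forwarding, X11 forwarding and SFTP left enabled. The two sample configs are constructed, and the value assumed when a keyword is absent is an assumption to confirm with `sshd -T` on the real host.

```python
"""Audit sshd_config text for the exposure points listed in the post above."""
import re

# keyword (lower-cased) -> (required value, value assumed when the keyword is absent).
# The defaults are assumptions for 2005-era OpenSSH; confirm them with `sshd -T`.
REQUIRED = {
    "permitrootlogin": ("no", "yes"),        # no direct root access
    "allowtcpforwarding": ("no", "yes"),     # port forwarding and the SOCKS proxy (ssh -D)
    "x11forwarding": ("no", "no"),           # X forwarding
    "permitemptypasswords": ("no", "no"),    # added here; not in the post
}

# Constructed sample configs, not taken from any real host.
WEAK_CONFIG = """
Port 22
Protocol 2
PermitRootLogin yes
X11Forwarding yes
Subsystem sftp /usr/libexec/sftp-server
"""

HARDENED_CONFIG = """
Port 22
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no    # also removes the SOCKS proxy
X11Forwarding no
# no Subsystem line: SFTP is not offered at all
Match User backup
    AllowTcpForwarding yes
"""

def parse_sshd_config(text):
    """Return ({keyword: first value}, {subsystem names}) from sshd_config text.

    Mirrors sshd: keywords are case-insensitive, '#' starts a comment, the first
    value seen for a keyword wins, and everything from the first Match block on
    is conditional, so it is not treated as the global setting.
    """
    values, subsystems = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simple: assumes no '#' inside values
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "subsystem":
            subsystems.add(arg.split()[0].lower() if arg else "")
        else:
            values.setdefault(keyword, arg)
    return values, subsystems

def audit_sshd_config(text):
    """Return one finding per violated check; an empty list means all checks pass."""
    values, subsystems = parse_sshd_config(text)
    findings = []
    for keyword, (required, default) in REQUIRED.items():
        actual = values.get(keyword, default).lower()
        if actual != required:
            how = "set" if keyword in values else "defaulted"
            findings.append(f"{keyword} {how} to '{actual}', want '{required}'")
    if "sftp" in subsystems:
        findings.append("subsystem sftp enabled; drop it if file transfer is not needed")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```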
--__--__--

Message: 7
From: "Brian Loe" <knobdy@stjoelive.com>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Equifax Canada
Date: Thu, 30 Jun 2005 15:44:16 -0500

Well, based on all the responses to my comment, I'm glad to see we're all on
the same page. Since I have to say it - it seems - I was being sarcastic. I
don't think I agreed with the original idea that I responded to much.

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of J. Oquendo
> Sent: Wednesday, June 22, 2005 12:55 PM
> To: firewall-wizards@honor.icsalabs.com
> Cc: Brian Loe
> Subject: RE: [fw-wiz] Equifax Canada
>
>
> On Wed, 22 Jun 2005, Brian Loe wrote:
>
> > Pretty soon the fed might realize it's losing money
> printing all that
> > fancy cash and one day say, "hey, that national ID card has
> a magnetic
> > strip on it!"
>
> Neat. Then all we would need is a new mailing list on
> (un)SecurityFocus that will target binary reading, and
> magnetics to spoof these cards. Come on now, the whole
> concept of it is a horrible idea. "Get your National ID card
> right now!" For what? To keep track of when I take number
> twos, what color boxers I buy. Information gathered from all
> sorts of these cards (even those annoying supermarket swipe
> cards) is getting way out of hand.
>

--__--__--

Message: 8
From: "Mathew Want" <mathew.want@ac3.com.au>
To: "'Toderick, Lee W'" <TODERICKL@MAIL.ECU.EDU>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] SSH brute force attack
Date: Fri, 1 Jul 2005 10:28:58 +1000

Lee,

I have been seeing many SSH scans similar to this for the last 9 months. I
am reporting on average 2 a week to AusCERT. The scans I'm seeing appear to
be variants of this:

http://www.frsirt.com/exploits/08202004.brutessh2.c.php

I posted a few months ago asking if anyone had seen this and I got the
impression then that I was not alone in this. The scans I see tend to hit
the root password pretty hard, but just try 1 or 2 attempts at the passwords
for the scattered usernames.

Apart from black-holing the addresses in a "No SSH for you" policy on the
firewall (horse already bolted), about the only thing you can do is ensure
that you can't SSH in as root (something I highly advise anyway) and go to
strong authentication. I have used SKEY quite successfully for this and it's
free :-).

An idea I have been kicking around with a few people is using logwatch (or
similar) to add hosts.deny lines, IPTables rules or SNORT signatures after X
failed attempts (horse kicking gate) to drop the attempts from the
offending address. I know that self defending boxes are prone to having an
inbuilt DoS "feature" due to spoofing, but seeing as the authentication does
not happen until after the key exchange for the tunnel, wouldn't this negate
the spoofed DoS "feature"? Still doesn't stop evil person from DoSing the
rest of their company from your system because of a NAT'ed address on their
firewall, but this is dependent on if that is a risk to you or not (horses
for courses). I have not tried it as yet but hope to soon....

I would like to hear any suggestions or thoughts anyone may have on this....
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Email: mathew.want@ac3.com.au
URL: http://www.ac3.com.au

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Toderick,
Lee W
Sent: Saturday, 25 June 2005 3:17 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] SSH brute force attack

Greetings!

Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later with "Illegal user " or " Failed
password for root".

Does anyone have information or documentation about this scan/attack?
Following is a list of Illegal users:
# cat secure.4 | grep "193.24.213.216" | cut -d " " -f6-12 | grep "Illegal" | cut -d " " -f 3

Thanks,
Lee Toderick

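The logwatch-style idea from Mathew's message, written out as an added example that is not the author's code: count sshd authentication failures per source address inside a time window and emit hosts.deny and iptables entries for offenders, with an allowlist for addresses (an office NAT, say) that must never be cut off. Bare "Did not receive identification string" probes are reported but never block on their own. The log lines are constructed; their wording follows the messages quoted in this thread, and the hosts.deny/iptables formats are the ones the post names.

```python
"""Log-driven SSH blocker: count sshd auth failures per source and emit block rules."""
import re
from collections import defaultdict
from datetime import datetime

# Patterns for the sshd syslog messages quoted in the thread (2005-era OpenSSH wording).
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
AUTH_FAILURE = re.compile(
    r"^(?:Illegal user \S+|Failed password for (?:invalid user )?\S+) from (\S+)")
PROBE = re.compile(r"^Did not receive identification string from (\S+)")

# Constructed sample of /var/log/secure, not taken from the original post.
SAMPLE_LOG = """\
Jun 24 03:02:11 shell sshd[1234]: Did not receive identification string from 192.0.2.10
Jun 24 03:17:40 shell sshd[1301]: Illegal user admin from 192.0.2.10
Jun 24 03:17:44 shell sshd[1302]: Illegal user test from 192.0.2.10
Jun 24 03:17:49 shell sshd[1303]: Failed password for root from 192.0.2.10 port 43122 ssh2
Jun 24 03:17:53 shell sshd[1304]: Failed password for root from 192.0.2.10 port 43123 ssh2
Jun 24 03:18:01 shell sshd[1310]: Failed password for invalid user phpbb from 192.0.2.10 port 43130 ssh2
Jun 24 04:00:10 shell sshd[1400]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jun 24 04:00:30 shell sshd[1401]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
Jun 24 09:30:00 shell sshd[1500]: Did not receive identification string from 203.0.113.9
""".splitlines()

def parse_events(lines, year=2005):
    """Yield (timestamp, kind, ip) per recognised line; kind is 'auth' or 'probe'.

    Syslog stamps carry no year, so one is supplied (assumed 2005 for the sample).
    """
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        f = AUTH_FAILURE.match(msg)
        if f:
            yield when, "auth", f.group(1)
            continue
        p = PROBE.match(msg)
        if p:
            yield when, "probe", p.group(1)

def offenders(lines, threshold=5, window_seconds=3600, never_block=()):
    """Return (blocked, probed): addresses with >= threshold authentication
    failures inside one window, and addresses that sent a bare probe.

    Only authentication failures count toward a block: they happen after the
    key exchange, so they cannot be produced with a spoofed source address.
    never_block keeps addresses you depend on (your own NAT) out of the rules.
    """
    failures = defaultdict(list)
    probed = set()
    for when, kind, ip in parse_events(lines):
        if kind == "probe":
            probed.add(ip)
        else:
            failures[ip].append(when)
    blocked = []
    for ip, stamps in failures.items():
        if ip in never_block:
            continue
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                blocked.append(ip)
                break
    return sorted(blocked), sorted(probed)

def hosts_deny_lines(addresses):
    """TCP wrappers entries, one per offending address."""
    return [f"sshd: {ip}" for ip in addresses]

def iptables_rules(addresses):
    """Equivalent packet-filter rules for a host that does not use tcp_wrappers."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in addresses]

if __name__ == "__main__":
    blocked, probed = offenders(SAMPLE_LOG, never_block={"198.51.100.7"})
    print("\n".join(hosts_deny_lines(blocked) + iptables_rules(blocked)))
    print("probed only, not blocked:", ", ".join(p for p in probed if p not in blocked))
```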
--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
