<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Nix Bits &#187; Security</title>
	<atom:link href="http://www.scottharney.com/category/computers/computerssecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.scottharney.com</link>
	<description>Notes about life, *nix, and other stuff.</description>
	<lastBuildDate>Thu, 09 Dec 2010 16:24:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>WordPress upgrade</title>
		<link>http://www.scottharney.com/2009/09/08/wordpress-upgrade/</link>
		<comments>http://www.scottharney.com/2009/09/08/wordpress-upgrade/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 14:27:01 +0000</pubDate>
		<dc:creator>scotth</dc:creator>
				<category><![CDATA[Computers]]></category>
		<category><![CDATA[Life]]></category>
		<category><![CDATA[Lindy Hop]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.scottharney.com/?p=174</guid>
		<description><![CDATA[Well Twitter was all abuzz about a WordPress worm and sure enough a worm had been circulating attacking old versions of wordpress.  Well obviously I pretty much never post on this blog these days.   And wordpress is notorious for security issues.  This is partly due to the popularity of the product, partly due to problems [...]]]></description>
			<content:encoded><![CDATA[<p>Well Twitter was all abuzz about a WordPress worm and sure enough a worm had been circulating attacking old versions of <a href="http://wordpress.org/development/2009/09/keep-wordpress-secure/">wordpress</a>.  Well obviously I pretty much never post on this blog these days.   And wordpress is notorious for security issues.  This is partly due to the popularity of the product, partly due to problems with php itself, and probably partly due to some flaws in WordPress’s own code. But, to their credit, they update quickly and the word does get out.  And, to their credit, upgrading was really simple despite the many customizations I have done.  So kudos to the wordpress team.  What I didn’t want was for this thing to get hacked and have spam links spread all through it and have it ruin my google search ranking.  So there it is.</p>
<p>On a more fun note, we’ve been spending the past year trying to learn to <a href="http://www.dancequarter.com/">lindy hop</a>.  Maybe someday we’ll get as good as this:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="350" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://www.youtube.com/v/JOx40vQh5eg&amp;feature" /><embed type="application/x-shockwave-flash" width="425" height="350" src="http://www.youtube.com/v/JOx40vQh5eg&amp;feature"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottharney.com/2009/09/08/wordpress-upgrade/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Looks like someone had the same idea for ssh blocking</title>
		<link>http://www.scottharney.com/2005/06/06/looks-like-someone-had-the-same-idea-for-ssh-blocking/</link>
		<comments>http://www.scottharney.com/2005/06/06/looks-like-someone-had-the-same-idea-for-ssh-blocking/#comments</comments>
		<pubDate>Mon, 06 Jun 2005 18:23:00 +0000</pubDate>
		<dc:creator>scotth</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.scottharney.com/htdocs/wordpress/?p=48</guid>
		<description><![CDATA[Denyhosts parses your log files and adds the source addresses of automated ssh attack attempts to tcp_wrappers&#8217; /etc/hosts.deny. This is the same concept as this little shell script I cooked up. Of course my little script was derived from another script specific to openbsd and its pf firewall. Denyhosts is pretty much the same idea as mine but [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://denyhosts.sourceforge.net">Denyhosts</a> parses your log files and adds the source addresses of automated ssh attack attempts to tcp_wrappers&#8217; /etc/hosts.deny.  This is the same concept as <a href="http://www.scottharney.com/blog/Computers/Security/#ssh_blocker_wrap-sh.html">this</a> little shell script I cooked up. Of course my little script was derived from another script specific to openbsd and its pf firewall.
</p>
<p>Denyhosts is pretty much the same idea as mine but it uses python rather than a shell script.  Python is common enough on most platforms, but some non-Linux platforms may not have it without installing third-party packages.  Against a patched sshd with strong passwords these attempts are harmless enough, but the extra layer can&#8217;t hurt.  And if a later vuln is discovered, you&#8217;ve already got the attacking hosts blocked via tcp_wrappers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottharney.com/2005/06/06/looks-like-someone-had-the-same-idea-for-ssh-blocking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ssh blocker script for TCP Wrappers</title>
		<link>http://www.scottharney.com/2005/01/03/ssh-blocker-script-for-tcp-wrappers/</link>
		<comments>http://www.scottharney.com/2005/01/03/ssh-blocker-script-for-tcp-wrappers/#comments</comments>
		<pubDate>Mon, 03 Jan 2005 22:55:00 +0000</pubDate>
		<dc:creator>scotth</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.scottharney.com/htdocs/wordpress/?p=66</guid>
		<description><![CDATA[Since this past summer, compromised machines have been attempting to brute force user accounts via ssh. Mostly this is annoying but it would be nice to detect and block these IPs. Francisco de Borja Lopez Rio made a Python script that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for OpenBSD&#8217;s pf. [...]]]></description>
			<content:encoded><![CDATA[<p>
Since this past summer, compromised machines have been attempting to brute force user accounts via ssh.  Mostly this is annoying but it would be nice to detect and block these IPs.  Francisco de Borja Lopez Rio made a Python script that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for OpenBSD&#8217;s pf.  The script can be found <a href="http://www.e-shell.org/index.py?code=python">here</a>.</p>
<p>
Later Juan J. Martinez used the same concept to create a simple shell <a href="http://blackshell.usebox.net/pub/shell/">script</a> that behaves similarly.  While this is nice, some of my own bastion hosts running ssh are not OpenBSD machines and thus cannot run pf.  So I modified Juan&#8217;s script to use Wietse Venema&#8217;s ubiquitous tcp wrappers instead.  The bash shell script also expects GNU variants of cat, echo, awk, etc. but should be easily modifiable to operate on, say, Solaris. You can get it right <a href="http://www.scottharney.com/ssh_blocker_wrap-sh.tar.gz">here</a>.   It would also be relatively easy to edit to use Linux iptables instead.</p>
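<p>The same concept in a minimal form, added here as an example (it is neither the ssh_blocker_wrap-sh script from this post nor Denyhosts from the later post): parse OpenSSH &#8220;Failed password&#8221; lines, count failures per source address, and emit tcp_wrappers entries for addresses at or over a threshold, skipping any already in hosts.deny so repeated runs don&#8217;t pile up duplicates. The log lines, the threshold of 3 and the file paths are constructed for the illustration; it uses only POSIX sh and awk rather than the GNU tools the original script expects, and it handles IPv4 addresses only.</p>

```shell
#!/bin/sh
# Added illustration of the log-parsing ssh blocker idea; not the post's script.

# Constructed sample of OpenSSH auth log lines (format: "Failed password for
# [invalid user] NAME from ADDR port N ssh2"). Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG='Jan  3 22:41:02 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 44142 ssh2
Jan  3 22:41:05 bastion sshd[1235]: Failed password for invalid user test from 203.0.113.7 port 44150 ssh2
Jan  3 22:41:09 bastion sshd[1236]: Failed password for root from 203.0.113.7 port 44161 ssh2
Jan  3 22:41:12 bastion sshd[1237]: Failed password for invalid user oracle from 203.0.113.7 port 44170 ssh2
Jan  3 22:41:20 bastion sshd[1240]: Failed password for scotth from 198.51.100.23 port 51002 ssh2
Jan  3 22:41:25 bastion sshd[1241]: Accepted publickey for scotth from 198.51.100.23 port 51003 ssh2
Jan  3 22:42:01 bastion sshd[1250]: Failed password for invalid user guest from 192.0.2.55 port 3333 ssh2
Jan  3 22:42:03 bastion sshd[1251]: Failed password for invalid user guest from 192.0.2.55 port 3334 ssh2
Jan  3 22:42:05 bastion sshd[1252]: Failed password for invalid user guest from 192.0.2.55 port 3335 ssh2'

# Failed attempts before an address is blocked (assumed value; tune to taste).
THRESHOLD=${THRESHOLD:-3}

# offenders: read auth log lines on stdin, print (sorted) one address per
# line that has at least $THRESHOLD "Failed password" entries.
offenders() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # Take the LAST "from" on the line: sshd logs the client-supplied
            # user name verbatim, so a name like "x from 10.0.0.1" must not be
            # able to make us block an address the attacker chose.
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' | sort
}

# hosts_deny_lines DENY_FILE: read addresses on stdin and print a
# tcp_wrappers "sshd: ADDR" line for each one not already in DENY_FILE.
hosts_deny_lines() {
    deny_file=$1
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ! grep -qxF "sshd: $ip" "$deny_file" 2>/dev/null; then
            echo "sshd: $ip"
        fi
    done
}

# block_from_log LOG_FILE DENY_FILE: append new entries to DENY_FILE and
# print the lines that were added (nothing if there were none).
block_from_log() {
    log_file=$1
    deny_file=$2
    new_entries=$(offenders < "$log_file" | hosts_deny_lines "$deny_file")
    if [ -n "$new_entries" ]; then
        printf '%s\n' "$new_entries" >> "$deny_file"
        printf '%s\n' "$new_entries"
    fi
    return 0
}

# Stand-alone demo on the constructed sample: a throwaway hosts.deny that
# already lists 203.0.113.7, so only 192.0.2.55 should come out.
# Nothing on the real host is touched.
demo_deny=$(mktemp)
printf 'sshd: 203.0.113.7\n' > "$demo_deny"
printf '%s\n' "$SAMPLE_LOG" | offenders | hosts_deny_lines "$demo_deny"
rm -f "$demo_deny"
```

<p>On a real host this would run from cron as <code>block_from_log /var/log/auth.log /etc/hosts.deny</code> (adjust the log path per system), with two caveats the post doesn&#8217;t spell out: a hosts.deny entry only takes effect if sshd is linked against libwrap, and OpenSSH 6.7 and later dropped that support, so on current systems the same list should feed a pf table or an iptables/nftables set instead; and a hosts.deny entry stays until someone removes it, so a low threshold will eventually lock out a legitimate user who mistypes a password a few times.</p>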
<p>
Incidentally, there may be some other, perhaps better approaches for dealing with this.  One is to only allow key-based authentication instead of simple password authentication.  Another might be to run ssh on a port other than 22.  The first option is probably the most secure and some useful details can be found <a href="http://www.wsrcc.com/wolfgang/sshd-config.txt">here</a>.  Running somewhere other than 22 may be out of the question, and automated attack scripts may use port scanning to find running sshds rather than assuming the well-known service port.  </p>
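<p>A check for the &#8220;key-based authentication only&#8221; option above, added here as an example (not from this post or the linked sshd-config notes): the weak and hardened sshd_config fragments are constructed, and the unset-keyword defaults are the traditional ones from sshd_config(5). The audit deliberately also requires ChallengeResponseAuthentication to be off, because with it on, keyboard-interactive (typically PAM) password prompts still get through even when PasswordAuthentication is no.</p>

```shell
#!/bin/sh
# Added illustration: audit an sshd_config for "public keys only" login.

# Constructed sshd_config fragments: the first still allows passwords and
# root login, the second permits only public-key logins for one user.
WEAK_CONFIG='Port 22
Protocol 2
# PermitRootLogin no   <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers scotth'

# sshd_option FILE KEYWORD: print the effective value of KEYWORD, or nothing
# if it is unset. sshd honours the first occurrence of a keyword and matches
# keywords case-insensitively, so do the same; comments and blanks skipped.
sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# keys_only_audit FILE: return 0 if FILE leaves only public-key login enabled,
# otherwise print one line per offending setting and return 1.
keys_only_audit() {
    cfg=$1
    rc=0
    # Each spec: keyword, required value, traditional default when unset
    # (newer OpenSSH defaults PermitRootLogin to prohibit-password, which is
    # also acceptable in practice; this audit insists on "no").
    for spec in 'PasswordAuthentication no yes' \
                'ChallengeResponseAuthentication no yes' \
                'PermitRootLogin no yes' \
                'PubkeyAuthentication yes yes'; do
        set -- $spec
        value=$(sshd_option "$cfg" "$1")
        [ -n "$value" ] || value=$3
        if [ "$value" != "$2" ]; then
            echo "$1 is '$value' (want '$2')"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed fragments, written to a temp dir so
# nothing on the host is touched.
demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONFIG" > "$demo_dir/sshd_config.weak"
printf '%s\n' "$HARDENED_CONFIG" > "$demo_dir/sshd_config.hardened"
for f in "$demo_dir"/sshd_config.*; do
    if keys_only_audit "$f"; then
        echo "$f: public-key login only"
    else
        echo "$f: still accepts passwords or root"
    fi
done
rm -rf "$demo_dir"
```

<p>On a live host, <code>sshd -T</code> prints the effective configuration one lowercase keyword per line, and this function reads that output as-is; it does not follow Match blocks or Include directives in a raw file, so prefer the <code>sshd -T</code> output where it is available.</p>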
<p>
If you don&#8217;t need to ssh from arbitrary hosts, then you should be blocking that at the firewall level, though you can add it to hosts.deny as well.  Since this is IP based, a determined attacker who can figure out which machine IPs are on your &#8220;whitelist&#8221; could try to spoof them.  The attacks we&#8217;re blocking here are almost certainly automated and more of a nuisance.  Restricting logins to key-based authentication only should be considered. This script or one of the firewall scripts noted above could then be added as well to block automated nuisance attempts.  For a little extra obscurity, <a href="http://www.linuxjournal.com/article/6811">Port Knocking</a> could be layered into the mix&#8230;.</p>
<p>
Download link: <a href="http://www.scottharney.com/ssh_blocker_wrap-sh.tar.gz">ssh_blocker_wrap-sh.tar.gz</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.scottharney.com/2005/01/03/ssh-blocker-script-for-tcp-wrappers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

