public inbox for speakup@linux-speakup.org
* re: /etc/suauth
@  Jude DaShiell
   ` /etc/suauth Adam Myrow
   ` /etc/suauth Sina Bahram
  0 siblings, 2 replies; 14+ messages in thread
From: Jude DaShiell @  UTC (permalink / raw)
  To: speakup

The analysis is flawed.  A machine with 99 user accounts on it and a root 
account with only one line in /etc/suauth with one user account on it 
presents a hacker with 98 decoys and one hackable account.  The hacker has 
to go to the trouble of stealing a user account password not a root 
account password and that is more difficult to do.  It never was only the 
possibility of irreversible system damage that was the only reason not to 
run as root on the internet with the security specialists in the first 
place.  Now if on a 99 user account machine you insist on having 99 lines 
in /etc/suauth, then a hacker would have 99 possible targets and would be 
more likely to break into a machine.





* re: /etc/suauth
   /etc/suauth Jude DaShiell
@  ` Adam Myrow
     ` /etc/suauth Sean McMahon
   ` /etc/suauth Sina Bahram
  1 sibling, 1 reply; 14+ messages in thread
From: Adam Myrow @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

On Sat, 17 Dec 2005, Jude DaShiell wrote:

> The analysis is flawed.  A machine with 99 user accounts on it and a root 
> account with only one line in /etc/suauth with one user account on it 
> presents a hacker with 98 decoys and one hackable account.  The hacker has to 
> go to the trouble of stealing a user account password not a root account 
> password and that is more difficult to do.

I fail to see why you don't understand the problem you would create. 
Essentially, you would be saying that any of your 99 users may su to root 
without knowing the root password.  Any one of them could now do whatever 
they want without having to put forth any effort at all.  The hacker could 
be one of your users.  If you are so concerned with the root password 
getting out on the Internet, then you would be much better off forbidding 
the use of the su command entirely, or at least blocking attempts to su to 
root.  No ordinary user should be using it anyhow.  While you are at it, 
prevent root logins via SSH.  You can't do administration anywhere except 
the console this way, but it's a lot better than opening up your machine 
to anybody who just happens to try to su to root.



* RE: /etc/suauth
   /etc/suauth Jude DaShiell
   ` /etc/suauth Adam Myrow
@  ` Sina Bahram
  1 sibling, 0 replies; 14+ messages in thread
From: Sina Bahram @  UTC (permalink / raw)
  To: 'Speakup is a screen review system for Linux.'

So you have increased the chances from 1 out of 99, to 2 out of 99 ...
Actually you have doubled their chances ...

But, regardless of that, I have a question. You said it's harder to find the
password to a user account than to root. Please explain.

Take care,
Sina 

-----Original Message-----
From: speakup-bounces@braille.uwo.ca [mailto:speakup-bounces@braille.uwo.ca]
On Behalf Of Jude DaShiell
Sent: Saturday, December 17, 2005 4:00 PM
To: speakup@braille.uwo.ca
Subject: re: /etc/suauth

The analysis is flawed.  A machine with 99 user accounts on it and a root
account with only one line in /etc/suauth with one user account on it
presents a hacker with 98 decoys and one hackable account.  The hacker has
to go to the trouble of stealing a user account password not a root account
password and that is more difficult to do.  It never was only the
possibility of irreversible system damage that was the only reason not to
run as root on the internet with the security specialists in the first
place.  Now if on a 99 user account machine you insist on having 99 lines in
/etc/suauth, then a hacker would have 99 possible targets and would be more
likely to break into a machine.



_______________________________________________
Speakup mailing list
Speakup@braille.uwo.ca
http://speech.braille.uwo.ca/mailman/listinfo/speakup




* Re: /etc/suauth
   ` /etc/suauth Adam Myrow
@    ` Sean McMahon
  0 siblings, 0 replies; 14+ messages in thread
From: Sean McMahon @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Perhaps the original poster could simply tell us where he obtained this
information.  Think we're talking about 2 different things here.
----- Original Message ----- 
From: "Adam Myrow" <amyrow@midsouth.rr.com>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Saturday, December 17, 2005 3:40 PM
Subject: re: /etc/suauth


> On Sat, 17 Dec 2005, Jude DaShiell wrote:
>
> > The analysis is flawed.  A machine with 99 user accounts on it and a root
> > account with only one line in /etc/suauth with one user account on it
> > presents a hacker with 98 decoys and one hackable account.  The hacker has to
> > go to the trouble of stealing a user account password not a root account
> > password and that is more difficult to do.
>
> I fail to see why you don't understand the problem you would create.
> Essentially, you would be saying that any of your 99 users may su to root
> without knowing the root password.  Any one of them could now do whatever
> they want without having to put forth any effort at all.  The hacker could
> be one of your users.  If you are so concerned with the root password
> getting out on the Internet, then you would be much better off forbidding
> the use of the su command entirely, or at least blocking attempts to su to
> root.  No ordinary user should be using it anyhow.  While you are at it,
> prevent root logins via SSH.  You can't do administration anywhere except
> the console this way, but it's a lot better than opening up your machine
> to anybody who just happens to try to su to root.

* Re: /etc/suauth
           ` /etc/suauth Sean McMahon
@            ` Igor Gueths
  0 siblings, 0 replies; 14+ messages in thread
From: Igor Gueths @  UTC (permalink / raw)
  To: Sean McMahon, Speakup is a screen review system for Linux.

Hi. In terms of the port knocking, there are various implementations floating around afaik. http://portknocking.org is the original Perl prototype. Knockd I've heard of somewhere as well; 
another implementation that I think is based on the original.
On Mon, Dec 19, 2005 at 10:54:53AM -0700, Sean McMahon wrote:
> Actually, ssh is usually port 22; 23 is usually telnet.
> ----- Original Message ----- 
> From: "Charles Hallenbeck" <chuckh@hhs48.com>
> To: <sdawes@telus.net>; "Speakup is a screen review system for Linux."
> <speakup@braille.uwo.ca>
> Sent: Sunday, December 18, 2005 11:37 AM
> Subject: Re: /etc/suauth
> 
> 
> > Steve,
> >
> > There is a Debian package called "knockd", not sure about other distros.
> > It comes with a port sniffing daemon and a client program. You configure
> > the daemon by specifying a trio of ports to monitor, and a couple of
> > timing parameters. Once you do that you can close port 23 on your
> > firewall, but keep the sshd daemon and the knockd daemon running.
> >
> > When some user wants to connect with ssh, she first issues the knock
> > command giving the host name and the three ports, which is detected on
> > the remote host, causing the firewall to open port 23 for a specified
> > period. In my case it is 10 seconds. During that time the calling
> > system issues the usual ssh or sftp command, makes connection, and the
> > connection remains alive as long as needed. However, once the 10 second
> > period expires, the firewall once again closes port 23 to any further
> > connection requests unless again preceded by the correct port sequence.
> > It is analogous to a "secret knock"  on a door, as in spy movies or
> > prohibition films. Very cool.
> >
> > I connect to my system this way by issuing something  like this, but
> > with the correct port numbers:
> >
> > knock hhs48.com 1234 2345 3456 ; ssh username@hhs48.com
> >
> > and it looks on the console identical to the case where port knocking is
> > not in the picture.
> >
> > What distro do you use? Can you search for "knockd" for your system?
> >
> > Chuck
> >
> > -- 
> > The Moon is Waning Gibbous (91% of Full)
> > But you can still get downloads from http://www.mhcable.com/~chuckh

- -- 
Any society that would give up a little liberty to gain a little
   security will deserve neither and lose both.
- -- Benjamin Franklin

* Re: /etc/suauth
         ` /etc/suauth Charles Hallenbeck
           ` /etc/suauth Sina Bahram
@          ` Sean McMahon
             ` /etc/suauth Igor Gueths
  1 sibling, 1 reply; 14+ messages in thread
From: Sean McMahon @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Actually, ssh is usually port 22; 23 is usually telnet.
----- Original Message ----- 
From: "Charles Hallenbeck" <chuckh@hhs48.com>
To: <sdawes@telus.net>; "Speakup is a screen review system for Linux."
<speakup@braille.uwo.ca>
Sent: Sunday, December 18, 2005 11:37 AM
Subject: Re: /etc/suauth


> Steve,
>
> There is a Debian package called "knockd", not sure about other distros.
> It comes with a port sniffing daemon and a client program. You configure
> the daemon by specifying a trio of ports to monitor, and a couple of
> timing parameters. Once you do that you can close port 23 on your
> firewall, but keep the sshd daemon and the knockd daemon running.
>
> When some user wants to connect with ssh, she first issues the knock
> command giving the host name and the three ports, which is detected on
> the remote host, causing the firewall to open port 23 for a specified
> period. In my case it is 10 seconds. During that time the calling
> system issues the usual ssh or sftp command, makes connection, and the
> connection remains alive as long as needed. However, once the 10 second
> period expires, the firewall once again closes port 23 to any further
> connection requests unless again preceded by the correct port sequence.
> It is analogous to a "secret knock"  on a door, as in spy movies or
> prohibition films. Very cool.
>
> I connect to my system this way by issuing something  like this, but
> with the correct port numbers:
>
> knock hhs48.com 1234 2345 3456 ; ssh username@hhs48.com
>
> and it looks on the console identical to the case where port knocking is
> not in the picture.
>
> What distro do you use? Can you search for "knockd" for your system?
>
> Chuck
>
> -- 
> The Moon is Waning Gibbous (91% of Full)
> But you can still get downloads from http://www.mhcable.com/~chuckh

* Re: /etc/suauth
     ` /etc/suauth Charles Hallenbeck
       ` /etc/suauth Steve Dawes
@      ` Sean McMahon
  1 sibling, 0 replies; 14+ messages in thread
From: Sean McMahon @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Interesting!  Where do you rtfm port knocking?
----- Original Message ----- 
From: "Charles Hallenbeck" <chuckh@hhs48.com>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Friday, December 16, 2005 5:27 PM
Subject: Re: /etc/suauth


> Adam,
> 
> Thanks for that analysis. I agree. And I would add that if you need to 
> rely on remote access to your system with ssh, it is an extra precaution 
> to use port knocking, so that the ssh port can remain closed by your 
> firewall until the correct sequence of "knocks" is issued. It is very 
> simple to set up and works like a charm. 
> 
> Chuck
> 
> -- 
> The Moon is Waning Gibbous (98% of Full)
> But you can still get downloads from http://www.mhcable.com/~chuckh

* Re: /etc/suauth
           ` /etc/suauth Sina Bahram
@            ` Charles Hallenbeck
  0 siblings, 0 replies; 14+ messages in thread
From: Charles Hallenbeck @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Right you are! telnet is 23, ssh is 22.  Thanks.

On Sun, Dec 18, 2005 at 02:04:36PM -0500, Sina Bahram wrote:
> One minor point
> 
> I think you mean port 22, not 23
> 
> Take care,
> Sina 
> 
> -----Original Message-----
> From: speakup-bounces@braille.uwo.ca [mailto:speakup-bounces@braille.uwo.ca]
> On Behalf Of Charles Hallenbeck
> Sent: Sunday, December 18, 2005 1:38 PM
> To: sdawes@telus.net; Speakup is a screen review system for Linux.
> Subject: Re: /etc/suauth
> 
> Steve,
> 
> There is a Debian package called "knockd", not sure about other distros. 
> It comes with a port sniffing daemon and a client program. You configure the
> daemon by specifying a trio of ports to monitor, and a couple of timing
> parameters. Once you do that you can close port 23 on your firewall, but
> keep the sshd daemon and the knockd daemon running.
> 
> When some user wants to connect with ssh, she first issues the knock command
> giving the host name and the three ports, which is detected on the remote
> host, causing the firewall to open port 23 for a specified period. In my
> case it is 10 seconds. During that time the calling system issues the usual
> ssh or sftp command, makes connection, and the connection remains alive as
> long as needed. However, once the 10 second period expires, the firewall
> once again closes port 23 to any further connection requests unless again
> preceded by the correct port sequence. 
> It is analogous to a "secret knock"  on a door, as in spy movies or
> prohibition films. Very cool. 
> 
> I connect to my system this way by issuing something  like this, but with
> the correct port numbers:
> 
> knock hhs48.com 1234 2345 3456 ; ssh username@hhs48.com
> 
> and it looks on the console identical to the case where port knocking is not
> in the picture.
> 
> What distro do you use? Can you search for "knockd" for your system?
> 
> Chuck
> 
> --
> The Moon is Waning Gibbous (91% of Full) But you can still get downloads
> from http://www.mhcable.com/~chuckh

-- 
The Moon is Waning Gibbous (91% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh



* RE: /etc/suauth
         ` /etc/suauth Charles Hallenbeck
@          ` Sina Bahram
             ` /etc/suauth Charles Hallenbeck
           ` /etc/suauth Sean McMahon
  1 sibling, 1 reply; 14+ messages in thread
From: Sina Bahram @  UTC (permalink / raw)
  To: 'Speakup is a screen review system for Linux.', sdawes

One minor point

I think you mean port 22, not 23

Take care,
Sina 

-----Original Message-----
From: speakup-bounces@braille.uwo.ca [mailto:speakup-bounces@braille.uwo.ca]
On Behalf Of Charles Hallenbeck
Sent: Sunday, December 18, 2005 1:38 PM
To: sdawes@telus.net; Speakup is a screen review system for Linux.
Subject: Re: /etc/suauth

Steve,

There is a Debian package called "knockd", not sure about other distros. 
It comes with a port sniffing daemon and a client program. You configure the
daemon by specifying a trio of ports to monitor, and a couple of timing
parameters. Once you do that you can close port 23 on your firewall, but
keep the sshd daemon and the knockd daemon running.

When some user wants to connect with ssh, she first issues the knock command
giving the host name and the three ports, which is detected on the remote
host, causing the firewall to open port 23 for a specified period. In my
case it is 10 seconds. During that time the calling system issues the usual
ssh or sftp command, makes connection, and the connection remains alive as
long as needed. However, once the 10 second period expires, the firewall
once again closes port 23 to any further connection requests unless again
preceded by the correct port sequence. 
It is analogous to a "secret knock"  on a door, as in spy movies or
prohibition films. Very cool. 

I connect to my system this way by issuing something  like this, but with
the correct port numbers:

knock hhs48.com 1234 2345 3456 ; ssh username@hhs48.com

and it looks on the console identical to the case where port knocking is not
in the picture.

What distro do you use? Can you search for "knockd" for your system?

Chuck

--
The Moon is Waning Gibbous (91% of Full) But you can still get downloads
from http://www.mhcable.com/~chuckh


* Re: /etc/suauth
       ` /etc/suauth Steve Dawes
@        ` Charles Hallenbeck
           ` /etc/suauth Sina Bahram
           ` /etc/suauth Sean McMahon
  0 siblings, 2 replies; 14+ messages in thread
From: Charles Hallenbeck @  UTC (permalink / raw)
  To: sdawes, Speakup is a screen review system for Linux.

Steve,

There is a Debian package called "knockd", not sure about other distros. 
It comes with a port sniffing daemon and a client program. You configure 
the daemon by specifying a trio of ports to monitor, and a couple of 
timing parameters. Once you do that you can close port 23 on your 
firewall, but keep the sshd daemon and the knockd daemon running.

When some user wants to connect with ssh, she first issues the knock 
command giving the host name and the three ports, which is detected on 
the remote host, causing the firewall to open port 23 for a specified 
period. In my case it is 10 seconds. During that time the calling 
system issues the usual ssh or sftp command, makes connection, and the 
connection remains alive as long as needed. However, once the 10 second 
period expires, the firewall once again closes port 23 to any further 
connection requests unless again preceded by the correct port sequence. 
It is analogous to a "secret knock"  on a door, as in spy movies or 
prohibition films. Very cool. 

I connect to my system this way by issuing something  like this, but 
with the correct port numbers:

knock hhs48.com 1234 2345 3456 ; ssh username@hhs48.com

and it looks on the console identical to the case where port knocking is 
not in the picture.

What distro do you use? Can you search for "knockd" for your system?

Chuck

-- 
The Moon is Waning Gibbous (91% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh
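
The knock sequence and the 10 second window described in this message, modelled as a small state machine. This is an added example, not code from the post or from knockd; the class and parameter names are hypothetical, the per-source-address tracking and the 5 second sequence timeout are assumptions, and the ports are the placeholder values from the message.

```python
"""Model of a port-knock gate: the right port sequence opens a short window."""


class KnockGate:
    def __init__(self, sequence, seq_timeout=5.0, open_seconds=10.0):
        self.sequence = list(sequence)    # ports that must be hit, in order
        self.seq_timeout = seq_timeout    # assumed: max seconds for the whole sequence
        self.open_seconds = open_seconds  # how long new connections are accepted
        self._progress = {}               # source -> (next index, time of first knock)
        self._open_until = {}             # source -> time the window closes

    def knock(self, src, port, now):
        """Record one knock; return True when it completes the sequence."""
        idx, started = self._progress.get(src, (0, now))
        if idx and now - started > self.seq_timeout:
            idx, started = 0, now         # too slow: forget earlier knocks
        if port == self.sequence[idx]:
            idx += 1
        else:
            # A wrong port resets progress, but it may itself start a new attempt.
            idx = 1 if port == self.sequence[0] else 0
            started = now
        if idx == len(self.sequence):
            self._open_until[src] = now + self.open_seconds
            self._progress.pop(src, None)
            return True
        if idx:
            self._progress[src] = (idx, started)
        else:
            self._progress.pop(src, None)
        return False

    def allows_new_connection(self, src, now):
        """Only new connections are gated; established ones are not modelled."""
        return now < self._open_until.get(src, float("-inf"))


if __name__ == "__main__":
    gate = KnockGate([1234, 2345, 3456])
    for t, port in enumerate([1234, 2345, 3456]):
        gate.knock("client", port, float(t))
    print("client at t=5: ", gate.allows_new_connection("client", 5.0))
    print("client at t=13:", gate.allows_new_connection("client", 13.0))
    print("other at t=5:  ", gate.allows_new_connection("other", 5.0))
```
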



* RE: /etc/suauth
     ` /etc/suauth Charles Hallenbeck
@      ` Steve Dawes
         ` /etc/suauth Charles Hallenbeck
       ` /etc/suauth Sean McMahon
  1 sibling, 1 reply; 14+ messages in thread
From: Steve Dawes @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Where can you find out more on this port knocking stuff?
How does one go about setting it up?


Steve




* Re: /etc/suauth
   ` /etc/suauth Adam Myrow
@    ` Charles Hallenbeck
       ` /etc/suauth Steve Dawes
       ` /etc/suauth Sean McMahon
  0 siblings, 2 replies; 14+ messages in thread
From: Charles Hallenbeck @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

Adam,

Thanks for that analysis. I agree. And I would add that if you need to 
rely on remote access to your system with ssh, it is an extra precaution 
to use port knocking, so that the ssh port can remain closed by your 
firewall until the correct sequence of "knocks" is issued. It is very 
simple to set up and works like a charm. 

Chuck

-- 
The Moon is Waning Gibbous (98% of Full)
But you can still get downloads from http://www.mhcable.com/~chuckh



* Re: /etc/suauth
   /etc/suauth Jude DaShiell
@  ` Adam Myrow
     ` /etc/suauth Charles Hallenbeck
  0 siblings, 1 reply; 14+ messages in thread
From: Adam Myrow @  UTC (permalink / raw)
  To: Speakup is a screen review system for Linux.

If I understand what you are saying, this would allow one to become root 
without giving the root password.  This sounds like a really bad idea to 
me.  If a cracker should get the regular password to any account on the 
system, he can just type "su" and become root without the password.  The 
whole point is to prevent the cracker from gaining root access, not make 
it easier.  In order to install a key logger on a system, the cracker must 
either be root, or trick an administrator into installing it, possibly via 
a Trojan Horse.  If you are accessing your Linux system via the console, 
I.E. sitting at the computer, the root password will not be sent out over 
the Internet unless your system has been compromised.  If you must access 
the root account remotely via the "su" command, connecting to the system 
via SSH is strongly recommended.



* /etc/suauth
@  Jude DaShiell
   ` /etc/suauth Adam Myrow
  0 siblings, 1 reply; 14+ messages in thread
From: Jude DaShiell @  UTC (permalink / raw)
  To: speakup

If you have a user account on a Linux box for this purpose called user, 
and you're not running PAM, a line like root:user:NOPASS in /etc/suauth 
(chmod 600 /etc/suauth once saved) may provide you with some security 
benefits.  When you next type su - <cr> after you've rebooted, you'll read 
a message saying password authentication bypassed if you were user at that 
time and you will have full root privileges and root's environment.  The 
security benefits come as a result of computer crackers installing packet 
sniffers to capture passwords.  So if you install a new system and use new 
passwords and make your /etc/suauth file and reboot before you go onto the 
internet for the first time, all those packet sniffers will ever see is 
password authentication bypassed each time you become root.  Very 
password authentication bypassed each time you become root.  Very 
frustrating for computer crackers, but then again who better deserves to 
be frustrated?
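
An added example, not part of the original post: an audit of suauth rules that reports which accounts can become root without root's password, using the to-id:from-id:ACTION format and first-match order documented in suauth(5). The sample file, user names and group membership are constructed, and the function names are hypothetical.

```python
"""Audit suauth(5)-style rules: who becomes root without root's password?"""

ACTIONS = {"DENY", "NOPASS", "OWNPASS"}

# Constructed sample: the single line from the post plus two other rule kinds.
SAMPLE_SUAUTH = """\
# constructed sample, not taken from a real system
root:user:NOPASS
root:GROUP wheel:OWNPASS
root:ALL:DENY
"""
SAMPLE_USERS = ["user", "alice", "bob", "carol"]   # constructed accounts
SAMPLE_GROUPS = {"wheel": {"alice"}}               # constructed membership


def _matches(spec, name, groups):
    """True if `name` is selected by a to-id or from-id field."""
    spec = spec.strip()
    if spec == "ALL":
        return True
    negate = spec.startswith("ALL EXCEPT ")
    if negate:
        spec = spec[len("ALL EXCEPT "):].strip()
    if spec.startswith("GROUP "):
        wanted = [g.strip() for g in spec[len("GROUP "):].split(",")]
        hit = any(name in groups.get(g, set()) for g in wanted)
    else:
        hit = name in [u.strip() for u in spec.split(",")]
    return hit != negate


def parse_suauth(text):
    """Return (line number, to-id, from-id, action) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[2].strip() not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((lineno, parts[0], parts[1], parts[2].strip()))
    return rules


def effective_action(rules, target, user, groups):
    """First applicable rule wins; (None, None) means the normal su check."""
    for lineno, to_id, from_id, action in rules:
        if _matches(to_id, target, groups) and _matches(from_id, user, groups):
            return action, lineno
    return None, None


def root_without_root_password(text, users, groups):
    """Map each account that skips root's password to (action, rule line)."""
    rules = parse_suauth(text)
    findings = {}
    for user in users:
        action, lineno = effective_action(rules, "root", user, groups)
        if action in ("NOPASS", "OWNPASS"):
            findings[user] = (action, lineno)
    return findings


if __name__ == "__main__":
    found = root_without_root_password(SAMPLE_SUAUTH, SAMPLE_USERS, SAMPLE_GROUPS)
    for user, (action, lineno) in sorted(found.items()):
        print(f"{user}: {action} via rule on line {lineno}")
```

Every account the audit lists is one whose own password, or no password at all, is enough to reach root, so those are the accounts to protect as carefully as root itself.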



