Comments
Comment by d.w.:
¶
Most likely, higherachievement.org has been compromised/cracked/rooted and someone else is using it as a zombie from which to launch other attacks. I doubt anyone at that site has a clue about security, or realizes that they’re running a hotel for creeps. You could always try dropping an email to postmaster, root, or administrator@higherachievement.org, but it would likely bounce. You could also do a WHOIS and drop a line (phone or snail mail) to the technical contact (apparently a Mr. Fernando Batista, in Washington, D.C. USA)
As far as locking down ssh, there are a number of things you can do — changing the port, as you’ve already consider, restricting the allowed source IPs (which is a PITA if you travel often and want to be able to hit your machine from anywhere), turning off PW authentication, restricting the accounts that can log in remotely, etc.
Comment by fudo:
¶
If you haven’t already, turn on firewall logging, and then leave a Console window open with ipfw.log showing. It’s quite fascinating what you’ll see…
Comment by ssp:
¶
Dave: Sure, they may be innocent victims. But they’re still incompetent then. If they weren’t they’d have hired better geeks to run their computers. [As bosses like to take credit when things work well, I think they also should take responsibility when things go wrong - a little detail that’s often forgotten these days.]
I tried to send a message to an address from their web site, info@…, but it bounced. But to be honest I don’t really care about their system. If they want it to be compromised, so be it. There are probably too many bad guys on the net that getting those out of the game would help anyone.
I really wish OS X had comfortable control for remote access. I have some accounts on my machine which don’t need remote access at all, and I have others for which just having sftp access will do. But it looks like there’s neither a GUI for setting this nor may those settings be preserved when you move to a new machine or have to reinstall things. So I don’t want to make the effort…
fudo: I may have a look at that when I’m in a good mood. I might get the impression that I’m all popular!
Comment by Hauke Fath:
¶
Aside from the load created by these dumb dictionary attacks, as long as you have strong passwords on the machine, you are quite safe. It becomes more of a problem on machines with many Luser accounts, obviously.
While you can of course respond by moving ssh to a different port, =/etc/hosts.{allow,deny}= access rules, port knocking etc., the cure will likely be worse than the disease.
Comment by Jerry Kindall:
¶
Don’t allow passwords with ssh, accept only public-key encryption. Very easy to configure sshd to do this, just change PasswordAuthentication to No in /etc/sshdconfig. (You might also have to turn off UsePAM, I don’t remember.) You then use the application ssh-keygen to generate an RSA key pair and store the private key in ~/.ssh/authorizedkeys. Copy the public key to the client machine and use it with the ssh client (this varies from client to client; for a ssh command line tool you usually put it in ~/.ssh/id_rsa). Once you turn off password authentication, the only people who can log in to your machine are those for whom you generate key pairs (or have physical access to your machine when it’s logged in).
Comment by ssp:
¶
Thanks for the hint Jerry. While I am a bit sceptical about changing files in OS X’s /private folder (because I fear that these changes will come to haunt me if I move to another computer or have to reinstall things - and I’ll probably have to both remember the changes I made and redo them in that case), this sounds interesting.
What’s not quite clear to me about using those keys for ssh is whether I can still access my machine from anywhere then. I.e. when I am at a friend’s and want to do something on my home computer or show them a file, can I still do that with a reasonable setup effort (on a Windows machine) and without compromising my own computer’s security in the process?
