Focus on Apple
several news stories on Macs being zombies Jan 08 2007 04:03AM
kevhoy (kevhoy gmail com) (2 replies)
RE: several news stories on Macs being zombies Jan 08 2007 05:39PM
Spransy, Derek (DSPRANS emory edu) (1 replies)
Re: several news stories on Macs being zombies Jan 08 2007 06:58PM
gjgowey tmo blackberry net (3 replies)
Re: several news stories on Macs being zombies Jan 16 2007 07:32PM
David Fedoruk (david fedoruk gmail com) (2 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:23PM
Jeremy Reichman (jjracc rit edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:34PM
Dave Schroeder (das doit wisc edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:48PM
Jeremy Reichman (jjracc rit edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:55PM
Philip Rinehart (philip rinehart yale edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 04:05PM
Dave Schroeder (das doit wisc edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 04:50PM
Jeremy Reichman (jjracc rit edu)
Re: several news stories on Macs being zombies Jan 17 2007 02:02AM
david (macosxforme gmail com) (1 replies)
>
>>
>>
>> Sent from my BlackBerry wireless handheld.
>>
>> -----Original Message-----
>> From: "Spransy, Derek" <DSPRANS (at) emory (dot) edu>
>> Date: Mon, 8 Jan 2007 12:39:38
>> To:"kevhoy" <kevhoy (at) gmail (dot) com>, <focus-apple (at) securityfocus (dot) com>
>> Subject: RE: several news stories on Macs being zombies
>>
>> We've had several instances where Macs have been used for DDoS
>> attacks and distributing spam. Each time the machines were
>> compromised via SSH brute force attacks. The systems would have
>> SSH enabled and local user accounts with usernames and passwords
>> such as test or temp. The attacker didn't exploit a vulnerability
>> in these cases, just a bad configuration. We do not enable SSH on
>> our workstations as a rule, however, some faculty and staff take
>> it upon themselves to do so. As a result we've begun putting in
>> our own custom sshd_config files that prevent root login via SSH
>> and restrict SSH logins to our admin accounts only.
>>
>>
>>
>> Don't forget that at its heart OS X is UNIX. Apple also uses open
>> source software such as OpenSSH and Samba which makes OS X as
>> susceptible as any UNIX or Linux box to attacks utilizing flaws
>> in that software. However, as far as I know, we've never had a
>> compromise that was the direct result of true vulnerability
>> exploitation on the Apple platform.
>
> Precisely. Anything that can run on a Linux box, can feasibly be
> ported (even compiled out of the box) for OS X. The open source
> community patches bugs promptly and releases fixes. Apple, on the
> other hand, waits months before releasing the most current patches.
> This lag puts Mac users at risk.
>
> The only way around this situation is to install Darwin Ports or Fink
> so that you have a chance of getting a patched OpenSSH install. Apple
> waited almost a full year to patch one SSH vulnerability.
>
> Cheers,
> David
>
>
> --
> David Fedoruk
>
> http://recordjackethistorian.wordpress.com
> "Music is enough for one's life time, but one life time is not enough
> for music" Sergei Rachmaninov

On Jan 16, 2007, at 2:32 PM, David Fedoruk wrote:

>> authentication as the only valid authentication method enabled.
>> However, I still notice numerous attempts in my log files of trying
>> brute force attacks. I've seen upwards of over 1000+ tries from the
>> same IP in some instances. SSH really needs better defense
>> mechanisms against these script kiddies like a timeout for some
>> period of time for an IP when they're trying an obvious brute force.
>
> This issue has come up on Linux forums. Some of my Linux servers have
> had regular attacks of this nature. Their frequency is increasing.
> Some of them go on to attack other ports like 2049 which is NFS mount.
> There was a bug in that system, patched years ago which crackers
> target next. Running Port Sentry takes care of that problem.
>
> But the SSH problem was bad enough that Cyril Jaquier wrote a python
> script called Fail2ban.
>
> "Fail2Ban monitors log files like /var/log/pwdfail or
> /var/log/apache/error_log and bans failure-prone addresses. It updates
> firewall rules to reject the IP address or executes user defined
> commands."
>
> So this updates IPTABLES dynamically in response to brute force
> attacks. The script is a godsend. Even if all the attempts are
> failures, it still affects system performance so dealing with it
> promptly like fail2ban does vastly improves this scenario. OS X needs a
> script like this for ipfw.

I had no trouble getting denyhosts to work on a 10.3.9 server,
haven't bothered with 10.4.x, all are behind a firewall/VPN and ssh
is properly locked down.

Some brief mention of denyhosts for ssh in 10.4 server here:
http://www.mail-archive.com/denyhosts-user@lists.sourceforge.net/msg00100.html
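
The kind of check the thread asks for on OS X (count failed SSH password attempts per source address and turn repeat offenders into ipfw deny rules), as an added example that is not part of the original posts and is not how Fail2ban or DenyHosts are implemented. The log line layout, the thresholds, the rule numbers and the names `find_offenders` and `ipfw_rules` are assumptions; the sample log is constructed.

```python
"""Threshold banning for sshd password failures, printing ipfw rules (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is attacker-chosen text, so the address is taken from the END
# of the line (greedy .* plus $), never from the first "from ..." that appears.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+(?: ssh\d)?$")

def find_offenders(lines, max_failures=5, window=timedelta(minutes=10), year=2007):
    """Return source IPs with >= max_failures failures inside a sliding window."""
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    offenders = []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(2)))  # reject non-addresses
        except ValueError:
            continue
        # syslog omits the year; `year` is an assumption supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that aged out
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders.append(ip)
    return offenders

def ipfw_rules(ips, first_rule=2000):
    """Format one ipfw deny rule per offender; the rule numbers are arbitrary."""
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(ips)]

# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE = [f"Jan 16 14:02:{s:02d} mac sshd[411]: Failed password for invalid user "
          f"test from 203.0.113.7 port 4022 ssh2" for s in range(6)]
SAMPLE += [
    "Jan 16 14:03:00 mac sshd[412]: Failed password for admin from 198.51.100.9 port 5 ssh2",
    "Jan 16 14:03:05 mac sshd[413]: Accepted publickey for admin from 198.51.100.9 port 6 ssh2",
]

if __name__ == "__main__":
    print("\n".join(ipfw_rules(find_offenders(SAMPLE))))
```

The script only prints the rules; applying them, and expiring old bans, is left to whatever runs it.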

RE: several news stories on Macs being zombies Jan 18 2007 03:16PM
Todd Woodward (todd_woodward symantec com) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:32PM
Dave Schroeder (das doit wisc edu) (1 replies)
Re: several news stories on Macs being zombies Jan 18 2007 03:52PM
Dave Schroeder (das doit wisc edu)
Re: several news stories on Macs being zombies Jan 09 2007 06:57AM
Nerijus Krukauskas (nkrukauskas gmail com)
RE: several news stories on Macs being zombies Jan 09 2007 02:56AM
Spransy, Derek (DSPRANS emory edu) (1 replies)
Re: several news stories on Macs being zombies Jan 09 2007 02:50PM
david (macosxforme gmail com) (1 replies)
Re: several news stories on Macs being zombies Jan 09 2007 07:40PM
gjgowey tmo blackberry net
Re: several news stories on Macs being zombies Jan 08 2007 04:57PM
Dave Schroeder (das doit wisc edu)


 
