Security Basics

Re: Reporting SSH abuse

Wed, 10 Mar 2010 22:35:13 GMT

Posted by James Bensley on Mar 10

I find in these situations, who is it you should actually tell? In the
your case were the traffic is coming from a University I'm sure the
Uni tech team would appreciated knowing but I have had it from some IP
in Brazil, I never reported it because I couldn't think who would give
a damn?

Re: Help hardening router

Wed, 10 Mar 2010 21:49:42 GMT

Posted by Dave LaDuke on Mar 10

Thanks for telling him, I had planned to have some fun later.

--------------------------------------------------
From: "Curt Shaffer" <cshaffer () gmail com>
Sent: Tuesday, March 09, 2010 1:49 AM
To: <mzcohen2682 () aim com>
Cc: <security-basics () securityfocus com>
Subject: Re: Help hardening router

------------------------------------------------------------------------
Securing Apache Web Server with thawte...

RE: Reporting SSH abuse

Wed, 10 Mar 2010 21:43:57 GMT

Posted by Dan Lynch on Mar 10

I could swear I once read an "authoritative" source doc on this subject, maybe an RFC (Site Security Handbook?), or
something from CERT. But I can't seem to dig it up. Anyone?

Here's what I did find:

Going to the Source: Reporting Security Incidents to ISPs (2002)
http://www.securityfocus.com/infocus/1555

And a most-excellent write up "Composing abuse reports" (2007)
http://blog.anta.net/2007/04/18/composing-abuse-reports/...

Re: Reporting SSH abuse

Wed, 10 Mar 2010 19:51:44 GMT

Posted by Liquid on Mar 10

Dan Pilcheck wrote:

Dan,

Honestly thats more than enough. I've had client sites that were doing
the same and the notifications were more than ample to at least look
into it. A nice note to the person should work, we had a couple in the
past where the admin was a complete jerk in letting us know. So
personally I'd recommend a screenshot of a log and perhaps just listing
the IP and what its hammering against. (ssh in this case). Hope this...

Re: Help hardening router

Wed, 10 Mar 2010 19:44:32 GMT

Posted by doug schmidt on Mar 10

http://www.cymru.com/Documents/secure-ios-template.html

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a...

Reporting SSH abuse

Tue, 09 Mar 2010 20:11:09 GMT

Posted by Dan Pilcheck on Mar 09

Hello list,

I've been getting a slew of SSH brute forces coming from a university
inside the US over the
past week. Normally I wouldn't even bother with reporting, but I
figured this would be a
chance to clear this up.

Fail2ban bans for 10 hours, and then the login attempts area right
back at it. Repeat.

An email with associated logs, and perhaps a little info from this
side is the best I can come
up with. I suppose there's not much else to...

Re: Help hardening router

Tue, 09 Mar 2010 20:04:56 GMT

Posted by Mike Hale on Mar 09

Wouldn't you want to encrypt your passwords in 5? Level 7 can be
cracked in seconds online.

Re: Help hardening router

Tue, 09 Mar 2010 19:57:58 GMT

Posted by Curt Shaffer on Mar 09

Step one is to now change all of your passwords unless you put bogus hashes in there when you posted this. Otherwise,
everyone on this list can tell you what they are now :)

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your...

Re: Help hardening router

Tue, 09 Mar 2010 19:46:24 GMT

Posted by Alex on Mar 09

Hi you

Take a look at the Cisco IOS benchmark from CIS [1]

type this

MARIO (config)#ip ssh?

does it show anything? [2]

Yes. You better change this access list with one that only allows the
traffic that you want and place a deny-all rule at the end. (You will
see this int the CIS benchmark as well)

But that's the access list that's applied to your internal network
going out. You also have an access-list that seems to be applied to
the...

RE: Help hardening router

Tue, 09 Mar 2010 16:15:48 GMT

Posted by Jatmoko, Arif (ID - Jakarta) on Mar 09

If this is a Cisco Catalyst, that should be support SSH. Just enable SSH by entering the command :
crypto key generate rsa
line vty 0 4
And disable telnet, make SSH the only transport agent, use ACL to restrict inbound & outbound packet passing your
interfaces (by ip address & services), enable logging, secure your login, etc...etc.

You should, at least learn some basic command or consults about configuring Catalyst IOS to someone has...

Re: securing a segment of a network

Tue, 09 Mar 2010 16:09:38 GMT

Posted by krymson on Mar 09

Would that be a primary concern about the current state of audits and checklists? Basically, there is a *lot* of effort
to camoflage or "limit the scope" of such audits.

<- snip ->
Now to the issue itself.

I am willing to believe the issue was actually about potential inappropriate access to system resources such as
applicatiions, shares and/or privileges. Splitting the network does not address this in any way, at best it...

FW: Help hardening router

Tue, 09 Mar 2010 16:05:21 GMT

Posted by Craig S. Wright on Mar 09

ARGGG!
Always obscure the details.

It is clear you are not experienced with Cisco security. As such, I would
start with an automated tool such as the router audit tool (RAT) and Nipper.

You get these from the following sites respectively:
Centre for Internet Security (CIS) website
http://www.cisecurity.org/bench_cisco.html.
Nipper, (Network Infrastructure Parser)...

Re: Help hardening router

Tue, 09 Mar 2010 15:59:15 GMT

Posted by John Morrison on Mar 09

Joe,

To protect, or secure, the router there are a few basics. These boil down to:
Install the latest IOS updates
Only run required services and disable all others
Allow only authenticated and encrypted access to the router
Use ACLs to control remote access to the router

See
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Latest IOS Update
==============
Download and installed the latest...

Re: Help hardening router

Tue, 09 Mar 2010 15:54:11 GMT

Posted by David Goldsmith on Mar 09

Did you change the various encrypted passwords before posting the
config? If not, we may not have the IP address of the router, but you
just exposed their passwords (which may be used elsewhere)

There are also IP address for other interfaces on the router and other
endpoints, descriptions of connections, etc, in the configuration that
you posted.

If you post configurations to public lists asking for review, you should
be sure to fully...

Re: securing a segment of a network

Tue, 09 Mar 2010 00:23:19 GMT

Posted by Adam Pal on Mar 08

Hi Roger,

First point: what you described bellow is nice, but it is one special scenario.
What is the most likely threat you want to mitigate?
Try to keep in mind, that mitigating exitic threats can lead you to higher costs and that is what you wanted to avoid
acording to your first email.
Also another question you can take in consideration: what would be your acceptable risks?

If the requirement is:
"Keep the same, maintain the...