[Beowulf] Re: "hobbyists"

Perry E. Metzger perry at piermont.com
Fri Jun 20 15:57:35 PDT 2008


"Robert G. Brown" <rgb at phy.duke.edu> writes:
> On Fri, 20 Jun 2008, Perry E. Metzger wrote:
>> That limits the number of attempts that may be made against your
>> particular machine. At the same time that they're attacking your
>> machine, that one instance is attacking a vast number of other
>> randomly selected boxes. There are also a vast number of the things
>> running out there, so in the long run, they succeed quite a bit of the
>> time.
>
> Yes, but only rarely, on a site that is actually registered with
> nameservice,

I don't understand what you mean by that...

>>From the evidence, they almost never succeed in the US,

A few days ago I informed an ISP in Florida that one of their servers
was running an ssh brute force agent, and I find that sort of thing
often enough that I don't think you're correct.

> when they do they almost NEVER succeed on a machine that is
> professionally managed,

The ISP seemed reasonably professional. Unfortunately they have to let
their web hosting customers log in with passwords...

> It isn't clear how many of the machines that are cracked and
> participating in the botswarm attack are linux based even globally.

A lot, but it is hard to say because the number of Linux boxes is so
small compared to Windows boxes. I could ask someone who knows
statistics if you're interested -- let me know.

> Of course a "real" professional ubercracker is damn near invisible once
> they get in and encapsulate, even on a Unix or Linux box.

Almost all root kits are professional these days -- they're written by
funded full time developers, and they're usually very good.

> In memoriam I to this day do try to watch network traffic from passive
> third party systems from time to time, especially if a system is
> behaving oddly, although with a switched network this is somewhat more
> difficult than it used to be

That's why they make passive taps out there. You put one on your
uplink and run Snort or something similar on a box attached to it.

> All of which is a cost.  Solving the cost-benefit equation for security
> is nontrivial and often leads to a fairly unique "best practices" for
> pros such as "read your logs", "get to know 'normal' on your systems",
> "watch for anomalies, deviations from normal", "read your logs", "watch
> your users and educate them gently", "tolerate not evil that lives in

It is actually a lot easier than that. I read my logs mostly to find
out what's new and not to keep my machines defended. Unfortunately,
living that way requires a lot of smarts to make things run safely. I
usually recommend automating the heck out of everything, and I also
don't recommend trying to educate users -- it is much like trying to
shovel the ocean. However, this isn't a security list so it is
portably not appropriate to discuss this much here.

>> There are many other similar sorts of things out there that you are
>> less aware of -- things knob-twisting on ebay, yahoo and gmail
>> accounts (I would explain why people want to steal something that's
>> free but its a long story), online banking, etc.
>
> No need to explain.  There are clear advantages to bot-spammers in
> autogenerating accounts on systems that can be used to launch bot-spam
> attacks (or can be convinced to accept the mail messages that make up
> bot-spam).

Actually, it is mostly so that account reputations can be stolen. On
eBay that's an obvious win -- it turns out that there are reasons to
want yahoo accounts that have been open for a while too. For spamming
via yahoo, people just use captcha crackers or the porn site
mechanical turk trick.

>>> Sure, it goes on and on.  I don't really LIKE seeing this, especially on
>>> a server with sensitive information, but that is precisely why one
>>> configures such servers with tight controls and runs a password checker.
>>
>> I don't run a password checker. I simply have no mechanisms in use
>> that *use* passwords, so it is irrelevant. Then again, I'm far more
>> paranoid than most people are. Professional hazard.
>
> Well, in many locations networks have to "serve the public", that is, a
> set of users.  Users who want to be able to work system to system at
> work, work system to system from home, work from remote sites in China
> where they happen to be attending a conference.

If they can't use public key auth, give 'em secure ids or something
similar. Works fine or such purposes. Passwords are dead.

> Cracking happens.  Such is life.  Almost nothing you can do on an open
> network with hundreds of users will completely prevent it, although if
> you want to spend money like water you can significantly reduce it.

You can make it rare enough not to worry much if you are willing to
do fairly mundane things, but most people don't.

>>>> It is true that this is only one of many modern attack vectors and
>>>> that buffer overflows, drive by malware downloads into browsers, etc.,
>>>> are all far more common ways in, but you will indeed get hacked by
>>>> automated systems if you leave an sshd on and have accounts with weak
>>>> passwords.
>>>
>>> Agreed as well.  Which is why professionals generally check for weak
>>> passwords (as do most of the password tools nowadays).
>>
>> Nah. Professionals don't even use passwords any more, as I said. (I'm
>> forced to use them on most e-Commerce sites because just about no one
>> does client cert based authentication, but my machines don't use
>> passwords. Most of my buddies machines don't use them either.)
>
> I meant "professionals managing networks or clusters of systems for
> users", not "professionals running their own servers or running their
> own network or cluster for themselves".

It is fairly rare in the circles I travel in for people to use
password based remote access. Hardware tokens and multi-factor auth
took over years ago. I'm talking about systems with tens of thousands
of users doing remote access, too.

> I avoid passwords myself when I can and choose strong ones when I
> can't and cross my fingers either way.  But a professional sysadmin
> managing a corporate, university, private, public network almost
> invariably has to support userid/password based access,

Not really, no. Tokens are cheap for remote access.

> usually to "most" of the network they manage.  How would you suggest
> that 15,000 students and 20,000 full time employees authenticate to
> access Duke's resources from absolutely anonymous hosts that could be
> anywhere on the global internet at any point in time

Hardware tokens, and multi-factor auth. The tokens these days fit on a
key ring. I know places with more users than you have and they're
happy with the solution. It is reasonably economical. I also realize
it won't happen on your network, but that's probably not because it is
economically infeasible.

>> Any given instance only tries a small random subset of the phase space
>> at a time on a given machine. However, the worms are pretty good about
>> picking random subsets. Over time, you will find they slowly will find
>> most of the more weakly defended boxes, just like water wearing down a
>> stone.
>
> The phase space is enormous.  I mean really, really enormous,

I can multiply too. It is not "big enough", though, and educating
users doesn't work.

> IMO, we are quite possibly moving towards a "healthy world" on the
> internet.  The problem we face is understandable, the linux solution is
> remarkably robust (and could be and is being made even more so).

I have my doubts. The problem appears to be getting much worse with
time from where I stand. I probably see more horror on a regular basis
than you do, though.

>> People do all sorts of things -- port knocking, filters that
>> autoblacklist IPs that have too many errors, etc. It is simpler and
>> safer just not to use passwords.
>
> Please explain how this works to me.  You keep saying that you don't use
> passwords.  How then do you and your users access your systems from
> remote anonymous sites (home or whereever)?

I talked about site wide solutions above.

For myself, I personally am too paranoid to use a keyboard I've left
out of my control for more than a trivial amount of time. I use ssh
with public key auth only.

>>> They are almost never driven by a real portscanner-driven attack,
>>
>> Only because they're not attacking you in particular. If someone had
>> reason to attack you in particular, then you would have more to worry
>> about. Again, I find it is better just to make sure that there is
>> nothing to attack.
>
> There is always something to attack. 

You can narrow the aperture a lot. Anything you don't run can't be
exploited. No one can guess passwords if you don't allow people to use
them. The principle can be extended a lot...

> No arguments, except that in a lot of cases I'd cut this down to sshd
> and nothing else for a user client.  However, we're back to the
> tradeoffs required by real world management.  Web servers ARE useful and
> are generally mandatory in many environments.

Mine run chrooted, unprived and heavily caged, and I generally don't
run Apache.

> And so is NFS.  And NFS often comes with a certain amount of
> baggage, although most people will block NFS-related ports at the
> firewall and limit their exposure to internal exposure.

I'm a believer in a different kind of firewall -- the kind that blocks
everything except the small number of things you know you need to let
through. One wants a firewall, not a firesieve... :)

> We have some pretty good people at Duke, actually.  I do NOT think that
> the physics department is in any sense "filled with exploited boxes" and
> the few that turn up can be instantly understood in terms of their
> distance from the centrally managed and monitored core (Windows
> machines, in other words).

If you exclude the overwhelmingly most popular OS, you're doing fine,
in other words. :)

The problem is, Windows takes all the hit these days because most
people have it so the pros who get paid attack Windows. If most people
ran OS X, the pros would be attacking OS X and you'ld be talking about
how secure you were except for the Macs...

> I think that our problem is that I have been prepending the word LINUX
> mentally to our discussions.  LINUX networks are not so commonly set up
> by people who know nothing.

Ubuntu is rapidly helping with that. :)


Perry
-- 
Perry E. Metzger		perry at piermont.com



More information about the Beowulf mailing list