Tuesday, March 08, 2016

Bad usernames

There are a lot (a LOT!) of articles about bad and weak passwords. What about weak usernames?

I have a server with a public-facing sshd (stuck on standard port 22). Running this gives a rough idea of which default usernames to avoid:

lastb -w | awk -F " " '{print $1}' | sort -n | uniq -c  | sort -n -r | more
     39 admin
     29 oracle
     21 test
      9 user
      9 postgres
      8 guest
      8 git
      8 a
      7 nagios
      4 ubuntu
      4 ftpuser
      3 redmine
      3 office
      3 developer
      3 b
      3 alias
      3 ADMIN
      2 zhangyan
      2 www
      2 vyatta
      2 ucpss
      2 ubnt
      2 tomcat
      2 teamspeak3
      2 teamspeak
      2 steam



What else can be done besides passwordless, key-only ssh access? Limiting exposure with fail2ban slows down any brute forcing, and whitelisting by geo-locating IP addresses may help too: http://www.axllent.org/docs/view/ssh-geoip/
And of course only open the ports needed via firewall etc.
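
To act on a tally like the one above, this added example (not from the original post) cross-references the guessed names against local accounts that still have a usable login shell. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: which of the usernames being
# guessed actually exist on this host with a usable login shell?

# exposed_accounts TALLY PASSWD
#   TALLY : "<count> <username>" lines, e.g. from
#           lastb -w | awk '{print $1}' | sort | uniq -c
#   PASSWD: a passwd(5)-format file, normally /etc/passwd
# Prints "<count> <username> <shell>", most-attempted first.
exposed_accounts() {
    awk '
        mode == "tally" { if (NF == 2) tried[$2] = $1; next }
        # passwd(5) fields: name:passwd:uid:gid:gecos:home:shell
        ($1 in tried) && $7 !~ /(nologin|false)$/ {
            shell = ($7 == "" ? "/bin/sh" : $7)   # empty field means /bin/sh
            print tried[$1], $1, shell
        }
    ' mode=tally "$1" mode=passwd FS=: "$2" | sort -k1,1nr -k2,2
}

# Constructed sample data (not real accounts) for trying the function.
sample_tally() {
    printf '%s\n' '     39 admin' '     29 oracle' '      9 postgres' \
                  '      8 git' '      4 ubuntu'
}
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:110:117:PostgreSQL:/var/lib/postgresql:/bin/bash
git:x:998:998::/home/git:/usr/bin/git-shell
oracle:x:54321:54321::/home/oracle:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
EOF
}
```

Any account it prints is a name attackers are already trying, so it is a candidate for renaming, locking or key-only access.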


Wednesday, February 24, 2016

Mosh and SSH

I recently gave mosh a try. I'd read a bit about how useful it can be with unreliable connections and queuing commands and maintaining a local echo to screen as you type avoiding lag - all good stuff.

However using GNU screen (or tmux) solves a lot of the problems with reconnecting so I just never bothered. I was also under the impression that mosh and ssh were mutually exclusive when in fact they both work together. I was concerned that installing mosh might break or hamper an existing reliable ssh service. Well so far I've installed it on several systems and it has had no negative effects on sshd. And that's the point of this post. I could not find that information written anywhere on the web.

That's not to say it's been perfect. It is possible to orphan a mosh session to which you cannot reattach. That is a bit annoying if rare. It doesn't aid scp and sftp transfers in terms of resumes. But that limitation doesn't bother me. Also there is no mosh support in PuTTY (nor is there likely to be!) or its forks such as KiTTY, which is disappointing if you use any Windows systems. There are some mosh clients for Windows but they're crippled versions of free or commercial packages or buggy Cygwin hacks. Not against payware - there just isn't one around I like the look of.

On mobile platforms however, JuiceSSH implements mosh admirably. Highly recommended on the Android platform.

Mosh monitors active ssh connections on a high port so port 22 or equivalent isn't enough. It requires UDP on an additional high port (~60001) to be opened on the firewall etc.

Tuesday, January 12, 2016

Filtering out old results from google search


For searching technical information, often it's the case that results older than a year may as well be in a glass case in a museum. If like me you're sick of scrolling through old results and various mouse clicks to set a suitable filter - append this to your search result:

&tbs=qdr:m

Ideally the "m" for month can be replaced with a year "y" or even "h" for hour.
It would be better if there was a quickly typed search operator for this. But there isn't. There is a date range filter but it requires dates in Julian Calendar format - yuck.


Tuesday, April 21, 2015

Monitoring users ssh tunnels (port forwarding)

I hope this aids others faced with the same issue. The problem was as follows. We have a number of remote users to a Linux system who need to access resources on some machines on a private network range. There are a number of solutions that could be employed such as VPN but for a variety of reasons we have decided to use ssh.

The tunneling works fine via the allocated ssh server. It is quite secure in that all users are given private keys and password access is disabled along with fail2ban. And from a usage perspective it has proven very robust. But this is all on the basis that your users are trusted. Ours are to a point, but we still need some more visibility and accountability.

Whilst sshd does log connections and you can increase that verbosity up to debug level in sshd_config, it still will not make a record anywhere of tunnels created. In short sshd only allows you to disable or enable port forwarding globally or per user. We still need more!

One option is to manually patch ssh:
http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/

An alternative quick and dirty solution is what I've gone with. I've put a cron running a variant of this (also piped into another grep to limit to specific username groups) every minute which feeds that into a log file in /var/log. In turn this is rotated daily and compressed.

lsof -i -n | egrep '\<ssh\>'

Something perhaps like this in a script:
date | tr '\n' ' '; lsof -i -n | egrep '\<ssh\>' | grep -v 22; printf '\n'

This inserts the date, trims the newline characters and gets rid of ordinary port 22 notices, as they're already catered for in auth.log. You may need to alter it slightly to suit your needs.

In crontab -e you can do something like:

*/1 * * * * /sbin/showtunnels.sh >> /var/log/sshd_tunnels

1 minute might be too verbose or insufficient depending on your system. Ideally it would be useful to report only the changes every minute rather than keep reporting the same tunnels still being open but that is another day's work. This is very much a work in progress!
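
One way to report only the changes, as an added example rather than the script from this post: keep the previous snapshot in a state file and log just the sockets that appeared or disappeared. It assumes sshd listens on port 22, matches on the sshd command name and adds lsof's -P flag so ports stay numeric; the function names, state file and sample lsof lines are constructed.

```shell
#!/bin/sh
# Added example, not the original post's script: log only tunnel changes.

# tunnel_set: read `lsof -i -n -P` output on stdin and print one sorted line
# per sshd-owned socket whose local port is not 22 (assumes sshd on port 22).
tunnel_set() {
    awk '$1 == "sshd" && $8 == "TCP" {
        split($9, ends, "->")          # ends[1] = local endpoint
        port = ends[1]; sub(/.*:/, "", port)
        if (port != "22") print $3, $9, $10
    }' | LC_ALL=C sort -u
}

# tunnel_changes PREV CUR: compare two tunnel_set snapshots.
tunnel_changes() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/OPENED /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/CLOSED /'
}

# log_tunnel_changes STATE_FILE: what the cron job would call each minute.
log_tunnel_changes() {
    new=$(mktemp) || return 1
    lsof -i -n -P 2>/dev/null | tunnel_set > "$new"
    [ -f "$1" ] || : > "$1"
    tunnel_changes "$1" "$new" | sed "s/^/$(date '+%Y-%m-%dT%H:%M:%S') /"
    mv "$new" "$1"
}

# Constructed lsof output (documentation addresses), for trying the parser.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    1201  root  3u  IPv4  18234      0t0  TCP *:22 (LISTEN)
sshd    2310 alice  3u  IPv4  20111      0t0  TCP 192.0.2.10:22->198.51.100.7:51514 (ESTABLISHED)
sshd    2310 alice  9u  IPv4  20150      0t0  TCP 192.0.2.10:40022->10.0.0.5:3389 (ESTABLISHED)
sshd    2310 alice 10u  IPv4  20151      0t0  TCP 127.0.0.1:8080 (LISTEN)
nginx    900  www   6u  IPv4  17000      0t0  TCP *:80 (LISTEN)
EOF
}
```

From cron, a wrapper would call log_tunnel_changes with a state file path and append its output to the tunnel log, so a quiet minute writes nothing.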

Tuesday, June 29, 2010

Symbian, MeeGo, Nokia and prospective developers

There's a lot of misinformation regarding the announcement that Nokia is moving to MeeGo for N-series phones. A lot of rumours, leaked prototypes and some panic amongst developers.

It certainly seems that this prototype E series currently called E7-00 is a spiritual successor to the N97 from the pictures. I would presume that the N8 and this phone were conceived long before the decision to move to MeeGo for N series. The re-badging of the N to E and/or X or even C series is just that, badge engineering. It will be the next crop of phones that really show any sign of dramatic changes. From right here right now, it looks like new E-series encompasses all existing E-series style and traditional N-series, whilst the N-series moves upmarket to a sector of UMPC (ultra mobile pcs) converged with smartphones.

UMPCs aren't new. There have been a few devices just before the N900 that have just missed the mark due to poor performance and the technology simply not being mature enough. The (now bankrupt) OQO Model 1 and Model 2 range was ahead of its time in concept but lacked the ability to do phone functions, was pricey and had battery & reliability issues. But that seems to be the vacant market niche where N-series with MeeGo is headed. It's just not clear how much of the current E-series will be MeeGo. If I was a developer on Symbian I would port to it. Also it's an open Linux platform and it may open up new market opportunities beyond phones. Or perhaps even beyond just Nokia.

Back to the present, certainly Nokia has acquired a reputation for having dropped the ball and let Apple and HTC streak ahead. Apple partially by marketing, partially by fresh GUI design. HTC from pure technical ability. Nokia have done a lot of good things lately but they simply aren't shouting loud enough. The free for life OVI mapping alone should be dripping off billboards and blaring from FM and TV adverts. But it just isn't. Nokia also simply haven't made the phones a fashion accessory in the way that Apple have. Nokia are still seen as functional whereas the iPhone is seen as an object of desire. The iPhone may be flawed but it isn't stopping sales. Even the reception issue on iPhone 4 isn't preventing it selling out. No other phone has that same level of hysteria with the general public. And general public isn't tech enthusiasts, it isn't bloggers. They're ordinary people who want a simple self explanatory interface. Big buttons!


What also strikes me as insane is the cost of having multiple operating systems. If you look at a different industry - take airlines for example. They will generally try and only use (so far as possible) one aircraft brand with one engine brand (Rolls-Royce or GE/CFM) etc as it simplifies training costs, maintenance costs, interoperability. Aer Lingus uses Airbus with CFM, British Airways uses Boeing etc. Another parallel would be engine and platform sharing in the car industry.

So Nokia have to maintain S40, S60, MeeGo. Sony Ericsson have S60, Windows Mobile, Android. Samsung seem the worst as they have S60, Bada, LiMO and Android. Even HTC have this problem to contend with as they have Windows Mobile, Android etc. Many of the aforementioned have their own proprietary systems too. But Apple have one phone operating system. Yes they're only in the higher end smartphone market now but I'll bet lesser devices when they appear will use the same iOS operating system. That's just one to maintain and develop. That's going to have some cost and profitability implications. And for a prospective developer wondering what systems they will develop and test for, it's going to have a big impact on their decision too.