Plugins that are wanted - Part 4

  • I thought fail2ban was abandoned due to feature Volker added for to many login failures. Also, if you have your lan via OpenVPN why you do you need fail2ban??? Why open up router to your http or https of OMV?


    Hum I think Volker's feature (PAM configuration - "Improve 'openmediavault' PAM configuration. Block users for 180sec after 3 failed login attempts." )
    don't works fully. I can see in my auth.log :


    I don't use OpenVpn and my port 22 for ssh is open, i need fail2ban !!!!
    I would use official OMV plugin fail2ban instead fail2ban with "apt-get install"


    That's why i would help for dev OMV plugin fail2ban !

  • Quote

    subzero79


    Sorry for "!", i don't scream.


    Quote

    subzero79

    and

    Quote

    tekkb


    Rsa key for ssh is a good idea but does not prevent ssh remote ssh login.


    I need fail2ban.


    I work a bit on https://github.com/OpenMediaVa…s/openmediavault-fail2ban.
    I would like to know how share my contribution ? a pull request ?

  • This may not apply to you but I recommend it for most people:


    Don't open port 22 to internet.
    Use OpenVPN AS to make a VPN connection to your LAN.
    Once the VPN is connected you can make SSH connection through the VPN.
    Then you don't need fail2ban.

  • but does not prevent ssh remote ssh login.


    It only allows login to the person in possession of the private key. Anyway how can you open port 22 to WAN?, use another one, you have like 64 thousand to use. Otherwise you're likely being targeted by bots all the time.


    BTW pam tally was used only for the web interface not ssh


  • It only allows login to the person in possession of the private key. Anyway how can you open port 22 to WAN?, use another one, you have like 64 thousand to use. Otherwise you're likely being targeted by bots all the time.


    BTW pam tally was used only for the web interface not ssh


    Changing the port just makes you think that you're more secure but it is just security through obscurity. This could be worth reading: https://www.adayinthelifeof.nl…port-than-22-is-bad-idea/

    Edited once, last by HK-47 ().

  • That assumes someone is already in control of your machine launching ssh daemons different than 22. This measure is just for avoiding floods of login attempts, and you don't have to change it directly is just a NAT FWD in the router. The pka is a good defense, other than that the port knocking is a very good simple idea, and easy to implement with iptables

  • That assumes someone is already in control of your machine launching ssh daemons different than 22. This measure is just for avoiding floods of login attempts, and you don't have to change it directly is just a NAT FWD in the router. The pka is a good defense, other than that the port knocking is a very good simple idea, and easy to implement with iptables


    It still doesn't help changing the port. They just have to find the port and it's not hard. Try running this command: nmap -sV <ip> or this nmap -p- -sV <ip>.

  • It must help a little. I used to run on port 22 (still port 22 on server but router forwards from a different port) and I got thousands of attempts per month at the school I do work for. Now, it is on different port and I have had none in five years.

    omv 5.6.13 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6.2 | kvm plugin 5.1.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • My system has root login over ssh disabled :)

    omv 5.6.13 usul | 64 bit | 5.11 proxmox kernel | omvextrasorg 5.6.2 | kvm plugin 5.1.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Also I don't think that OpenVPN is an absolute improvement. I mean both use two stage authentication with RSA key handshaking. OpenVPN main port may be slightly more secure, as for isn't as common as SSH, but the risk is greater. Someone that grants your VPN access directly gains access to your entire network.
    And also there is the OpenVPN web interface open for anyone to discover and play with.


    Opening ports it's always the same whatever you do. Except if you start MAC filtering (IPs can be easily substituted)

  • Rsa key for ssh is a good idea but does not prevent ssh remote ssh login.


    It does, if you tell it to. See:


    Code
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no


    And bam, no more login via SSH without PKA. The Private part of the SSH Key never leaves your PC!!! You never ever generate a SSH Key pair on the target server you want to access!


    I mean both use two stage authentication with RSA key handshaking.


    The Passphrase for the Private Key never leaves the authenticating PC. So unless the PC that authenticates is vulnerable big time SSH with PKA is a very decent security mechanism. You may also add a Port know like mentioned in hk-47's linked article.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • The Passphrase for the Private Key never leaves the authenticating PC. So unless the PC that authenticates is vulnerable big time SSH with PKA is a very decent security mechanism. You may also add a Port know like mentioned in hk-47's linked article.


    That's interesting.
    So there are only two ways of doing this:
    The server receives the key and validates himself, paired with some channel checksum validation so the server can authenticate the source of the key and that there's no man-in-the-middle.
    Or the client validates himself and sends OK to the server that acknowledges. If there's and intrusion in progress, you may expect the ssh client not being reliable. So I find second option more vulnerable.
    In any case, the private key is not travelling. Only the public key and the certificate is stored on the server.
    Anyway RSA certificates are only for handshaking, to establish the security of the channel where the credentials may travel after.


  • Source: http://www.slashroot.in/secure-shell-how-does-ssh-work


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!