[SGVLUG] Wake-On-LAN -- was Re: ssh breakins - tcp wrappers
cafelizardo at gmail.com
Sun Aug 6 01:41:54 PDT 2006
On 8/4/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
> I have tcpwrappers configured to only allow specific machines and send
> an email message when something unexpected comes in. Assuming little
> traffic due to the non standard port, this has helped track down
> problems when I try to connect from a new machine that isn't on the
> sshd: host1.domain: ALLOW
> sshd: host2.domain: ALLOW
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> Denial on XXXXX for %d from %h" root) &: DENY
> which sends me a message that looks like this:
> Subject: Port Denial on XXXXX for sshd from xxx.yyy.zzz
> Hey, anyone know what %flag to use in the hosts.allow file to get the
> name of your local machine? I just noticed it's hard coded. Don't
> want the fully qualified name.
> At work it's pretty much the same except they block all traffic now
> unless you go through their gateway.
> Most machines block finger nowadays but I used to get email with a
> list of who was logged onto the remote machine. At work, the network
> police run a daily scan so I get at least one email a day which lets
> me know everything is running fine.
> If you don't know in advance where people will be connecting from, you
> might want to consider a script that blocks an IP if there's too many
> failed attempts. I've been wanting to try port knocking but just
> haven't gotten around to it.
Now this is cool. I was looking at the BIOS settings of my file server
to see if there was a way to get it to power up after a power failure.
The closest was an alarm feature but that's only once a day. Noticed
that it has a Wake-On-LAN feature but the network card in the machine
doesn't support it. After digging around the old computers I managed
to find not just a card but the cable that goes with it. Never tried
it before but it was worth a shot.
The next question was how to send the magic packet (TM of AMD) from
the Internet. Thinking I might have to install something on my
laptop, a quick google search led me to dslreports which has a cgi for
sending them. Added an entry in my router to forward port 9 to my
file server and it worked!
Also been playing with port knocking but think my tcpwrapper entries
might get in the way. I want local machines to access via port 22 w/o
alerts. Remote machines explicitly listed w/o alert and an alert if
other machines connect after using knock code. In other words if it's
me transferring files from work or from other machines at home, I
don't want the email but any other access, I want to know about it.
Oh, as for the hostname in the deny messages, I was able to use %N
which returned the hostname. %H was returning the IP which was a
little too long in the subject line.
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
Denial on %N for %d from %c" root) & : DENY
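The magic packet the post sends through the forwarded port 9 is a fixed-format UDP payload: six 0xFF bytes followed by the target MAC repeated sixteen times, with an optional 4- or 6-byte SecureOn password on NICs that support it. The script below is an added example, not code from the original post or from dslreports; it builds such a packet, parses one back to the MAC it would wake (handy for checking what actually arrives on the forwarded port), and sends it as a UDP broadcast. The MAC address used is constructed, and the default port 9 is taken from the post. Note that without a SecureOn password the packet carries no authentication, so anything that can reach the forwarded port can wake the machine.

```python
import re
import socket

# Port the original post forwards on the router; port 7 is also common.
WOL_PORT = 9


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'."""
    digits = re.sub(r"[:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    """Render six raw bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """AMD magic packet: 6 x 0xFF, then the target MAC 16 times, then an
    optional 4- or 6-byte SecureOn password (empty when the NIC has none)."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def parse_magic_packet(data: bytes):
    """Return the MAC a payload would wake, or None if the payload is not a
    well-formed magic packet (wrong sync stream or inconsistent repetitions)."""
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    return format_mac(mac)


def send_magic_packet(mac: str, host: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Send the packet as a UDP datagram to host:port; returns bytes sent.
    On the LAN the broadcast address is used; from outside, the router's
    public address with port 9 forwarded, as in the post."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (host, port))


if __name__ == "__main__":
    # Constructed sample MAC, not a real host.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), parse_magic_packet(pkt))
```

Run it as `python3 wol.py` to see the 102-byte packet round-trip, or import it and call `send_magic_packet("<mac>")` from a machine on the same broadcast domain as the file server.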