[SGVLUG] Wake-On-LAN -- was Re: ssh breakins - tcp wrappers

Erik Espinoza erik.espinoza at gmail.com
Sun Aug 6 01:58:32 PDT 2006


Careful putting mail statements in tcp_wrappers. I've seen huge mail
servers crumble to their knees during a Nessus scan or remote DoS
attack.



On 8/6/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
> On 8/4/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
>
> > I have tcpwrappers configured to only allow specific machines and send
> > an email message when something unexpected comes in.  Assuming little
> > traffic due to the non standard port, this has helped track down
> > problems when i try to connect from a new machine that isn't on the
> > list:
> >
> > sshd: host1.domain: ALLOW
> > sshd: host2.domain: ALLOW
> >
> > ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> > Denial on XXXXX for %d from %h" root) &: DENY
> >
> > which sends me a message that looks like this:
> >
> > Subject: Port Denial on XXXXX for sshd from xxx.yyy.zzz
> >
> > Hey, anyone know what %flag to use in the hosts.allow file to get the
> > name of your local machine?  I just noticed it's hard coded.  Don't
> > want the fully qualified name.
> >
> > At work it's pretty much the same except they block all traffic now
> > unless you go through their gateway.
> >
> > Most machines block finger nowadays but I used to get email with a
> > list of who was logged onto the remote machine.  At work, the network
> > police run a daily scan so I get at least one email a day which lets
> > me know everything is running fine.
> >
> > If you don't know in advance where people will be connecting from, you
> > might want to consider a script that blocks an IP if there's too many
> > failed attempts.   I've been wanting to try port knocking but just
> > haven't gotten around to it.
> >
> > http://www.shorewall.net/PortKnocking.html
> >
>
> Now this is cool. I was looking at the BIOS settings of my file server
> to see if there was a way to get it to power up after a power failure.
> > The closest was an alarm feature but that's only once a day.  Noticed
> that it has a Wake-On-LAN feature but the network card in the machine
> doesn't support it.  After digging around the old computers I managed
> to find not just a card but the cable that goes with it.  Never tried
> it before but it was worth a shot.
>
> http://en.wikipedia.org/wiki/Wake_on_lan
>
> The next question was how to send the magic packet (TM of AMD) from
> the Internet.  Thinking I might have to install something on my
> laptop, a quick google search led me to dslreports which has a cgi for
> sending them.  Added an entry in my router to forward port 9 to my
> file server and it worked!
>
> http://www.dslreports.com/wakeup
>
> Also been playing with port knocking but think my tcpwrapper entries
> might get in the way.  I want local machines to access via port 22 w/o
> alerts.  Remote machines explicitly listed w/o alert and an alert if
> other machines connect after using knock code.  In other words if it's
> me transferring files from work or from other machines at home, I
> don't want the email but any other access, I want to know about it.
>
> Oh, as for the hostname in the deny messages, I was able to use %N
> which returned the hostname.  %H was returning the IP which was a
> little too long in the subject line.
>
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> Denial on %N for %d from %c" root) & : DENY
>
> claude
>

