DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 118
Default Prevent Brute Force Attack on Root Account

Dear All,

How to set up login attempt for root account? Thanks.
Reply With Quote
  #2   (View Single Post)  
Old 13th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,287
Default

Your question is unclear. I shall guess that you are asking us, "How do I prevent SSH password attacks against the root account?"

If that is your question, then just disable root login via SSH. You do this via the sshd_config(5) setting: PermitRootLogin no. The default has historically been PermitRootLogin yes, to simplify remote provisioning of new installations, with the best practice of the admin setting the option to no after installation has completed. For 5.8, the default will be no.

Though this is outside the scope of your question as I understand it, you can also disable passwords as an authentication mechanism, so that passwords cannot be used to log on at all. This is done via the sshd_config(5) setting PasswordAuthentication no. Alternative, and better authentication mechanisms, such as public keys, would be required when passwords cannot be used.
Reply With Quote
  #3   (View Single Post)  
Old 13th June 2015
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
ISO Quartermaster
 
Join Date: Apr 2008
Location: NYC
Posts: 567
Default

There's also a pf method to lock out ssh from an IP after a certain amount of attacks.

http://home.nuug.no/~peter/pf/en/bruteforce.html
Reply With Quote
  #4   (View Single Post)  
Old 13th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 118
Default

Sorry to tell you all that my question is not clear.

How to set up login attempt for root account via local and not SSH since I don't have sshd running?

For instance, a user had su more than 3 times, then it is disable to login again for several hours until the lock had released.

Thanks.
Reply With Quote
  #5   (View Single Post)  
Old 13th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,287
Default

To prevent local root login, you must disable local login by root. This is done via removing the secure option on all local tty records in ttys(5).

However, please note that physical access introduced many additional risks that you must consider, which have nothing to do with passwords. Keep in mind, any data on the system which is unencrypted is accessible to any attacker with physical access.
Reply With Quote
  #6   (View Single Post)  
Old 13th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,287
Default

Peter, physical access to a computer provides many ways an attacker can gain access to your data. As an example, OpenBSD FAQ 8.1 discusses how to reset the root password when it is unknown. Anyone with physical access to the system can use this method to "become" root or change the root password.

While there are mitigation techniques discussed in that FAQ entry, such as forcing a root password to be used to boot into single-user mode, nothing prevents access to data stored in unencrypted form. But even encryption doesn't eliminate the problem, it only mitigates it. There is an entire class of physical access attacks, Evil Maid Attacks, which attack users of encrypted storage media.

I encrypt the /home partition on an OpenBSD netbook I travel with. And my $DAYJOB laptop has full disk encryption by corporate policy. But neither of these encryption schemes protect me from Evil Maid attacks -- they only protect data stored on a powered-down netbook or laptop if lost or stolen. And, if the devices happen to be powered up and running when lost or stolen, disk encryption is less protective.
Reply With Quote
  #7   (View Single Post)  
Old 18th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 118
Default

Thanks for the information. I had removed the secure keywords from /etc/ttys. Thanks.

Questions:
1. How to permit the root login on certain time only?
For instance, allow root login between 9AM to 9.30AM only.

2. How to prevent user from local net login to OpenBSD box?

Last edited by Peter_APIIT; 18th June 2015 at 07:31 AM.
Reply With Quote
  #8   (View Single Post)  
Old 18th June 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,287
Default

Quote:
Originally Posted by Peter_APIIT View Post
1. How to permit the root login on certain time only?
For instance, allow root login between 9AM to 9.30AM only.
You would have to write shell scripts that make the appropriate provisioning changes to ttys(5) and send a SIGHUP to init(8) to initiate getty(8) changes, with timing managed via cron(8)/crontab(5). You would be responsible for designing, testing, and implementing this yourself. And, you would be responsible for support, such as managing a situation where you have locked yourself out of your own system.

The OS has plenty of weapons that you can use to shoot yourself in the foot.
Quote:
2. How to prevent user from local net login to OpenBSD box?
You stated you do not have sshd(8) running. If that is still true, there is no network originated shell access on OpenBSD.
Reply With Quote
  #9   (View Single Post)  
Old 20th June 2015
Peter_APIIT Peter_APIIT is offline
Shell Scout
 
Join Date: Jun 2008
Posts: 118
Default

Thanks.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Root Account Timeout Peter_APIIT OpenBSD Security 13 26th June 2015 02:56 AM
Brute force attacks Dr-D OpenBSD Security 1 18th July 2011 04:06 PM
ssh brute force attacks sniper007 FreeBSD Security 21 12th June 2011 01:28 AM
prevent root ssh access carpman FreeBSD Security 7 18th December 2009 04:24 PM
pf.conf brute force rule ijk FreeBSD Security 6 11th August 2008 04:54 PM


All times are GMT. The time now is 12:57 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick