SageTV Community  

  #1  
Old 11-01-2010, 06:44 PM
SteveD SteveD is offline
Sage Advanced User
 
Join Date: Feb 2009
Location: Alabama
Posts: 228
Security

Someone is trying to hack my SageTV server. I use Bitvise for remote access. They are trying to break through on the WinSSHD/SageTV server. Any suggestions on how to prevent the attack or make the system more secure? Windows XP Service Pack 3. I don't want to stop using my webserver, Squeezebox, and remote access. Any apps out there? I can't use McAfee; it crashes my server.

Suggestions Please.
__________________
Serv:ECS H61H2-T1 ITX I7 3770S CPU@3.1GHZ 8G Ram WIN1064 HDPVR, HD Homerun|network encoder Unraid Server:B75MU3B I5-3550 CPU@3.30GHz 9TB 16G Ram|Network HDPVR encoder:Win10 VM 8G Ram with Processor passthrough. Directv Http tuning to Genie, exemultitunplugin to Genie client. Http scheduled task bat file to defeat screensaver on Genie. Usb uirt scheduled task bat file to defeat screensaver on Genie client. Clients Android TV, Samsung TAB A
  #2  
Old 11-01-2010, 07:12 PM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Quote:
Originally Posted by SteveD View Post
Someone is trying to hack my SageTV server. I use Bitvise for remote access. They are trying to break through on the WinSSHD/SageTV server. Any suggestions on how to prevent the attack or make the system more secure? Windows XP Service Pack 3. I don't want to stop using my webserver, Squeezebox, and remote access. Any apps out there? I can't use McAfee; it crashes my server.
What makes you think someone is trying to hack into your server?

What firewall are you running now? Presumably you're running a regular, consumer-grade wireless router with NAT. Is your Sage server configured to be on the DMZ, or have you forwarded the SageTV/WinSSHD ports to it?

I'm not really sure you have reason to be terribly concerned (assuming you're using strong passwords). You'd expect a certain amount of port scanning. I wouldn't even be surprised to see some invalid login attempts from WinSSHD. You can't really stop those, since as long as your machine is on the Internet with either a publicly addressable IP or forwarded ports, people outside your network will be able to contact it.

I don't think McAfee's (or Norton's, etc.) software firewall would be a big help. The software firewall in WinXP SP2/3 is actually pretty good, so you might as well just use that. But, probably the attack traffic you're seeing is happening over the SageTV and WinSSHD ports, and any other ports you've had to open up.

If you're really, really concerned, you could set up a VPN gateway on your network, and basically block all incoming connection attempts to your network except to your VPN gateway. There are lots of ways to set something like that up. You could buy a standalone device, like a Cisco RVL200, for about $160. Or, with some effort and the right wifi router, you could install the DD-WRT firmware and get OpenVPN running on it. Or, if you have an old machine with 2 NICs sitting around somewhere, you could set up a dedicated firewall box running ClearOS or pfSense.
  #3  
Old 11-01-2010, 07:13 PM
evilpenguin evilpenguin is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Seattle, WA
Posts: 3,696
That's actually a good question. Right now my only security is being behind a NAT and on port 8080, is that enough to thwart most attacks or am I less secure than I think?
__________________
Clients: 1xHD200 Connected to 50" TH-50PZ750U Plasma
Server : Shuttle SFF SSH55J2 w/ Win7 Home, SageTV v7, Core i3 540, 2GB RAM, 30GB SSD for OS, 1.5TB+2x1TB WDGP for Recordings, BluRay, 2xHDHR, 1xFirewire
SageTV : PlayOn, SJQ, MediaShrink, Comskip, Jetty, Web Client, BMT


Having a problem? Don't forget to include a log! (Instructions for: PlayOn For SageTV v1.5, MediaShrink)
  #4  
Old 11-01-2010, 07:38 PM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Quote:
Originally Posted by evilpenguin View Post
That's actually a good question. Right now my only security is being behind a NAT and on port 8080, is that enough to thwart most attacks or am I less secure than I think?
A NAT router serves as a halfway decent firewall. Unless you have a good reason to do otherwise, you should probably make sure you can't access your router's configuration page without being on your network. Is port 8080 the only port you've forwarded?

Really, using port 8080 doesn't help you when it comes to security. It's a common port for HTTP traffic, so it's not really going to trick hackers. Mainly it helps because cable/DSL companies have a tendency to block incoming port 80 traffic to discourage you from running servers.

I've always been a little nervous about security. While Java is a relatively safe language to program in, you can still certainly screw things up on the security side. Frankly, I'd be surprised if the Sage developers have any real training writing secure code.

The web server worries me a bit more. A quick check suggests it's still running Jetty version 6.1.19, which has some known vulnerabilities. None of them seem to be too bad though. But I kind of wonder about how secure some aspects of it are. For instance, has anyone tried a shell injection attack on the "Custom Transcode Mode" box on the streaming option pages? I haven't tried it, but it wouldn't surprise me if there's a vulnerability there. If that is there, then it would give any attacker that breaks into your SageTV webserver page the ability to run arbitrary commands at the command line. That would give even more reason to turn off regular HTTP access and switch to HTTPS only.
  #5  
Old 11-01-2010, 08:09 PM
SteveD SteveD is offline
Sage Advanced User
 
Join Date: Feb 2009
Location: Alabama
Posts: 228
Repeated login attempts on WinSSHD. The log files show the attempts, and it is showing in Event Viewer. My DSL router is bridged to a Cisco wireless router. Ports are forwarded for web server, remote, and Squeezebox. Remote administration of the router is turned off. I reconfigured the remote user to user only, no admin rights on the server. I am currently using the Windows XP built-in firewall and Microsoft Essential, with exclusions on all video shares. This did not start happening until I moved WinSSHD to port 22.

Person trying to log in using root and administrator as username, and password as the password. I would think after they had not gotten their fill of playing with it. But when I got home from work, they were still at it. They will be sadly disappointed if they ever get in, just a lot of video.

Last edited by SteveD; 11-01-2010 at 08:28 PM.
  #6  
Old 11-01-2010, 09:10 PM
david1234 david1234 is offline
Sage Aficionado
 
Join Date: Nov 2007
Location: Beaverton, OR
Posts: 313
Quote:
Originally Posted by SteveD View Post
Repeated login attempts on WinSSHD. The log files show the attempts, and it is showing in Event Viewer. My DSL router is bridged to a Cisco wireless router. Ports are forwarded for web server, remote, and Squeezebox. Remote administration of the router is turned off. I reconfigured the remote user to user only, no admin rights on the server. I am currently using the Windows XP built-in firewall and Microsoft Essential, with exclusions on all video shares. This did not start happening until I moved WinSSHD to port 22.

Person trying to log in using root and administrator as username, and password as the password. I would think after they had not gotten their fill of playing with it. But when I got home from work, they were still at it. They will be sadly disappointed if they ever get in, just a lot of video.
While you're in there, I would go ahead and block the IPs of the system that seems to be trying to get in.
  #7  
Old 11-01-2010, 09:36 PM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Quote:
Originally Posted by SteveD View Post
This did not start happening until I moved WinSSHD to port 22.
That basically makes sense. There really isn't a commonly used alternative to port 22, so I think people doing scanning are likely to only look for ssh traffic on port 22. Why did you change the port?

Quote:
Originally Posted by SteveD View Post
Person trying to log in using root and administrator as username, and password as the password. I would think after they had not gotten their fill of playing with it. But when I got home from work, they were still at it.
Do they keep trying only user names "root" and "administrator" with "password" as the password? If that's true, I don't think this is really worth worrying about.

The WinSSHD documentation claims that it enforces delays when credentials are incorrect (although I don't know if they're constant-length delays or exponential), and it even claims it will automatically block the IP address of repeat offenders. You might want to send an email to the WinSSHD developers if it doesn't look like that's working.

Quote:
Originally Posted by david1234 View Post
While you're in there, I would go ahead and block the IPs of the system that seems to be trying to get in.
It sounds like the OP is running the stock Cisco firmware, which might not let you easily configure the firewall to block an IP.
  #8  
Old 11-02-2010, 03:27 AM
SteveD SteveD is offline
Sage Advanced User
 
Join Date: Feb 2009
Location: Alabama
Posts: 228
Changed to port 22 so I could access the system from work. The other port I was using was blocked. I'm not sure if it had anything to do with it, but when my wife attempted to watch TV, Sage was hosed until I did a reboot. Stopping and restarting the service did not help.

I have an old WRT54G that has DD-WRT running on it; I stopped using it because the wireless began to fail while it was on the original Cisco software. Changed the firmware attempting to fix it. But I could install it between the switch and the current wireless router if it has better filtering capabilities.

Last edited by SteveD; 11-02-2010 at 03:42 AM.
  #9  
Old 11-02-2010, 07:02 AM
PiX64 PiX64 is offline
Sage Icon
 
Join Date: Dec 2008
Location: Illinois
Posts: 1,991
I say, to be safe, set up a pfSense box to act as your one-stop shop. I have this sitting right behind my cable modem and just before my 24-port gigabit switch. It will allow you to do pretty well anything.

DMZ,
VPN,
firewall,
NAT,
and so on and so forth.

It's super easy to set up and will allow you the flexibility, in my opinion, for a pretty stinkin' secure network.

Oh yeah, you can see traffic logs, which will alert you of attacks and stuff like that too.

http://www.pfsense.org/?gclid=CLKBus...FQIGbAodqT9VQA

~Pix64
  #10  
Old 11-02-2010, 07:58 AM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
SteveD-

As I'm sure you realize, you're somewhat limited in what you can do. If you want to be able to remotely access your computer from anywhere, anyone else can remotely access it (although, hopefully not log in).

In general, programs implemented with security in mind should be OK. WinSSHD doesn't have much documentation available. You'd expect WinSSHD to enforce some type of delay (hopefully an increasing delay) for invalid login attempts, to limit the number of guesses. It might also block IPs of users that have done many invalid login attempts in a row. I'm not sure what the limit on that would be. I'd probably put it at 10 or 20. Like I suggested before, I think you should contact WinSSHD and figure out if you have anything to worry about.

Running something like pfSense seems like overkill, based on what it sounds like your needs are. It might make a bit more sense if you also wanted a VPN gateway, but I doubt you'd be able to use that from work. I doubt you're seriously threatened right now, so it doesn't seem worth it to spend the extra money each month on electricity to power an old computer running pfSense.

You could use the old WRT54G as a firewall. It could be a little tricky to set up, since you probably don't want two levels of NAT. What Cisco wifi router do you have? Many of the newer ones will run DD-WRT too.

Another possibly simpler option is to change your WinXP firewall settings. WinXP doesn't have a nice GUI for creating custom firewall rules, but you can pretty easily set it up so only IPs in a certain range can poke through your firewall. So, if you only care about accessing your box from work, you could just put in your workplace's IP range in the WinXP firewall settings for port 22. You might be able to add custom firewall rules at the command line to do things like drop traffic from a certain IP. I'm not sure though.

But I also don't think it makes sense to go to great trouble to block a specific IP. If you're running with port 22 open, potential hackers will see it when doing port scans, and some will try a small number of commonly used passwords. I wouldn't worry too much unless you see someone running through a few thousand dictionary words (which you shouldn't be using as a password anyway), as that sort of implies someone has singled your box out.
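Added example (not part of any post in this thread, and not WinSSHD's own logic): a log triage script that separates the background guessing described above from a targeted dictionary run, and applies the increasing delay and the 10-failure block threshold suggested in the thread. The log line format, the delay cap, the user names and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not WinSSHD's real layout):
#   2010-11-01 18:02:11 LOGIN_FAILED ip=198.51.100.7 user=root
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<event>LOGIN_FAILED|LOGIN_OK) ip=(?P<ip>\S+) user=(?P<user>\S+)$")
BLOCK_AFTER = 10     # consecutive failures before blocking (the thread suggests 10 or 20)
TARGETED_AT = 1000   # failures that look like a dictionary run, not a drive-by guess
MAX_DELAY = 300      # cap in seconds for the increasing delay (assumed value)

def next_delay(streak):
    """Exponentially increasing delay, in seconds, after `streak` failures in a row."""
    return min(2 ** (streak - 1), MAX_DELAY) if streak > 0 else 0

def analyze(lines):
    """Return {ip: report}; lines that do not match the format are skipped."""
    stats = defaultdict(lambda: {"failures": 0, "streak": 0, "worst": 0, "users": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        if m["event"] == "LOGIN_OK":
            s["streak"] = 0          # a successful login resets the streak
            continue
        s["failures"] += 1
        s["streak"] += 1
        s["worst"] = max(s["worst"], s["streak"])
        s["users"].add(m["user"])
    return {ip: {
        "failures": s["failures"],
        "users": sorted(s["users"]),
        "block": s["worst"] >= BLOCK_AFTER,
        "delay_now": next_delay(s["streak"]),
        "verdict": "targeted" if s["failures"] >= TARGETED_AT else "background",
    } for ip, s in stats.items()}

def sample_log():
    """Constructed sample: a drive-by guesser, a dictionary run, and the owner."""
    lines = ["2010-11-01 18:00:%02d LOGIN_FAILED ip=198.51.100.7 user=%s"
             % (i, ("root", "administrator")[i % 2]) for i in range(6)]
    lines += ["2010-11-01 19:00:00 LOGIN_FAILED ip=203.0.113.9 user=guess%d" % i
              for i in range(1200)]
    lines += ["2010-11-01 20:00:00 LOGIN_FAILED ip=192.0.2.44 user=steve",
              "2010-11-01 20:00:09 LOGIN_OK ip=192.0.2.44 user=steve",
              "not a log line"]
    return lines

if __name__ == "__main__":
    for ip, r in sorted(analyze(sample_log()).items()):
        print(ip, r["verdict"], "block" if r["block"] else "allow", r["failures"])
```

On the constructed sample, the six root/administrator guesses stay below the block threshold and are classed as background noise, while the 1,200-attempt source is both blocked and flagged as targeted.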
  #11  
Old 11-02-2010, 09:22 AM
DevNull DevNull is offline
Sage User
 
Join Date: Nov 2008
Posts: 18
SSH servers are typically attacked using a dictionary style method. It can quickly fill up your logs with these attacks and potentially slow your net connection/server. One way to thwart any chance of them guessing correctly is to switch to public key authentication. Once you have it configured properly, you should be able to disable the standard login/password authentication. This will cause the SSH server to quickly punt anyone who tries to connect via the "old" method.

For additional info, see this page for more security tips for WinSSHD.
  #12  
Old 11-02-2010, 10:19 AM
reggie14 reggie14 is offline
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Quote:
Originally Posted by DevNull View Post
SSH servers are typically attacked using a dictionary style method. It can quickly fill up your logs with these attacks and potentially slow your net connection/server. One way to thwart any chance of them guessing correctly is to switch to public key authentication. Once you have it configured properly, you should be able to disable the standard login/password authentication. This will cause the SSH server to quickly punt anyone who tries to connect via the "old" method.
That's a very good suggestion. I didn't realize you could configure WinSSHD that way. And the OP should still be able to log in from work.
  #13  
Old 11-05-2010, 07:24 AM
Polypro Polypro is offline
Sage Icon
 
Join Date: Jun 2005
Posts: 1,804
I would set up the free version of Hamachi. Total access to anything you want, not one port open to the net. Use it with the free TeamViewer for remote admin. All you ever need to do is type in the 5.xxx.xxx.xxx address into anything and you're in... since it's a VPN, no one else can access anything.

P
  #14  
Old 11-05-2010, 02:16 PM
Peter_h Peter_h is offline
Sage Fanatic
 
Join Date: May 2008
Location: Kailua, HI
Posts: 798
Yeah, I would turn off all forwarded ports and rely on a secured VPN connection. Generate a key with something like OpenVPN. If your router is flashed with DD-WRT it will support this.

For work access you install Hamachi/logmein/gotomypc on your sage server.