Exposing a server ==========================0
Using digital ocean, we will spin up a VM that is accessible from the internet, and see what is received from the internet.
Spin up a droplet
-
Sign in to Digital ocean
- Either signup using using my affiliate link, og directly on digitalocean.com.
-
Create droplet by clicking the "create" button and select "Droplets". It will take you here
-
Select
- Distribution: Debian 11
- Basic plan
- Regular with ssd
- Select the cheapest option ($5/month)
- No extra block storage
- Select region of your liking, e.g. Amsterdam
- Default VPNC network (unused in this exercise)
-
Select SSH key for Authentication
- Passwords should not even be considered an option.
- create a key, if you don't already have one.
-
No additional options
- 1 droplet only
- set a hostname if yo ulike
- no tags needed
- "Create droplet"
-
Go to "droplets" in the navigator to the left
-
Copy the IP address of the new droplet
-
use
ssh root@<ip>
to acces the new droplet.
Try ip a
, ping
, traceroute
and such to get a feel for the environment.
lookup at traffic
-
Issue an
ss -antp
on the VM -
Make a note of the IP address you connect from
-
Start tcpdump:
tcpdump -n -i eth0 host not <ip>
- the extra filter is to avoid seeing our own SSH traffic.
-
Look at the traffic.
- what leaves?
- what comes in?
- Any unsolicited?
ssh
Depending on the system, you may have a lot of ssh brute force attacks.
It is seen by either in tcpdump
by the amount of connections to port 22, og by looking into /var/log/auth.log
A failed login attempt - Invalid user:
Apr 19 12:17:12 netsec-ssh-test-fra sshd[1075]: Invalid user cirros from 211.36.141.239 port 15889
Apr 19 12:17:12 netsec-ssh-test-fra sshd[1075]: Received disconnect from 211.36.141.239 port 15889:11: Bye Bye [preauth]
Apr 19 12:17:12 netsec-ssh-test-fra sshd[1075]: Disconnected from invalid user cirros 211.36.141.239 port 15889 [preauth]
Login failed of known user. Probably trying a password on a keys-only login.
Apr 19 12:16:18 netsec-ssh-test-fra sshd[1024]: Received disconnect from 211.36.141.239 port 36477:11: Bye Bye [preauth]
Apr 19 12:16:18 netsec-ssh-test-fra sshd[1024]: Disconnected from authenticating user root 211.36.141.239 port 36477 [preauth]
Failed login user after a couple of hours
cat /var/log/auth.log | grep "Invalid user" | cut -d ' ' -f8 | sort | uniq | tr '\n' ','
admin,alarm,cirros,debian,ethos,guest,mine,miner,nagios,oracle,pi,postgres,soporte,support,test,tomcat,ubnt,ubuntu,user,vagrant,volumio,xbmc,
Note that "root" is not in the list, since it is a valid user on the system.
This matches a top-10 list from 2010.
Failing to establish key exchange
Apr 19 12:15:39 netsec-ssh-test-fra sshd[994]: Unable to negotiate with 61.177.173.40 port 42524: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Notice the -sha1
. That should not be used anymore. See RFC9142 for details.
We are running debian/bullseyes
and default behavior is to disable old key exchanges.
For reference, a successful login looks like this
Apr 19 12:45:20 netsec-ssh-test-fra sshd[1211]: Accepted publickey for root from <my ip> port 36255 ssh2: ED25519 SHA256:<my pub fingerprint>
Apr 19 12:45:20 netsec-ssh-test-fra sshd[1211]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)