
BLU Discuss list archive



Frackin script kiddies!!



On Tue, Aug 03, 2010 at 12:25:03AM -0400, David Kramer wrote:
> Matthew Gillen wrote:
> > On 08/02/2010 10:20 PM, Dan Ritter wrote:
> >> On Mon, Aug 02, 2010 at 08:49:43PM -0400, David Kramer wrote:
> >>> Long story short, the MythTV mailing list folks pointed out that
> >>> AutoExpire could not have done this, and it was more likely my MythWeb
> >>> interface was left unprotected, and some script kiddie had some fun
> >>> deleting it all.  And they were right.  After some update my .htaccess
> >>> file disappeared, and I never noticed I didn't need a password anymore.
> >> I don't have an .htaccess file.
> >>
> >> That's because my MythTV isn't listening to any ports from the
> >> outside world. If I want to jigger it remotely, I have to SSH in
> >> to my main machine, then tunnel over to the MythTV.
> 
> My needs are different.  I can't do that, in part because I use
> passphrases so my keys have to be installed on the ssh client machine
> (so I can't use any random machine), and because most ports out are
> blocked at work, the most likely place for me to need it.

Carry a USB key with a passphrased SSH key, then?

Run an sshd on a port that isn't blocked?

> >> If you can afford to have a gateway machine on all the time --
> >> and a $99 SheevaPlug only sips about 12W -- I do recommend this
> >> approach.
> 
> ... which would not have done ANYTHING in this scenario.  I keep hearing
> people talking about a separate firewall in front of my server that
> already has a firewall, but it only adds another layer to slow them
> down.  And any port that has to be opened to the outside world (which is
> a lot on my server since it does so much) is just being passed through
> anyway.

No, no it isn't.

You cannot make a TCP connection from the outside world to my
MythTV. The port is not open. 

This isn't a firewall. It's a bastion host. Packets aren't
inspected and passed through. You need to make an SSH connection
to it -- valid user, valid password or key. Then you can connect 
to tunnels you have set up via SSH: they appear as local ports
on your client machine, so instead of 

http://externaladdress/mythweb/

you need to go to 

http://127.0.0.1:specialport/mythweb/

And that's still not exposed to the outside, unless you have
done silly things to your SSH config. (It is exposed to other
users of your client, though, while it's up.)

> Well, I actually did some academic research into this area when I was
> working at Aptima, but more importantly, as an Agile Software Engineer I
> am into continuous improvement.  Every new thing I learn I can check
> for, every time I find an avenue of attack, I adapt to it.

Good. This time, the lesson I hope you learn is that reducing
your attackable surface will lower the amount of work you have
to do in future.

-dsr-

-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
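The tunnel Dan describes, together with his closing caveat about the forwarded port being visible to other users of the client, as an added example (this is not code from the thread): the ssh invocation binds the forward to 127.0.0.1 explicitly, and a small check reads a listening-socket table in `ss -ltn` form to flag any forward reachable from a non-loopback address. The host names bastion and mythtv, local port 8080 and the sample socket table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostnames "bastion" and
# "mythtv", local port 8080 and the sample socket table are assumptions.

# Build the ssh command for the local forward. The explicit 127.0.0.1 bind
# address is deliberate: with a bare "-L 8080:mythtv:80" the bind follows
# the client's GatewayPorts setting, and GatewayPorts yes would expose the
# forward to the whole network rather than just other users of the client.
tunnel_cmd() {
    host_alias=${1:-bastion}
    lport=${2:-8080}
    target=${3:-mythtv:80}
    printf 'ssh -N -L 127.0.0.1:%s:%s %s\n' "$lport" "$target" "$host_alias"
}

# Audit listeners for one port. Reads lines shaped like "ss -ltn" output on
# stdin (Local Address:Port is the 4th column) and returns 0 only when every
# listener on that port is bound to 127.0.0.1 or [::1].
check_loopback_only() {
    port=$1
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        case $laddr in
            *:"$port")
                case $laddr in
                    127.0.0.1:*|"[::1]":*) ;;
                    *) exposed=1 ;;
                esac ;;
        esac
    done
    return $exposed
}

# Constructed sample table, not a real capture: 8080 is bound correctly on
# both address families, 8081 is reachable on every IPv4 interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*
LISTEN 0      128    0.0.0.0:8081       0.0.0.0:*'

# Stand-alone run: show the command, then audit the sample table.
# Against a live client, replace the sample with: ss -ltn | check_loopback_only 8080
tunnel_cmd
printf '%s\n' "$SAMPLE_SS" | check_loopback_only 8080 && echo "8080: loopback only"
printf '%s\n' "$SAMPLE_SS" | check_loopback_only 8081 || echo "8081: exposed beyond loopback"
```

With the tunnel up, MythWeb is reached at http://127.0.0.1:8080/mythweb/ on the client, and the check confirms that 8080 is not listening on any address another machine could reach.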
