Intel GMA 500 psb_gfx

acer-ao751h.jpg

Acer Aspire One AO751

I have been one of the frustrated owners of an Intel GMA 500 card – see how kick your friends face gma500 for details.

Support for this card in Linux has historically been poor, at best, and X typically fails when you boot most distros. For example, the GMA 500 is excluded from Fedora Intel Test Days .

Many people have resorted to attempting to reverse engineer various closed source (PSB and IEGD) and more recently the EMGD driver with mixed results. Support has been best for Ubuntu, and spotty at best for other distros.

In February of this year , Alan Cox started working on a driver gma500: Intel GMA500 staging driver and I have been using this driver on Gentoo for the past few months.

The advantage of the psb-gfx driver is that it is in the Linux kernel and performance is quite acceptable. The driver is 2D, No 3D, Xv, Hardware Accelerated Video.

With some minor changes to the kernel configuration, the psb-gfx driver should soon be working, at native resolution, out of the box, without any end user configuration in both Fedora and Ubuntu.

Note: When starting the live CD/Flash drive, X is distorted when it starts. You need to re-start X (log out an the log in screen is fine, ctrl-alt-backspace in Fedora). Once you install, it helps to disable the boot splash.

Thank you to Alan Cox for developing the psb-gfx driver and to the Fedora and Ubuntu teams for making the adjustments to the default distribution kernel.

Screen shots – click on the images for a larger picture.

Gentoo

Fedora

Ubuntu

Posted in Linux | Tagged , , , | 12 Comments

initramfs

I have used gentoo on my netbook mainly to test the gma500 staging driver with a custom kernel. I have used gentoo-hardened sources with LUKS and LVM as well as fbcondecor.

In order to get the system to boot I have written a custom initramfs. In case it helps others I am posting some information on the contents.

The files included are listed here:

initramfs tree

biraries in /bin or /sbin are either static, or libs identified with ldd are included in /lib

The init script is sort of adapted from several sources and is as follows

#!/bin/busybox ash
# Modified from http://lunaryorn.de/articles/initramfs_gentoo.html

# Report errors / print messages
err () { echo "ERROR: $@"; }
msg () { [ "${quiet}" != 'y' ] && echo $@; }

# Global variables
export ROOT="/dev/mapper/lotus-root"
export PATH="/bin:/sbin"
export CRYPTROOT="/dev/sda10"
export CRYPTNAME="gentoo"
export CONSOLEFONT="ter-v16n"

# Mount proc and sys
mount -t proc none /proc
mount -t sysfs none /sys

# Silence kernel messages
msg "Silencing procfs …"
echo 0 > /proc/sys/kernel/printk

# Read kernel command line options
read CMDLINE </proc/cmdline
export CMDLINE
for x in ${CMDLINE}
do
  case "${x}" in
    quiet)
      quiet='y'
      export quiet
      ;;
  esac
done

# Create devices
echo "/sbin/modprobe" > /proc/sys/kernel/modprobe

msg "Creating device nodes …"
echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s

# set keymap
#kbd_mode -u /dev/tty1
printf "\033%%G" >> /dev/console
msg "Loading keymap …"
loadkmap < /etc/kmap-us

# set console font
msg "Setting font …"
setfont /usr/share/consolefonts/${CONSOLEFONT}.psf.gz -C /dev/tty
printf "\033(K" >> /dev/console

# Open LUKS Crypt
msg "Open LUKS Crypt …"
while ! cryptsetup luksOpen -T 3 $CRYPTROOT $CRYPTNAME >/dev/null ; do
  sleep 2;
done

# setup splash screen
. /etc/initrd.splash
msg "Setting up splashscreen …"
splash init

# LVM
lvm vgscan --ignorelockingfailure > /dev/null
lvm vgchange --ignorelockingfailure -ay >/dev/null

# Mount root fs ro for fsck
mount -o ro /dev/mapper/lotus-root /newroot

# Clean up and exit to rootfs
umount /sys
umount /proc
exec switch_root /newroot /sbin/init ${CMDLINE}

The only problem is that the boot splash does not display any area to enter the LUKS password. Hit alt-F1 and enter the password on the console.

The only other thing I think I need to address is running fsck, but I will leave that for another day.

thumb

Posted in Linux | Tagged | 3 Comments

Fedora classroom

I am going to try to offer a few sessions in Fedora Classroom starting next week with iptables.

I hope to cover “the basics” of iptables in #fedora-classroom on September 15th , 21:00 (UTC)

The session is planned to last an hour, with 30 minutes for questions. Target audience – users new to iptables.

The goal is to cover iptables syntax and configuration. To get the most out of the session it will help if you understand the basics of networking TCP/IP protocols and to that end I posted an outline at IPTables.odt.

The session will start with the filtering table and I can cover NAT as time allows.

Selinux has been suggested as a topic for future sessions.

Posted in Linux | 2 Comments

Ubuntu Membership via Forums participation

The Ubuntu Forums Council is pleased to continue the availability of Ubuntu Membership in recognition of Forums participation.

Benefits of Ubuntu membership include:

  1. Voting privileges to confirm Ubuntu Community Council nominations.
  2. An @ubuntu.com email alias that forwards to your real email address.
  3. An ”Ubuntu/member/your_nick” cloak on freenode.
  4. The right to print business cards with the Ubuntu logo.
  5. Syndication on Planet Ubuntu of your Ubuntu blog or the Ubuntu category posts in your blog, if you have one.
  6. An Ubuntu Member title at the Ubuntu Forums.
  7. A subscription to Linux Weekly News.
  8. Ability to join the Official Ubuntu Members group on LinkedIn.
  9. Signing up for SixXS account with an Ubuntu email address and a link to your Launchpad page will grant you an “Ubuntu Credit Bonus” of 25 credit points.
  10. SFTP access to a Web-accessible directory on people.ubuntu.com .

See The Ubuntu Wiki Membership page for details regarding the benefits of Ubuntu Membership.

In addition, we will almost certainly be selecting future forums staff from among Ubuntu Members active on the forums.

How to petition for membership:

  1. Create a wiki page.
  2. Create a Launchpad page. Although not mandatory, many people use the same identity/nick on Launchpad and on the forums.
  3. Sign the Ubuntu code of conduct. This has traditionally been one of the more difficult steps. FYI: A bug has been opened on Launchpad to make the process easier in the future.
  4. Create a thread in the Ubuntu Membership Applications section requesting a review of your application. Be sure to emphasize your forums contributions and include a link to your wiki and launchpad pages.
  5. Testimonials from friends may be posted on the thread you start on the above forums (preferable) or on your wiki page.

There is a “sticky” note in those forums Applying For Ubuntu Membership via Ubuntu Forums Contributions with a template for applications as well as some general advice on how to apply.

For additional information see Ubuntu Membership via Forums participation .

Current members are listed on Launchpad at: Ubuntu Forums Members .

If you are currently an Ubuntu member and would like to be added to the Launchpad team or if you need recognition on the forums feel free to send me a PM on the Ubuntu Forums with a link to your launchpad page.

We are moving to a system of open enrollment and we are accepting applications as they come in. Please keep in mind the FC is a volunteer staff thus the review process may take a few weeks.

Once one is approved and Ubuntu email is automatic (takes a few days), but many of the other benefits require a request from the approved individual to the proper team / location as outlined on the The Ubuntu Wiki Membership page.

Posted in Linux | Tagged , | 1 Comment

Fedora 15 remove kmod-nvidia

The post is in follow up to my post on installing the kmod-nvidia . I am a fanboi of the nouveau driver and the only reason I use the nvidia driver is when the nouveau driver fails.

This means removing kmod-nvidia and testing the nouveau driver with each new kernel. Typically I will do this when I have the time to work through the process and re-install kmod-nvidia if the nouveau driver fails (my wife hates it when X fails >_< ).

Unfortunately if you simply remove kmod-nvidia and reboot, gnome 3 then starts in fallback mode.

The easiest way to (for me) restore the nouveau driver is to boot to an older kernel, remove kmod-nvidia, and re-install the new kernel. Perhaps there is an easier method, but this seems fairly fool proof =)

1. Start by re-booting your computer and selecting an older kernel. Optionally you can boot to runlevel 3 but it is not necessary.

2. Remove the kmod-nvidia and akmod-nvidia.

yum erase --remove-leaves kmod-nvidia akmod-nvidia

3. Make sure nouveau is not black listed.

Using any editor, open /boot/grub/grub.conf and make sure the kernel line does NOT contain the following 2 options:

rdblacklist=nouveau nouveau.modeset=0

4. Move your xorg.conf.

mv /etc/X11/xorg.conf /etc/X11/xorg.conf.nvidia

5. Re-install the new kernel.

yum reinstall kernel

You will get a message about “Skipping the running kernel”, which is why we booted to an old kernel, but the new kernel should be re-installed.

6. Reboot. You should get a plymouth boot splash and the nouveau driver is should be working.

Personally, nouveau seems to be working on my nvidia card as of kernel 2.6.40-4.fc15 ( w00t !!! ).

Posted in Linux | Tagged | 2 Comments

selinux MCS

This is the second post regarding selinux arising from security discussions at our LUG.

Introduction

Selinux uses MAC, or mandatory access control, to grant or deny access to files or processes.

Multi-Category Security (MCS) is a method of giving users some flexibility within the selinux MAC framework.

James Morris gives a nice description here

In a nutshell, MCS is an enhancement to SELinux which allows users to label files with categories. These categories are used to further constrain DAC and TE logic.

An alternate, perhaps superior option to MCS would be ACL or access control lists.

See this link for a discussion of DAC vs MAC.

One last caution, some of the how-to’s on MCS seem outdated or incomplete and I managed to break selinux policy using chcat as root. I was only able to fix my system by re-installing selinux policy.

selinux context

Files have a selinux context displayed using the -Z option.

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0 file

The first field is the selinux user. Users can be listed with semanage and by default users are mapped to unconfined_u. The second field is the role, the third field is the type of file.

In this blog, we are interested in the fourth field, s0. This field is used by the selinux MLS policy and is optional in targeted policy (the default for fedora). MLS policy is currently “experimental“. MLS would give up to 10 security levels, s0-s9.

MCS, however, is supported in targeted policy. The targeted policy uses a single MLS, s0, but allows up to 1024 “categories“, c0-c1023.

To use MCS, the system administrator would map users to a selinux user (such as user_u or staff_u) and assign the range of MCS categories the user can access. Users can then assign categories to files using the chcat command.

Using Multi-Category Security (MCS)

Configure categories

Note: this step is optional, you can use MCS categories by number, without defining them in setrans.conf . If you define them in setrans.conf you can then use a category by name.

As root, edit /etc/selinux/targeted/setrans.conf

sudo vim /etc/selinux/targeted/setrans.conf

Add categories at the bottom

s0:c1=secret

s0:c2=4youreyesonly

Save your changes and restart mcstrans

sudo systemctl restart mcstrans.service

List your categories. Note this command does not need to be run as root.

chcat -L
s0 SystemLow
s0-s0:c0.c1023 SystemLow-SystemHigh
s0:c0.c1023 SystemHigh
s0:c1 supersecret
s0:c2 4youreyesonly

Set ranges of categories for your user my mapping them with semanage


Note: The documentation and how-to’s are outdated (for Fedora 15). They advise running chcat as root. The chcat tool should be run by users, and not root.

semanage is used to assign (map) category access to users using the -r flag

sudo semanage login -m -s staff_u -r s0:c0.c100 bodhi

Selinux user access can be listed with semanage login -l and the above command changes the default

bodhi staff_u s0

to

bodhi staff_u s0:c0.c100

To change back to the defaults, again use semanage

semanage login -m -s staff_u -r s0 bodhi

After making changes your user(s) will need to log out and back in.

id

uid=500(bodhi) gid=500(bodhi) groups=10(wheel) context=staff_u:staff_r:staff_t:s0:c0.c100

Changes the MCS categories of files as a user using chcat

Set your categories on files by running chcat as a user.

By number –

chcat -- c3 file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0:c3 file

Remove the category

chcat -- -s0 file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:s0 file

By name -

Note: By name seems a bit buggy as mcstrans does not recall names after rebooting and so must be restated.

chcat -- supersecret file

ls -Z

-rw--r--. bodhi bodhi user_u:object_r:user_home_t:supersecret file

Remove the category

chcat -- SystemLow file

ls -Z

-rw-rw-r--. bodhi bodhi unconfined_u:object_r:user_home_t:SystemLow file

You can assign multiple categories

c0.c10 assigns categories c0 – c10 inclusive
c0,c2 assignes categories c0 and c2

chcat -- c0.10 file

chcat -- c0,c2 file

Quirks

The biggest “problem” with MCS I find is that once you assign categories to a user, all new files have all the categories.

Example:

touch file

ls -Z

-rw-r--r--. bodhi bodhi staff_u:object_r:__t:s0:c0.c256 file

It seems we need a “semask” that would set a default category for new files, similar to umask.

Reference :

Fedora selinux user guide
Multi Category Security
A Brief Introduction to Multi-Category Security (MCS)
Getting Started with Multi-Category Security (MCS)
Centos Getting Started with Multi-Category Security (MCS)

The only problem with those tutorials is that they are somewhat outdated =)

Posted in Linux | Tagged , , | 1 Comment

selinux sandbox

This is the second in a series of blogs arising from security discussions in my LUG. This month we covered selinux and here I will show some examples of using the selinux sandbox.

Dan Walsh explains a selinux sandbox Introducing the SELinux Sandbox .

Many people first encounter sandbox when they find multiple mounts, see this discussion on the Fedora Forums.

Rather then turning this feature off, I would like to give examples of how to use it on a desktop with graphical applications such as a browser or pdf reader.

Sandbox uses Xephyr for graphical applications and although you can not resize a Xepher window, you can specify the size of the window and you can run a window manager within Xephyr.

Evince

Evince is a straight forward application to use with sandbox and you can open a PDF with

sandbox -X evince 1782.pdf &

The -X flag allows sandbox to use Xephyr.

Midori

I am going to use midori first as for me it works out of the box and is a fast browser.

sandbox -t sandbox_web_t -w 1672x968 -X midori &

Here we added the -t to specify a selinux type to allow web access and the -w to specify a Xepher window size.

We can also add the midori configuration file.

sandbox -t sandbox_web_t -i /home/bodhi/.config/midori -w 1366x768 -X midori &

The -i flag includes the specified file or directory in the selinux sandbox. Be sure to use the full path.

Firefox

Firefox is a much larger and more complex application and many people will use a variety of extensions and personas. I had a problem with firefox and Xephyr would open in a black screen, obviously some complex interaction between firefox, Xephyr, and sandbox, but am able to work around this by specifying a window manager.

First, create a new firefox profile to be used in the sandbox.

firefox -P

In the dialog box I created a profile named “sandbox”.

Next, run the new profile and customize it. Installed NoScript , adblock, a persona, and customized history and cookie settings the way I wanted.

Finally, start the sandbox with multiple -i (includes) and specifying the (sandbox) profile.

sandbox -X -t sandbox_web_t \

-i /home/bodhi/.mozilla/extensions \

-i /home/bodhi/.mozilla/plugins \

-i /home/bodhi/.mozilla/firefox/xxq3n2ci.sandbox \

-i /home/bodhi/.mozilla/firefox/profiles.ini \

-w 1366x768 -W fluxbox \

/usr/bin/firefox -P /usr/bin/sandbox &

The -i includes the specified files or directories in the sandbox and the -W specifies to use fluxbox as the window manager. Openbox also works as an alternate to fluxbox.

If you then look, your other profile, presumably containing things like passwords, is NOT in the sandbox. Open your mozilla directory in your browser

file:///home/bodhi/.mozilla/firefox

Use a script in ~/bin and create a launcher to use the sandbox. I call it sandfox.

#!/bin/sh

sandbox -X -t sandbox_web_t \

-i /home/bodhi/.mozilla/extensions \

-i /home/bodhi/.mozilla/plugins \

-i /home/bodhi/.mozilla/firefox/xxq3n2ci.sandbox \

-i /home/bodhi/.mozilla/firefox/profiles.ini \

-w 1366x768 -W fluxbox \

/usr/bin/firefox -P /usr/bin/sandbox &

You can now create a launcher for sandfox.

Copy and paste to your sandox

This blog was the resource I found to add copy-paste functionality to sandfox and contains additional tips.

Here we make the use of xsel and two scripts to copy and paste into the sandbox. The key is to know what X server is which.

To see your Desktop X session

echo $DISPLAY

:4

Here my desktop is on :4 as this is a shared computer and more then one user is logged in.

For firefox, open he file called “seremote” in your sandboxed home directory. Under File -> Open file in the firefox menu.

setsb copies selected text from your Desktop session to the Xephyr clipboard, paste by pushing the mouse wheel down.

#!/bin/sh

screen=$1

xsel -p -o | xsel --display $screen -p -i

getsb copies selected text from your Xephyr session to your Desktop clipboard, paste by pushing the mouse wheel down.

#!/bin/sh

screen=$1

xsel --display $screen -p -o | xsel -p -i

usage

setsb :4

getsb :6

Posted in Linux | Tagged , , | 5 Comments

Apparmor privoxy profile

This blog is an extension of a discussion we had at our LUG regarding security. We are reviewing both apparmor and selinux and started with apparmor.

One advantage of apparmor is that it is relatively easy to learn, but a potential downside is that as an end user you will need to learn to generate and maintain profiles. When learning to write profiles it is best to start with a smaller, simple application (rather then a large complex application such as firefox).

In this blog I will review how to generate a profile using privoxy as an example.

If needed, start by installing privoxy and apparmor-utils.

1. Generate a profile for privoxy using aa-genprof :

aa-genprof privoxy
Writing updated profile for /usr/sbin/privoxy.
 
Setting /usr/sbin/privoxy to complain mode.
 
Before you begin, you may wish to check if a
profile already exists for the application you
wish to confine. See the following wiki page for
more information:
 
http://wiki.apparmor.net/index.php/Profiles
 
Please start the application to be profiled in
another window and exercise its functionality now.
 
Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.
 
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
 
Profiling: /usr/sbin/privoxy
 
[(S)can system log for AppArmor events] / (F)inish

2. Open a second terminal and “exercise” privoxy – start and stop it, configure your browser to use privoxy and open a few web pages.

sudo service privoxy start
sudo service privoxy stop
sudo service privoxy restart

3. Return to the first terminal and “Scan” the logs. You will be given a series of choices for apparmor to allow or deny privoxy access to various capabilities and system files. Select an option using the keyboard, I bolded the keys I typed to work through the questions.

[(S)can system log for AppArmor events] / (F)inish
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:
Profile: /usr/sbin/privoxy
Capability: setgid
Severity: 9
 
[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish
Adding capability setgid to profile.
 
Profile: /usr/sbin/privoxy
Capability: setuid
Severity: 9
 
[(A)llow] / (D)eny / Audi(t) / Abo(r)t / (F)inish
Adding capability setuid to profile.
 
Profile: /usr/sbin/privoxy
Path: /etc/group
Mode: r
Severity: 4
 
1 – #include
[2 - /etc/group]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
 
Profile: /usr/sbin/privoxy
Path: /etc/group
Mode: r
Severity: 4
 
[1 - #include ]
2 – /etc/group
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding #include to profile.
 
Profile: /usr/sbin/privoxy
Path: /etc/privoxy/config
Mode: r
Severity: unknown
 
[1 - /etc/privoxy/config]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/privoxy/config r to profile.
 
Profile: /usr/sbin/privoxy
[1 - /etc/privoxy/default.action]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
 
Profile: /usr/sbin/privoxy
Path: /etc/privoxy/default.action
Mode: r
Severity: unknown
 
1 – /etc/privoxy/default.action
[2 - /etc/privoxy/*]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /etc/privoxy/* r to profile.
Deleted 1 previous matching profile entries.
 
Profile: /usr/sbin/privoxy
Path: /run/privoxy.pid
Mode: w
Severity: unknown
 
[1 - /run/privoxy.pid]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /run/privoxy.pid w to profile.
 
Profile: /usr/sbin/privoxy
Path: /var/log/privoxy/logfile
Mode: w
Severity: 8
 
[1 - /var/log/privoxy/logfile]
 
[(A)llow] / (D)eny / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/log/privoxy/logfile w to profile.
 
= Changed Local Profiles =
 
The following local profiles were changed. Would you like to save them?
 
[1 - /usr/sbin/privoxy]
 
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/privoxy.
 
Profiling: /usr/sbin/privoxy
 
[(S)can system log for AppArmor events] / (F)inish

4. Using any editor, review the profile, the one I generated looks like this:

# Last Modified: Tue Jul 26 21:39:52 2011
#include
/usr/sbin/privoxy {
#include <abstractions/base>
#include <abstractions/nameservice>
 
capability setgid,
capability setuid,
 
/etc/privoxy/* r,
/run/privoxy.pid w,
/var/log/privoxy/logfile w,
 
}

Note: You will have to allow rw access to file in /etc/privoxy/* if you wish to configure privoxy via the web interface.

5. Re-load the profile and set apparmor to enforce the profile.

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.privoxy
sudo aa-enforce privoxy
 
sudo service privoxy restart

6. Privoyx should start and be functioning normally. You can see apparmor is confining privoxy by reviewing aa-status (privoxy will be listed in the enforcing section).

sudo aa-status

Apparmor logs to /var/log/kern.log and /var/log/syslog

Posted in Linux | Tagged , | 8 Comments

Window manager smackdown

The challenge: Gnome 2 is dead, long live the king !!

The contestants: Gnome 3 (gnome shell), Gnome 3 fallback mode, Unity, KDE, XFCE, and fluxbox.

The battle field: Family of 6, the two youngest, 6 and 4, were not included (neither use the family box enough to have a preference).

The above DE/WM were taken for a test drive and each family member was allowed to try each of the DE/WM and after a few weeks each fell into a favorite work environment.

So What did they prefer, you might be surprised =)

bodhi.zazen – To my surprise I really like gnome shell. It was different at first, but I gave it a week and after a day or two it sort of grew on me. Have had a few issues with my nvidia card, so, if gnome shell is broken I fall back to Fluxbox.

Family matriarch – Gnome Fallback Mode. I was surprised she did not go with KDE.

First child – age 11 – Of all things Fluxbox . Who would have guessed ?

Second child – age 9 – Gnome shell The flashy menu was just too much for her, she could not resist, she took to gnome 3 like a natural.

First cat – Prefers to sleep on lap.

Second cat – Prefers to walk on keyboard.

Posted in Linux | Tagged | 2 Comments

SSH logs as a Honeypot

You can use your logs as a "poor mans" honey pot.

Review your logs and modify the following awk command to suit your needs. The exact syntax will vary depending on your authentication (passwords or keys) and server.

Debian:

awk 'gsub(".*sshd.*Invalid.*user", "") {print $1}' /var/log/auth.* | sort | uniq

Fedora:

awk 'gsub(".*sshd.*userauth.*user", "") {print $1}' /var/log/secure* | sort | uniq

If you are not familiar with awk, gsub is matching and substituting part of your log so that {print $1} is a user name. See an online awk guide for details.

A sample line from Debian log file is:

Jul 26 19:45:32 Debian sshd[18302]: Invalid user oracle from 211.137.134.74

A sample line from a Fedora log file is:

Jul 27 15:34:43 Fedora sshd[7546]: input_userauth_request: invalid user root

I cross-compiled a list of the users my ssh logs have seen over the last year or so ...

23-164-111-65
admin
alias
ant
anthony
bin
bureau
cote
david
db2inst1
fluffy
guest
httpd
jasmin
laura
nagios
office
oracle
pc
postgres
prueba
recruit
root
sales
samba
staff
teamspeak
test
ts
webmaster
wwwadmin

Now obviously some of these names are going to be unique, but, the list should give you an idea of what users to block. Add one of the options below to /etc/ssh/sshd_config and re-start (or reload) your (ssh) server.

Black list

Blacklist common user names used by "script kiddies"

DenyUsers admin guest http httpd nagios office oracle postgres root sales samba staff webmaster wwwadmin

White list

Of course an easier method is it use a white list. If you white list allowed users, users not on the list are by definition black listed (if a user is not on your white list they can not log in via ssh).

AllowUsers user_1 user_2

Just make sure none of the allowed user is on the above black list and be sure to monitor your logs ;)

Black list ip addresses

If you examine that awk command I used above, and you look at your logs, you can generate a list of ip addresses to black list if you desire. IMO this is not as helpful as it is rather trivial to change an ip address, and the list ip list becomes long ...

Alternates

Obviously you can use other tools to secure ssh such as ssh keys, TCPWrapper , denyhosts, and fail2ban.

Posted in Linux | Tagged , | 5 Comments