Old 08-31-2004, 04:15 PM   #1
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
How secure are your servers? Check this out...

We have installed a new verification system on our gateway server (the sole point of entry on our network).

Check this out:

Each person who needs access is given a pager-like device. This device displays a 6-digit random sequence that changes EVERY 10 SECONDS.

When you login to the server, through SSH or SCP, you are prompted for your name as usual. Then instead of password, you get:

PASSCODE:

which is a 4 digit PIN you choose + the 6 digits you see on the pager-thing.

Then it asks you to wait until the numbers change (so max 10 seconds) and enter that sequence.

If all is good, you get in. If not, you're stuck outside.

This is awesome to me, as even if someone broke your code and the sequence (which is already next-to-impossible), they would then only have 10 seconds to get the next sequence.

How secure are you ??
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:16 PM   #2
JSA Matt
So Fucking Banned
 
Join Date: Aug 2003
Location: San Diego, CA
Posts: 5,464
what are you hiding?
Old 08-31-2004, 04:17 PM   #3
piker
Confirmed User
 
Join Date: Feb 2004
Posts: 597
Yes, but does that secure you from a pissed off employee? or someone he doesn't enter that way?
__________________
IcooCash - DVD Content for your TGP
Cheap FreeBSD Virtual Hosting
ICQ me at 605104 for Custom PHP/MySQL Programming
Old 08-31-2004, 04:19 PM   #4
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by JSA Matt
what are you hiding?
The real addresses and names of everyone GFY hehe
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:20 PM   #5
liquidmoe
Confirmed User
 
Join Date: Mar 2002
Location: NY
Posts: 4,994
That prevents people from entering by guessing common passwords or otherwise discovering a password since the passes would change every 10 seconds. However, most servers are broken into through improperly configured system daemons or taking advantage of holes in software or the OS itself. Which doesn't have anything to do with knowing or entering the password, so for those kind of break-ins that system you implemented doesn't do anything to protect your servers.
__________________

Take Luck!
Old 08-31-2004, 04:20 PM   #6
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by piker
Yes, but does that secure you from a pissed off employee? or someone he doesn't enter that way?
Employees don't have access to our real network. Only a demo network.

Only myself, our SysAdmin and our CTO have access (and a pager-thingy).

Aside from that....how else do you expect them to be able to enter by ??
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:21 PM   #7
exposed
Confirmed User
 
Join Date: Aug 2004
Location: unknown
Posts: 1,449
Quote:
Originally posted by Varius
We have installed a new verification system on our gateway server (the sole point of entry on our network).

Check this out:

Each person who needs access is given a pager-like device. This device displays a 6-digit random sequence that changes EVERY 10 SECONDS.

When you login to the server, through SSH or SCP, you are prompted for your name as usual. Then instead of password, you get:

PASSCODE:

which is a 4 digit PIN you choose + the 6 digits you see on the pager-thing.

Then it asks you to wait until the numbers change (so max 10 seconds) and enter that sequence.

If all is good, you get in. If not, you're stuck outside.

This is awesome to me, as even if someone broke your code and the sequence (which is already next-to-impossible), they would then only have 10 seconds to get the next sequence.

How secure are you ??

It's called a secureID smart guy
__________________
"I felt victimized by the Ian Eisenbergs of the world" - Mary Burger
Old 08-31-2004, 04:22 PM   #8
toddler
Confirmed User
 
Join Date: Jun 2002
Location: austin, tx
Posts: 1,911
It's called a SecureID. I've been using one for 8 years now. Course, mine is an 8 char alpha passcode + 6 digit rotating PIN that changes every 60 seconds.


VERY handy...course, you all should be using ssh anyway, or scp at the least. ssh+secureID is teh shit.
Old 08-31-2004, 04:22 PM   #9
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by liquidmoe
That prevents people from entering by guessing common passwords or otherwise discovering a password since the passes would change every 10 seconds. However, most servers are broken into through improperly configured system daemons or taking advantage of holes in software or the OS itself. Which doesn't have anything to do with knowing or entering the password, so for those kind of break-ins that system you implemented doesn't do anything to protect your servers.
Well, first we run FreeBSD which is less exploited than Windows/Linux to my knowledge.

Second, none of our servers have external IP addresses, so they cannot be reached. He would have to exploit our BigIP F5s, which is quite difficult to do.
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:22 PM   #10
sirrobin
Confirmed User
 
Join Date: Jun 2003
Posts: 453
my bank uses this for online banking - very cool system until you lose the fucking device and have to wait a month to get a new one.
Old 08-31-2004, 04:23 PM   #11
AlienQ - BANNED FOR LIFE
best designer on GFY
 
 
Join Date: Mar 2003
Location: IALIEN.COM - High Definition Video and Photographic Productions -ICQ 78943384
Posts: 30,307
That's pretty fucken solid.
Old 08-31-2004, 04:24 PM   #12
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by exposed
It's called a secureID smart guy
Ours is actually a "SecurID", one less 'e'

However yes, you are right. It's still a nice system though
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:25 PM   #13
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by toddler
It's called a SecureID. I've been using one for 8 years now. Course, mine is an 8 char alpha passcode + 6 digit rotating PIN that changes every 60 seconds.


VERY handy...course, you all should be using ssh anyway, or scp at the least. ssh+secureID is teh shit.
Wow 8 years? We only became aware of it about 2 years ago, but didn't bother until now...
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:28 PM   #14
toddler
Confirmed User
 
Join Date: Jun 2002
Location: austin, tx
Posts: 1,911
Quote:
Originally posted by Varius
Wow 8 years? We only became aware of it about 2 years ago, but didn't bother until now...
It's a matter of how much of a target you are. At one point we had 12,000 remote users.
Old 08-31-2004, 04:29 PM   #15
wdsguy
Ryde or Die
 
Industry Role:
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568
how much is this thing costing u?
Old 08-31-2004, 04:33 PM   #16
Shoehorn!
Die With Your Boots On
 
 
Join Date: Oct 2003
Location: Hawaii
Posts: 22,872
Quote:
Originally posted by Varius
We have installed a new verification system on our gateway server (the sole point of entry on our network).

Check this out:

Each person who needs access is given a pager-like device. This device displays a 6-digit random sequence that changes EVERY 10 SECONDS.

When you login to the server, through SSH or SCP, you are prompted for your name as usual. Then instead of password, you get:

PASSCODE:

which is a 4 digit PIN you choose + the 6 digits you see on the pager-thing.

Then it asks you to wait until the numbers change (so max 10 seconds) and enter that sequence.

If all is good, you get in. If not, you're stuck outside.

This is awesome to me, as even if someone broke your code and the sequence (which is already next-to-impossible), they would then only have 10 seconds to get the next sequence.

How secure are you ??
That's pretty fucking cool. People who bank through Swedish banks get a similar thing, it looks like a little calculator and it generates a code to enter when they log onto their account through internet banking.
__________________
Old 08-31-2004, 04:35 PM   #17
garett
Confirmed User
 
Join Date: Mar 2004
Posts: 683
Quote:
Originally posted by Varius
Employees don't have access to our real network. Only a demo network.

Only myself, our SysAdmin and our CTO have access (and a pager-thingy).

Aside from that....how else do you expect them to be able to enter by ??
Is this network located in the same office as your employees ?

If there's no physical security there's no security. If I wanted to 'hack' into a server all I would need is a screwdriver and a key to the building. Just keep that in mind.
__________________
Old 08-31-2004, 04:36 PM   #18
ytcracker
stc is the greatest
 
 
Join Date: Dec 2002
Location: rip sean murray
Posts: 12,403
securid is old school

i even rap about it in some old songs

my dad used to have to use it to log on to lockheed's ip network
__________________
www.ytcracker.com | www.digitalgangster.com
i love you
Old 08-31-2004, 04:38 PM   #19
Volantt
Confirmed User
 
Join Date: Nov 2003
Location: Penguin vs Devil
Posts: 745
Overkill

Hackers = holes, exploits, and poor configurations.
__________________
"Only the dead have seen the end of war." - Plato
"In the absence of orders, go find something and kill it." - Erwin Rommel
"A man's worth is no greater than the worth of his ambitions." - Marcus Aurelius
Old 08-31-2004, 04:39 PM   #20
garett
Confirmed User
 
Join Date: Mar 2004
Posts: 683
Quote:
Originally posted by Varius
Well, first we run FreeBSD which is less exploited than Windows/Linux to my knowledge.

Second, none of our servers have external IP addresses, so they cannot be reached. He would have to exploit our BigIP F5s, which is quite difficult to do.
Well see above .. if the employees have physical access then your security is dead. You have none. Even if it's on a local network.

As for FreeBSD .. I wouldn't count on your OS choice for protection. Especially because FreeBSD and Linux run mostly the same software. For example, if you're using Apache then apache is apache .. it doesn't matter what operating system you're using.

It mostly comes down to two things.. 1) how the machine was configured and 2) are there any exploitable bugs in the code for any of the software that you're running.

The only exception to the above is OpenBSD. It has a reputation for security because every single piece of software in the default install is audited to try and weed out exploitable bugs .. and the guys behind it know their shit when it comes to security so the default install is automatically configured to be lock-tight. However, if you install 3rd party software then that paradigm goes down the drain.
__________________

Last edited by garett; 08-31-2004 at 04:40 PM..
Old 08-31-2004, 04:39 PM   #21
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by garett
Is this network located in the same office as your employees ?

If there's no physical security there's no security. If I wanted to 'hack' into a server all I would need is a screwdriver and a key to the building. Just keep that in mind.
We're also a hosting company, so servers are in their own cage up in Montreal datacenter (Peer1). All our devel team is here in Costa Rica though
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:40 PM   #22
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by wdsguy
how much is this thing costing u?
Not sure, check out RSA's site...I don't pay the bills here =)
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:42 PM   #23
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by garett
Well see above .. if the employees have physical access then your security is dead. You have none. Even if it's on a local network.

As for FreeBSD .. I wouldn't count on your OS choice for protection. Especially because FreeBSD and Linux run mostly the same software. For example, if you're using Apache then apache is apache .. it doesn't matter what operating system you're using.

It mostly comes down to two things.. 1) how the machine was configured and 2) are there any exploitable bugs in the code for any of the software that you're running.

The only exception to the above is OpenBSD. It has a reputation for security because every single piece of software in the default install is audited to try and weed out exploitable bugs .. and the guys behind it know their shit when it comes to security so the default install is automatically configured to be lock-tight. However, if you install 3rd party software then that paradigm goes down the drain.
They still have to get through to the webservers (to attack something like Apache)...which means they must break through the load-balancer (F5) first.
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:43 PM   #24
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by ytcracker
securid is old school

i even rap about it in some old songs

my dad used to have to use it to log on to lockheed's ip network
How much longer before I can see a rap about IwantU ?
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:44 PM   #25
Crypt
Confirmed User
 
Join Date: Apr 2004
Posts: 2,225
Quote:
Originally posted by Varius
We're also a hosting company, so servers are in their own cage up in Montreal datacenter (Peer1). All our devel team is here in Costa Rica though
I saw your cage when i made a visit to peer1 office ;) how the fuck someone can work in a little place like this? the cage is totally full ;) you hired a midget?

lol
Old 08-31-2004, 04:48 PM   #26
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by Crypt
I saw your cage when i made a visit to peer1 office ;) how the fuck someone can work in a little place like this? the cage is totally full ;) you hired a midget?

lol
hehe yeah they had to get a bigger cage and merge two cages into one for us.

We got our man Jeff to fit in there though.....we only feed him once a week
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 04:50 PM   #27
Fukeneh
Confirmed User
 
Industry Role:
Join Date: Mar 2004
Location: Location: Location:
Posts: 1,245
yes there are indeed ways around that.

and it's not new. that is basically the same method AOL has been using for their Internal employees and everyone else on their lan for many years now. there are a number of other businesses using PIN based logins that are calculated on pager like devices.
Old 08-31-2004, 04:51 PM   #28
Crypt
Confirmed User
 
Join Date: Apr 2004
Posts: 2,225
Quote:
Originally posted by Varius
hehe yeah they had to get a bigger cage and merge two cages into one for us.

We got our man Jeff to fit in there though.....we only feed him once a week
haha
Old 08-31-2004, 04:52 PM   #29
bringer
i have man boobies
 
 
Join Date: Jul 2003
Location: van down by the river
Posts: 13,082
who cares? if i beat the 4digit code out of you and steal your pager, i'm in
but why does burgerking really need all that security anyways?
__________________
333-765-551
Old 08-31-2004, 04:53 PM   #30
garett
Confirmed User
 
Join Date: Mar 2004
Posts: 683
Quote:
Originally posted by Varius
They still have to get through to the webservers (to attack something like Apache)...which means they must break through the load-balancer (F5) first.
Huh? Why ?

Let's say you've got 5 web servers behind one load balancer... and they're all running the same version of apache, configured the same way (that's a safe assumption in most cases) and I happen to know of an exploit that just might work on that version of apache.

I run my exploit, it goes through your load balancer, to one of the 5 webservers, exploits the bug and
bam I have a shell running as the httpd user (or whatever user apache is running as) on that webserver.

Sure I've only cracked one of the 5 servers .. but who cares ? Now I poke around and see that the dumbass sysadmin that installed this box left an exploitable version of sendmail running even though it's not being used (it happens quite often) .. I exploit it and I have root.

Now I own your webserver. Sure if I log out I lose the exploited one .. but I can still grab sensitive information while I'm there .. and I can always re-run the exploit later on and get another server. The load balancer is not an issue here at all.. it passes everything through port 80 to one of the 5 servers .. it doesn't care what's being passed through.

Unless I'm missing something.
__________________
Old 08-31-2004, 04:54 PM   #31
picpile
Confirmed User
 
Join Date: Nov 2001
Location: Las Vegas, Nevada
Posts: 734
Quote:
Originally posted by garett
Huh? Why ?

Let's say you've got 5 web servers behind one load balancer... and they're all running the same version of apache, configured the same way (that's a safe assumption in most cases) and I happen to know of an exploit that just might work on that version of apache.

I run my exploit, it goes through your load balancer, to one of the 5 webservers, exploits the bug and
bam I have a shell running as the httpd user (or whatever user apache is running as) on that webserver.

Sure I've only cracked one of the 5 servers .. but who cares ? Now I poke around and see that the dumbass sysadmin that installed this box left an exploitable version of sendmail running even though it's not being used (it happens quite often) .. I exploit it and I have root.

Now I own your webserver. Sure if I log out I lose the exploited one .. but I can still grab sensitive information while I'm there .. and I can always re-run the exploit later on and get another server. The load balancer is not an issue here at all.. it passes everything through port 80 to one of the 5 servers .. it doesn't care what's being passed through.

Unless I'm missing something.
good post, people don't hack servers by cracking passwords, that's so 1990
__________________
Old 08-31-2004, 04:55 PM   #32
JohnnyUtah
Confirmed User
 
Join Date: Oct 2002
Posts: 826
Yep, this key thing is good if you're a newbie and wanna get root access to a box. Trust me...no real Ha0ker will ever use the normal port 22 to get in.

The real deal is a tcp wrapper who only allows your own ip in or only allows physical onsite access to the server. Close all fucking useless ports. That's way more secure than any other rotating beeper crap....

my 2 cents

Last edited by JohnnyUtah; 08-31-2004 at 04:57 PM..
Old 08-31-2004, 04:56 PM   #33
Fukeneh
Confirmed User
 
Industry Role:
Join Date: Mar 2004
Location: Location: Location:
Posts: 1,245
basically no network is bulletproof from breakins. if there is a will there IS a way.

SID's are bullshit. not really a big help as there are many ways around it. it's kind of like when MS or someone released the new keyboards with fingerprint identification, within the day at the same convention someone showed a very easy way to exploit it.... dust, tape, and a clean drinking glass.
Old 08-31-2004, 04:58 PM   #34
sumphatpimp
Confirmed User
 
Join Date: Aug 2002
Posts: 5,235
pagers listen to a radio signal and so can anyone else
Old 08-31-2004, 05:00 PM   #35
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by garett
Huh? Why ?

Let's say you've got 5 web servers behind one load balancer... and they're all running the same version of apache, configured the same way (that's a safe assumption in most cases) and I happen to know of an exploit that just might work on that version of apache.

I run my exploit, it goes through your load balancer, to one of the 5 webservers, exploits the bug and
bam I have a shell running as the httpd user (or whatever user apache is running as) on that webserver.

Sure I've only cracked one of the 5 servers .. but who cares ? Now I poke around and see that the dumbass sysadmin that installed this box left an exploitable version of sendmail running even though it's not being used (it happens quite often) .. I exploit it and I have root.

Now I own your webserver. Sure if I log out I lose the exploited one .. but I can still grab sensitive information while I'm there .. and I can always re-run the exploit later on and get another server. The load balancer is not an issue here at all.. it passes everything through port 80 to one of the 5 servers .. it doesn't care what's being passed through.

Unless I'm missing something.
Hrmm good point. I'm not familiar with any exploits and such as I haven't done any network administration for years.....I leave that up to our SysAdmin now.

The only system I still work with is our NetApps.

Maybe I should stop replying now since you guys know more about the security/exploits stuff than I
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 05:02 PM   #36
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by bringer
who cares? if i beat the 4digit code out of you and steal your pager, i'm in
but why does burgerking really need all that security anyways?
People get stabbed and shot all the time in Burger King in Montreal
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 05:04 PM   #37
toddler
Confirmed User
 
Join Date: Jun 2002
Location: austin, tx
Posts: 1,911
Quote:
Originally posted by sumphatpimp
pagers listen to a radio signal and so can anyone else
it's not a pager
Old 08-31-2004, 05:06 PM   #38
toddler
Confirmed User
 
Join Date: Jun 2002
Location: austin, tx
Posts: 1,911
Quote:
Originally posted by Fukeneh
basically no network is bulletproof from breakins. if there is a will there IS a way.

SID's are bullshit. not really a big help as there are many ways around it. it's kind of like when MS or someone released the new keyboards with fingerprint identification, within the day at the same convention someone showed a very easy way to exploit it.... dust, tape, and a clean drinking glass.
so, if you have 1 port open on 1 box with ssh listening and tcpwrappers locking sshd down to 1 IP to login, SID is worthless? Uh huh.
Old 08-31-2004, 05:06 PM   #39
rounders
Confirmed User
 
Join Date: Sep 2003
Location: p0rn0stars & h0es
Posts: 2,931
it's called a keyfob
__________________
ICQ#: 153923840
Old 08-31-2004, 05:07 PM   #40
ytcracker
stc is the greatest
 
 
Join Date: Dec 2002
Location: rip sean murray
Posts: 12,403
Quote:
Originally posted by Varius
How much longer before I can see a rap about IwantU ?
hahahhaa no idea
__________________
www.ytcracker.com | www.digitalgangster.com
i love you
Old 08-31-2004, 05:11 PM   #41
adultentertainment
Confirmed User
 
Join Date: Dec 2003
Location: canada
Posts: 170
i'm secure in who i am.
__________________
love da biz
Old 08-31-2004, 05:12 PM   #42
Varius
Confirmed User
 
Industry Role:
Join Date: Jun 2004
Location: New York, NY
Posts: 6,890
Quote:
Originally posted by ytcracker
hahahhaa no idea
I'll make you profile of the week

You'll get mad honeys that way hehe
__________________
Skype variuscr - Email varius AT gmail
Old 08-31-2004, 05:14 PM   #43
sumphatpimp
Confirmed User
 
Join Date: Aug 2002
Posts: 5,235
I got to wonder, how often do the "pager like device" and the system you are protecting have to be "synced" so that they are using the same numbers?
Old 08-31-2004, 05:22 PM   #44
toddler
Confirmed User
 
Join Date: Jun 2002
Location: austin, tx
Posts: 1,911
Quote:
Originally posted by sumphatpimp
I got to wonder, how often do the "pager like device" and the system you are protecting have to be "synced" so that they are using the same numbers?
i've had the same fob for 4 years now, haven't had to resync.

Note that you can set it up such that if you fat finger the pass code a certain number of times, it gets locked. Ours is set to 3...
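Added example, not part of the thread and not RSA's code: a server-side check for the PIN-plus-rotating-code login discussed above, showing one way a server can absorb token clock drift without a manual resync, reject a replayed code, and apply the three-failure lockout toddler mentions. The thread does not give the token's algorithm, so RFC 6238 TOTP stands in for it; the seed, PIN, `TokenAccount`, `token_code` and the one-step drift window are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP = 60          # seconds per code (toddler's token; Varius describes 10)
DIGITS = 6         # digits shown on the token
DRIFT_STEPS = 1    # assumption: accept a token clock up to one step off
MAX_FAILURES = 3   # lockout threshold toddler mentions
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample seed


def token_code(seed: bytes, step: int) -> str:
    """Stand-in code generator: RFC 6238 TOTP (HMAC-SHA1), not RSA's algorithm."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenAccount:
    """Server-side record for one user: PIN, shared seed and lockout state."""

    def __init__(self, pin: str, seed: bytes):
        self.pin = pin
        self.seed = seed
        self.failures = 0
        self.locked = False
        self.last_step = -1   # newest time step already used (replay guard)
        self.drift = 0        # learned token clock offset, in steps

    def verify(self, passcode: str, now: float) -> str:
        """Check PIN + token code; returns 'ok', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        expected_step = int(now // STEP) + self.drift
        matched = None
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            step = expected_step + delta
            same = hmac.compare_digest(
                token_code(self.seed, step).encode(), code.encode())
            # A code is only usable once: its step must be newer than the last one.
            if same and step > self.last_step and matched is None:
                matched = (step, delta)
        if not pin_ok or matched is None:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True   # stays locked until an admin resets it
            return "denied"
        self.last_step, delta = matched
        self.drift += delta          # follow the token's clock instead of resyncing
        self.failures = 0
        return "ok"


def demo() -> list:
    """Run the constructed scenarios and return the verifier's answers."""
    now = 1_700_000_000.0                       # constructed login time
    step = int(now // STEP)
    good = "4821" + token_code(SEED, step)      # constructed PIN + current code
    results = []

    acct = TokenAccount("4821", SEED)
    results.append(acct.verify(good, now))      # fresh code
    results.append(acct.verify(good, now))      # same code replayed

    fast = TokenAccount("4821", SEED)           # token clock runs one step fast
    results.append(fast.verify("4821" + token_code(SEED, step + 1), now))
    results.append(fast.drift)

    guess = TokenAccount("4821", SEED)          # right code, wrong PIN, three times
    for _ in range(MAX_FAILURES):
        results.append(guess.verify("0000" + token_code(SEED, step), now))
    results.append(guess.verify(good, now))     # correct passcode, but locked
    return results


if __name__ == "__main__":
    print(demo())
```

A captured passcode is useless once its time step has been accepted, and a wrong PIN counts toward the lockout even when the token code itself is valid.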
Old 08-31-2004, 05:26 PM   #45
sumphatpimp
Confirmed User
 
Join Date: Aug 2002
Posts: 5,235
I figured it would have batteries or something
thus a need for a resync
Old 08-31-2004, 05:29 PM   #46
fris
Too lazy to set a custom title
 
 
Industry Role:
Join Date: Aug 2002
Posts: 55,372
Quote:
Originally posted by Varius
Well, first we run FreeBSD which is less exploited than Windows/Linux to my knowledge.

Second, none of our servers have external IP addresses, so they cannot be reached. He would have to exploit our BigIP F5s, which is quite difficult to do.
our company does paysite risk assessment, security audits, we have secured a bunch of people on gfy, because most of the servers aren't secure. affils getting hacked, downtime. etc.

it's just lazy admins not doing their job right. even if you have a managed server, sometimes they don't know what they are doing.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff