With any new system, do this
/etc/hosts.deny
ALL: ALL
That denies everything not explicitly allowed, so only the people you want in, or the services
you want offered, can actually get through.
Edit the hosts.allow file to let people in. I typically put my own IP in there, plus some services I like, such as ssh. The 129.237. line matches the KU network range, so nobody from anywhere else can use my stuff.
/etc/hosts.allow
ALL: 127.0.0.1
ALL: my.ip.number.here
sshd, sshdfwd-X11: localhost
sshd, sshdfwd-X11: 129.237.
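An added example (not from the page) that checks what the two files above actually let through, using the tcp_wrappers order of evaluation: hosts.allow first, then hosts.deny, otherwise permit. It covers only the pattern forms the page's entries use (ALL, exact IPv4 addresses, a trailing-dot prefix such as 129.237., and the name localhost, which is assumed to mean 127.0.0.1); the my.ip.number.here placeholder is replaced by a constructed 10.0.0.5.

```python
"""Tiny evaluator for hosts.allow / hosts.deny decisions (added example,
not libwrap itself; only the pattern forms used on the page are handled)."""

# Constructed copies of the page's two files; 10.0.0.5 stands in for "my IP".
HOSTS_ALLOW = """\
ALL: 127.0.0.1
ALL: 10.0.0.5
sshd, sshdfwd-X11: localhost
sshd, sshdfwd-X11: 129.237.
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Yield (daemon list, client pattern list); comments and blanks skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield ([d.strip() for d in daemons.split(",")],
               clients.replace(",", " ").split())

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern == "localhost":          # assumption: localhost is 127.0.0.1
        return ip == "127.0.0.1"
    if pattern.endswith("."):           # network prefix such as 129.237.
        return ip.startswith(pattern)
    return pattern == ip                # exact address

def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and \
        any(client_matches(p, ip) for p in clients)

def allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first match in hosts.allow wins, then hosts.deny, else permit."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny)):
        return False
    return True

if __name__ == "__main__":
    for svc, ip in [("sshd", "129.237.4.20"), ("sshd", "203.0.113.9"),
                    ("in.telnetd", "129.237.4.20"), ("in.ftpd", "10.0.0.5")]:
        print(f"{svc:11} from {ip:13} -> {'allow' if allowed(svc, ip) else 'deny'}")
```

Calling allowed("sshd", "203.0.113.9", deny="") returns True, which is the whole point of the ALL: ALL line: without it, anything not listed in hosts.allow is let in.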
Make sure the firewall is turned on. Newish
Red Hat/Fedora systems have a program, lokkit (/usr/sbin/lokkit), that's not too bad. See also
SambaThruFirewall.
Make sure telnet and finger services are not running, or remove them.
Turn off/remove the NFS server.
Turn off/remove anonymous ftp. In fact, turn off any ftp server.
Turn off (don't uninstall) sendmail service. You still need the sendmail program to send emails sometimes, but you don't need to run the service.
On this page:
http://fedoranews.org/contributors/richard_flude/ssh/ I found advice about securing the ssh server. For my systems, I use autorpm to be sure I'm up to date, and the configuration advice here seems good:
5. Set the following options in the /etc/ssh/sshd_config configuration file.
Protocol 2
Unless you require protocol 1, disable it. If you don't know whether you require it, you probably don't.
PermitRootLogin no
Over half of the intrusion attempts for SSH on my servers are lame password guesses for root, simply because they know the account exists. Better to login with your restricted account and use the sudo or su commands to elevate your permissions.
AllowUsers <theusername>
By default, login is allowed for all users. Unfortunately this will also apply to daemon accounts if incorrectly configured, and to the user who changed his password to 'hello'. Better to restrict access to trusted users like yourself.
For multiple usernames separate with spaces, or alternatively add the usernames to a group and use AllowGroups <thegroupname>.
There have been "brute force" attacks reported against ssh servers and many pages have appeared to suggest solutions. One solution is to be conservative in granting any access by carefully tailoring hosts.allow. If you can't do that, I'd suggest you consult some web pages about it:
Wolfgang Rupprecht made recommendations:
http://www.wsrcc.com/wolfgang/sshd-config.txt
The key there is to tighten up the /etc/ssh/sshd_config file to have (at least) these safeguards:
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 30
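An added example (not from the page or from OpenSSH) that audits an sshd_config text against the settings recommended in the two lists above. It models the sshd rule that the first occurrence of a keyword wins, and it stops reading at the first Match line, on the assumption that only the global section matters here. An absent keyword is reported as well, because the default sshd assumes for it depends on the release.

```python
"""Audit sshd_config against the page's recommendations (added example)."""

# Constructed sample: the weak values the text warns about, plus a commented-
# out line and a Match block that must not fool the parser.
SAMPLE_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# keyword -> acceptable values (the page allows either PermitRootLogin form)
WANTED = {
    "protocol": {"2"},
    "permitrootlogin": {"no", "without-password"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
}

def effective_settings(text):
    """Return {lowercase keyword: value} for the global section; first wins."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":              # per-user overrides start here; stop
            break
        found.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(text):
    """Return [(keyword, effective value)] for every setting that needs fixing.
    An absent keyword is reported too, since its default is release-dependent."""
    s = effective_settings(text)
    bad = [(k, s.get(k, "not set")) for k, ok in WANTED.items()
           if s.get(k, "not set").lower() not in ok]
    if "allowusers" not in s and "allowgroups" not in s:
        bad.append(("allowusers/allowgroups", "not set: every account may log in"))
    return bad

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG):
        print(f"fix {key}: currently '{value}'")
```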
There are separate programs that can be run to detect brute force attacks (repeated guessing of passwords). I've not tried them yet, but this one on freshmeat called "sshdfilter" seemed interesting to me. Go to
http://www.freshmeat.net and search for "ssh brute" and you'll find it right away.
On fedora-list, I saw more info on using iptables to tighten up ssh access. Rick Stevens posted this message:
http://www.redhat.com/archives/fedora-list/2007-August/msg01222.html
Excerpt:
I have iptables rules that only allow ssh tries from our networks or
machines I know of. To wit:
# Accept SSH from our networks...
-A INPUT -s aaa.bbb.ccc.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ddd.eee.fff.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
# Accept SSH from my machine at home...
-A INPUT -s ggg.hhh.iii.jjj/32 -p tcp -m tcp --dport 22 -j ACCEPT
(more rules...)
At the end, put in a blanket "don't allow SSH from anywhere else" rule:
# Block any ssh attempts from outside our network...
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
If you must leave ssh open to the outside world, use a simple iptables
ruleset to limit attempts:
# This rejects ssh attempts more than twice in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180 seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
If more than one ssh attempt is made in 180 seconds (three minutes)
from a given IP address, this blocks that IP address for that duration.
You get one try. If you fail, you must wait 3 minutes before you can
try again.
Note that even a successful login is counted. If you log in and
immediately log out, you still have to wait 3 minutes to get in again.
Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
yourself two tries to get in. You can also change the "--seconds 180"
to "--seconds 300" to make the delay 5 minutes. The values I give above
are enough to discourage most script kiddie attempts to get into your
box.
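An added example (not part of Rick Stevens' message) that simulates what the two "recent" rules above do, so the one-try-per-180-seconds behaviour, including the "a successful login still counts" caveat, can be checked without root or a firewall. Assumption: the --set rule records a timestamp for every SYN, and --rcheck then counts the recorded timestamps (the new one included) that fall inside --seconds.

```python
"""Simulation of '-m recent --set' followed by '--rcheck --seconds N
--hitcount M' (added example; not the iptables code itself)."""

class RecentList:
    """Models one '-m recent --name sshattack' table keyed by source address."""
    def __init__(self, seconds=180, hitcount=2):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = {}                   # source ip -> list of SYN timestamps

    def syn(self, ip, now):
        """Run the rules in order for one SYN from ip at time `now` (seconds).
        Returns the verdict of the final REJECT rule."""
        stamps = self.hits.setdefault(ip, [])
        stamps.append(now)                                    # --set
        recent = [t for t in stamps if now - t <= self.seconds]
        if len(recent) >= self.hitcount:                      # --rcheck
            return "REJECT"
        return "ACCEPT"

def simulate(events, seconds=180, hitcount=2):
    """events: time-ordered list of (seconds, ip); returns one verdict each."""
    table = RecentList(seconds, hitcount)
    return [table.syn(ip, t) for t, ip in events]

if __name__ == "__main__":
    # Constructed timeline: the quick second try from 198.51.100.7 is rejected
    # even though the first connection was fine; a rejected SYN is recorded too,
    # so the address is clean only after 180 s of silence.
    timeline = [(0, "198.51.100.7"), (5, "198.51.100.7"),
                (10, "203.0.113.4"), (190, "198.51.100.7")]
    for (t, ip), verdict in zip(timeline, simulate(timeline)):
        print(f"t={t:4}s {ip:13} {verdict}")
```

Passing hitcount=3 reproduces the "two tries" variant described above.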
Another person points out an RPM that helps with this:
$ yum install denyhosts
--
PaulJohnson - 11 Aug 2007