[clug] Linux Security
kim.holburn at gmail.com
Wed Jun 11 13:31:12 GMT 2008
Very good advice, just an additional suggestion.
Better to only allow public-key authentication on ssh.
Also better to only allow a non-root sudo capable account in via ssh
rather than root, hmmm maybe Daniel said that already but it wasn't
completely clear to me.
The port forward is only activated when an incoming connection is
initiated on that port. It doesn't (or shouldn't) affect any other
connections, i.e. it won't affect outgoing connections on any port.
On 2008/Jun/11, at 2:26 PM, Daniel Pittman wrote:
> Ian Bardsley <ifb777 at tpg.com.au> writes:
>> The current topic "My Windows Box got rooted" has prompted me to
>> consider the potential risks associated with a project I am currently
>> researching. Naturally, I call upon the collective wisdom of these
>> hallowed pages for advice, guidance and comment.
>> The scenario:
>> I have recently given my grand children who live in the Wagga area a
>> PC of their own. This PC is a linux only box (cos I didn't have a
>> copy of windows to give them and I figure exposing them to
>> alternatives is a healthy approach). It sits as part of a small home
>> network sharing with Windows XP and a Printer connected to the
>> Windows box. All this works well and both file and printer sharing
>> are working.
>> As I'm sure that at some point they are going to break something with
>> this system, I have been researching how to set this box up to allow
>> SSH over the internet through which I plan to tunnel VNC (I hope) in
>> the hope that I may be able to fix up damage if it occurs without
>> driving to Wagga.
>> My research has revealed that for all this to happen, Port 22 needs
>> Port Forwarding enabled. Fine...I now know how to set this up within
>> their router but the process is not a simple one and ideally should be
>> left open for the Wagga family's sake (not strong on the finer
>> of computing at this stage). So now I am thinking how do I make this
>> system as secure as possible.
> I suggest four things:
> 1. Forward a port other than 22, on the basis that obscurity can't
> your case. Don't count on this to provide *any* security though.
> 2. Edit /etc/ssh/sshd_config to allow *only* your one "admin" user to
> log in remotely. *Don't* give that password to the family.
> That helps make it quite unlikely that they will be able to make it
> weak, and allows you to keep the system reasonably secure against
> password guessing.
> 3. Install something like fail2ban(.sf.net) that will watch for failed
> password guesses and blacklist the source automatically. This will
> help defeat brute force attacks.
>> Will a software firewall close the gap?
> 4. Yes, since you should deploy it in a "block anything outside the
> local network" mode on the Linux box, with the one exception for the
> SSH service.
>> What happens if they manage to break the system to the point where it
>> may be impossible to operate a software firewall and a host of other
>> points that I haven't thought through yet.
> Unless you want to set up a scripted install, not much, I fear.
>> So any comments, advice, guidance would be most welcome as I am on a
>> fairly steep learning curve with this.
> The biggest part of my advice is defence in *depth* -- even if they
> out how to open up ports on the router they are still protected by the
> If they set weak passwords on user accounts the ssh login restrictions
> mean that user account can't be accessed anyhow.
> This all helps add to the security, by preventing them shooting
> themselves in the foot, without incurring *too* much trouble for you.
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
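
An added example, not part of the original messages: a small shell audit that checks an sshd_config for the settings recommended in this thread (exactly one non-root AllowUsers account, no direct root login, key-only authentication). The function name, the account name `admin` and both sample configs are constructed for illustration, and settings inside Match blocks are not evaluated.

```shell
#!/bin/sh
# Audit the global section of an sshd_config (read on stdin) against the
# thread's advice. Prints one line per finding; returns 1 if there are any.
# Assumes keyword and value are separated by whitespace, not "=".
audit_sshd_config() {
    awk '
    function flag(msg) { print "FINDING: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { key = tolower($1) }                   # keywords are case-insensitive
    key == "match" { exit }                 # Match blocks are not audited
    key == "allowusers" {                   # collect names from every line
        for (i = 2; i <= NF; i++) users[++n] = $i
        next
    }
    !(key in first) { first[key] = tolower($2) }   # sshd keeps the first value
    END {
        if (first["passwordauthentication"] != "no")
            flag("PasswordAuthentication is not set to no")
        kbd = first["kbdinteractiveauthentication"]
        if (kbd == "") kbd = first["challengeresponseauthentication"]  # older name
        if (kbd != "no")
            flag("keyboard-interactive (PAM password prompts) is not set to no")
        if (first["permitrootlogin"] != "no")
            flag("PermitRootLogin is not set to no")
        if (n != 1)
            flag("AllowUsers should name exactly one account, found " (n + 0))
        else if (users[1] ~ /^root(@|$)/)
            flag("AllowUsers names root")
        exit bad + 0
    }'
}

# Constructed sample configs; the account name "admin" is hypothetical.
weak_sample() {
    cat <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
}
hardened_sample() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers admin
EOF
}
weak_sample | audit_sshd_config || echo "weak sample: findings above"
hardened_sample | audit_sshd_config && echo "hardened sample: no findings"
```

On a real host, run it as `audit_sshd_config < /etc/ssh/sshd_config`; `sshd -T` prints the effective settings when the file alone does not tell the whole story.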