[clug] Linux Security

David Tulloh david at tulloh.id.au
Wed Jun 11 13:34:44 GMT 2008


Ian Bardsley wrote:
> As I'm sure that at some point they are going to break something with 
> this system, I have been researching how to set this box up to allow 
> SSH over the internet through which I plan to tunnel VNC (I hope) in 
> the hope that I may be able to fix up damage if it occurs without 
> driving to Wagga.
>
> My research has revealed that for all this to happen, Port 22 needs 
> Port Forwarding enabled.  Fine...I now know how to set this up within 
> their router but the process is not a simple one and ideally should be 
> left open for the Wagga family's sake (not strong on the finer points 
> of computing at this stage).  So now I am thinking how do I make this 
> system as secure as possible.  Will a software firewall close the 
> gap?  What happens if they manage to break the system to the point 
> where it may be impossible to operate a software firewall  and a host 
> of other points that I haven't thought through yet.
>
> So any comments, advice, guidance would be most welcome as I am on a 
> fairly steep learning curve with this.
>
I tend to look at online security as setting up walls.  You never really 
have any guarantee but so long as you have a few more walls than the guy 
next to you they aren't going to bother.

For starters I'd second Daniel's suggestion on moving ssh off port 22.  
My understanding is that most of the ssh scans just look for default 
ports so you can side step a lot of attacks this way.

Don't allow root logins via ssh.  A lot of the attacks target root 
because it's a common user name across all systems and it skips the 
whole privilege escalation mess.  I'm actually a big fan of removing the 
password to root and always using sudo, but that's not really on topic.

If the router allows it, set up filtering to only allow connections to 
ssh from your computer.  If you have a fixed IP you can just use that, 
if you don't have a fixed IP just use your ISP's whole block.  Doing 
this narrows the field of the attackers considerably.

I also liked Daniel's suggestion to create a dedicated admin user and 
only allow that user ssh login access.  Doing this also means that if 
they cripple the box they aren't likely to cripple your admin user so 
you can go in and fix stuff.

I've recently become a fan of public key authentication where you sign 
in using pgp keys rather than passwords.  I would advise setting this up 
and then disabling password access to ssh entirely (config: 
PasswordAuthentication no, RSAAuthentication no).  You can also restrict 
the key to only allow access from certain IP addresses in case you can't 
filter at the firewall or just like doing things twice.

It's a good idea to set up automated security updates in case of 
something like the recent ssh vulnerability debacle.  It would also help 
close off Firefox vulnerabilities and the like.


There's a lot you can do, it just becomes a question of what's 
worthwhile.  You are most likely safe with the stock configuration of 
simply forwarding ssh through.  I would consider the above list as 
ranked roughly in order, I only do the first two on my home network.  
There's a lot of options out there, port knocking is kinda cool and the 
automated blocking Daniel mentioned looks handy but I haven't used them 
before, I'm sure someone could tell you exactly how to set them up if 
you wanted though. 


David
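
The sshd-side items in the checklist above (non-default port, no root login, one permitted admin user, no password logins) can be checked mechanically. The following is an added example, not part of David's message; the sample configs, port 2222 and the account name siteadmin are constructed, and a missing directive is treated as unmet rather than relying on version defaults.

```python
# Added example: audit an sshd_config against the checklist in the message above.
# The sample configs, port 2222 and the account "siteadmin" are constructed.

def parse_global(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *values = line.split()
        if key.lower() == "match":
            break  # Match blocks are conditional overrides; not audited here
        # Keywords are case-insensitive; repeated lines are kept in file order.
        settings.setdefault(key.lower(), []).extend(values)
    return settings

def audit(text):
    """List the checklist items this config does not meet (empty = all met)."""
    s = parse_global(text)
    # sshd uses the first value it sees for a keyword. A missing directive is
    # treated as unmet (assumption) rather than trusting version defaults.
    def first(key):
        return (s.get(key) or ["<unset>"])[0].lower()
    findings = []
    if "22" in (s.get("port") or ["22"]):
        findings.append("sshd still listens on the default port 22")
    if first("permitrootlogin") != "no":
        findings.append("root login over ssh is not disabled")
    if not s.get("allowusers"):
        findings.append("no AllowUsers line limiting login to the admin user")
    if first("passwordauthentication") != "no":
        findings.append("password authentication is still enabled")
    return findings

STOCK = "# constructed sample\nPort 22\nPermitRootLogin yes\n"
HARDENED = """\
# constructed sample
Port 2222
PermitRootLogin no
AllowUsers siteadmin
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "all checklist items met")
```
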

