[clug] Linux Security
David Tulloh
david at tulloh.id.au
Wed Jun 11 13:34:44 GMT 2008
Ian Bardsley wrote:
> As I'm sure that at some point they are going to break something with
> this system, I have been researching how to set this box up to allow
> SSH over the internet through which I plan to tunnel VNC (I hope) in
> the hope that I may be able to fix up damage if it occurs without
> driving to Wagga.
>
> My research has revealed that for all this to happen, Port 22 needs
> Port Forwarding enabled. Fine...I now know how to set this up within
> their router but the process is not a simple one and ideally should be
> left open for the Wagga family's sake ( not strong on the finer points
> of computing at this stage). So now I am thinking how do I make this
> system as secure as possible. Will a software firewall close the
> gap? What happens if they manage to break the system to the point
> where it may be impossible to operate a software firewall and a host
> of other points that I haven't thought through yet.
>
> So any comments, advise, guidance would be most welcome as I am on a
> fairly steep learning curve with this.
>
I tend to look at online security as setting up walls. You never really
have any guarantee but so long as you have a few more walls than the guy
next to you they aren't going to bother.
For starters I'd second Daniel's suggestion on moving ssh off port 22.
My understanding is that most of the ssh scans just look for default
ports so you can side step a lot of attacks this way.
Don't allow root logins via ssh. A lot of the attacks target root
because it's a common user name across all systems and it's skips the
whole privilege escalation mess. I'm actually a big fan of removing the
password to root and always using sudo, but that's not really on topic.
If the router allows it, set up filtering to only allow connections to
ssh from your computer. If you have a fixed IP you can just use that,
if you don't have a fixed IP just use your ISP's whole block. Doing
this narrows the field of the attackers considerably.
I also liked Daniel's suggestion to create a dedicated admin user and
only allowing that user ssh login access. Doing this also means that if
they cripple the box they aren't likely to cripple your admin user so
you can go in and fix stuff.
I've recently become a fan of public key authentication where you sign
in using pgp keys rather than passwords. I would advise setting this up
and then disabling password access to ssh entirely (config:
PasswordAuthentication no, RSAAuthentication no). You can also restrict
the key to only allow access from certain IP addresses in case you can't
filter at the firewall or just like doing things twice.
It's a good idea to set up automated security updates in case of
something like the recent ssh vulnerability debacle. It would also help
close of firefox vulnerabilities and the like.
There's a lot you can do it just becomes a question of what's
worthwhile. You are most likely safe with the stock configuration of
simply forwarding ssh through. I would consider the above list as
ranked roughly in order, I only do the first two on my home network.
There's a lot of options out there, port knocking is kinda cool and the
automated blocking Daniel mentioned looks handy but I haven't used them
before, I'm sure someone could tell you exactly how to set them up if
you wanted though.
David
More information about the linux
mailing list