[clug] Linux Security

Craig Small csmall at enc.com.au
Wed Jun 11 13:53:03 GMT 2008

On Wed, Jun 11, 2008 at 11:34:44PM +1000, David Tulloh wrote:
> For starters I'd second Daniel's suggestion on moving ssh off port 22.   
> My understanding is that most of the ssh scans just look for default  
> ports so you can side step a lot of attacks this way.
I shifted mine, for other reasons, and yes it basically stopped the
random scans dead in their tracks.  The reason is it's rare for someone
to go after your computer, most attackers won't care if they get access
to yours, mine or the guy across the world, it's just something they can

To scan another port for ssh exploits means to double the number of
scans and of course there is no rule to say which port that should be,
so why bother and not just scan double the hosts for whatever it is
you're looking for.

> Don't allow root logins via ssh.  A lot of the attacks target root  
I think most distributions ship that way, Debian certainly does.
Again, they could try some sort of brute force technique but why would
they bother.  

> If the router allows it, set up filtering to only allow connections to  
> ssh from your computer.  If you have a fixed IP you can just use that,  
> if you don't have a fixed IP just use your ISP's whole block.  Doing  
> this narrows the field of the attackers considerably.
You can also have an iptables filter on the host, the trick is that if
you cannot accurately work out what ranges your isp is using you can
have trouble.  The other way is to just block out large blocks you know
your ISP doesn't use, like /6s.

For Debian distributions, the following URL has some good advice.

 - Craig
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/                             csmall at : enc.com.au
http://www.debian.org/          Debian GNU/Linux, software should be Free 
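
The host-side filter discussed in the message above, as an added example that is not part of the original post: a shell function that validates a list of source blocks and prints an iptables-restore ruleset accepting SSH only from them. The port 2222, the two documentation-range blocks and the chain name SSH_IN are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that accepts SSH only
# from listed IPv4 blocks. Port, blocks and chain name are constructed.

# is_cidr ADDR[/PREFIX]: succeed only for a well-formed IPv4 address or block.
is_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_ssh_rules PORT BLOCK...: validate everything first, then print; a typo
# yields an error and no output rather than a partial filter.
gen_ssh_rules() {
    [ $# -ge 2 ] || { echo "usage: gen_ssh_rules PORT BLOCK..." >&2; return 1; }
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    for block in "$@"; do
        is_cidr "$block" || { echo "bad block: $block" >&2; return 1; }
    done
    echo "*filter"
    echo ":SSH_IN - [0:0]"
    echo "-A INPUT -p tcp --dport $port -j SSH_IN"
    for block in "$@"; do
        echo "-A SSH_IN -s $block -j ACCEPT"
    done
    echo "-A SSH_IN -j DROP"
    echo "COMMIT"
}

# Constructed sample: sshd moved to 2222, two documentation-range blocks.
gen_ssh_rules 2222 203.0.113.0/24 198.51.100.0/24
```

Load the reviewed output with `iptables-restore --noflush` (without it the whole filter table is replaced), and keep an existing SSH session open while testing in case the listed blocks turn out not to cover your address.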
