suggestions for locking down linux

oog

Golden Member
Feb 14, 2002
i have a gentoo box that i ssh into in order to run bittorrent over screen. i use smb or sftp to get files off of it. i don't allow root to log in to ssh. while looking through my logs yesterday, i noticed someone attempting to log in via ssh. it wasn't me, and i'm the only one who should be logging in. i keep the system pretty much up to date. i have only ports forwarded from my router for ssh and bittorrent. can anyone think of other things i should do to lock down my machine from intruders?
 

gaidin123

Senior member
May 5, 2000
You are definitely not alone in regards to ssh automated intrusion attempts. I seem to get them in spurts every few days. The scripts always try to login via semi-standard usernames like root, test, mysql, apache, a blank username, and a few others.

You can restrict iptables to only allow ssh connections from certain IP blocks but if you travel a lot or roam on various wireless networks that can quickly get cumbersome.

Not that it's necessarily a true increase in security but you could look into a port knocking solution.

Really, strong passwords and non-standard usernames and restricting IP blocks if possible is probably the best thing you can do against this. For a possible DoS against you, you could run a script to automatically drop routes to any IP that gets a failed login attempt...

Gaidin
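As an added example (not from this thread), a small script for the kind of automatic blocking Gaidin describes: it pulls the source IP out of each failed-password line sshd writes to the auth log, counts attempts per IP, and emits iptables DROP rules only for IPs over a threshold and not on an allowlist, so a single mistyped password from your own address cannot lock you out. The log lines below are constructed samples; the rules are returned as strings for review rather than executed.

```python
import re
from collections import Counter

# Constructed sample auth log lines (syslog-style sshd output, not real traffic).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:07 gentoo sshd[4211]: Failed password for invalid user test from 203.0.113.7 port 51122 ssh2
Jan 10 03:14:09 gentoo sshd[4211]: Failed password for invalid user mysql from 203.0.113.7 port 51130 ssh2
Jan 10 03:14:12 gentoo sshd[4213]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jan 10 03:20:44 gentoo sshd[4220]: Failed password for oog from 192.0.2.25 port 40012 ssh2
Jan 10 03:21:01 gentoo sshd[4220]: Accepted publickey for oog from 192.0.2.25 port 40012 ssh2
Jan 10 03:25:33 gentoo sshd[4231]: Failed password for invalid user apache from 198.51.100.9 port 33001 ssh2
"""

# Matches both "invalid user <name>" (unknown account) and plain "<name>" (known account) failures.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count failed SSH password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def block_rules(counts, threshold=3, allowlist=()):
    """Return iptables DROP commands for IPs at or above the threshold.

    Addresses in the allowlist (e.g. your own LAN or home IP) are never blocked,
    which guards against locking yourself out after a few typos.
    """
    rules = []
    for ip, n in sorted(counts.items()):
        if ip in allowlist or n < threshold:
            continue
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    for rule in block_rules(failed_logins_by_ip(SAMPLE_AUTH_LOG)):
        print(rule)
```

In practice you would feed it the real auth log (e.g. /var/log/auth.log or the file your syslog writes sshd messages to) and run the resulting rules from a cron job.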
 

drag

Elite Member
Jul 4, 2002
For openssh you can set it up to use encrypted keypairs and a keyword... Set it up to only use protocol version 2. That sort of thing. See www.openssh.com

Maybe setup a chroot jail for bittorrent. I don't know if that is warranted though. Depends on how bittorrent works, I am not aware of any issues.

lots of places to go:
http://www.linuxsecurity.com/docs/Security-HOWTO
http://www.linuxsecurity.com/
http://www.linuxsecurity.com/advisories/


And this one is very interesting:
http://www.osvdb.org/

That's the open source vulnerability database. It's not a vulnerability of open source software, the idea is that you have a community run database that you can access over the internet. Literally access a database over the internet for things like corporate security, security auditing tools, setting up studies. etc etc etc. No bias like those databases created by security companies...

Also has an RSS feed you can setup thru an rss reader to automatically notify you of any recent exploits and their solutions. That sort of thing.
 

oog

Golden Member
Feb 14, 2002
thanks for the suggestion. i had not heard of chroot jails before. i suppose that it's not a good idea to try to use the python-based bittornado since i imagine i would have to include python in the jail. i guess i can take a look at ctorrent instead to see if it has fewer dependencies. it may be overkill though.

thanks for the linuxsecurity.com links.
 

drag

Elite Member
Jul 4, 2002
If you want, Debian has on its install media the default minimal system tarball that you can use to build a chroot-based OS from. It'll use apt-get and all that.

Something to play around with. Chroot is often used in stuff like ftp servers or webservers. Especially for known iffy programs like bind (dns server).

There are limits to chroot. Once I was doing a Gentoo install and I setup a ssh server on the install section so I could go to work and on break I was going to finish installing and setting up the OS. Well I forgot a step early on in the install (like forgot to mount the /proc), and as you know you're operating in a chroot'd environment. So basically I needed to access the parent OS, but since sshd was running out of the chroot'd environment I could just exit out of chroot or it would log me out of the server.

So I looked up chroot exploits and found a C program. Once I fixed the built-in bug in the exploit and successfully compiled it and installed it I used it to break out of the chroot jail and redo the step that I missed during the install. Then once that was finished I was able to finish the rest of the install successfully. :)

(lesson is that you should make sure never to allow any access to development tools on a server)
 

Need4Speed

Diamond Member
Dec 27, 1999
use pub/private key pairs with passphrase and move the default ssh port from 22 to something else, at least for non-local connections, i.e. use one machine as an SSH gateway to log into from the outside world whose port is something like 6891. from there you can log into any machine on the lan on port 22 (still use keypairs)

there is a way to use opie with ssh, but it's pretty much worthless since it only will protect you against keyloggers.