[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security basics



On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
> Lamar Owen wrote:
> > 
> > On Wednesday 03 October 2007, Karl Larsen wrote:
> > >     I have sure heard a LOT about security updates and I have had my own
> > > problems. For years I thought the only thing necessary was a good root
> > > password. This year I found out with ssh around you need a good password
> > > for your own login name. My problem was caused by having a super poor
> > > login password which was my last name. Since the login name was karl it
> > > followed.
> > 
> > Also: run ssh on some port other than 22.  This is accomplished by 
> > editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to 
> > iptables, assuming you're running iptables).  If you know the IP addresses 
> > from which you will always be connecting, then set your firewall (both on any 
> > external router as well as in /etc/sysconfig/iptables) to only allow the IP 
> > addresses you want.
> > 
> > Just changing from port 22 to some other port (and 222 or 2222 aren't good 
> > ones; anything above 1024 is fair game) will eliminate 90% or more of your 
> > risk. 
> > 
> > Also, set up RSA key security and eliminate password-based logins.  This is a 
> > fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting 
> > ready to go home for the day, and do't have time to type it in; if you can't 
> > find it anywhere, I can write one up fairly quickly, as I've set this up on 
> > several boxes).  Some might say to just do this and not worry about the 
> > listening port change; I prefer multilayered security (why I run SELinux in 
> > enforcing/targete mode on servers) when possible.
> > 
> > With a nonstandard port you do have to remember to use the -p parameter of ssh 
> > to connect (and the -P parameter of scp) but in my opinion it's worth it.
> 
> Changing ports for ssh isn't actually that hot of an idea.  Most port scanners
> can detect ssh implementations since they normally self-identify.  For example,
> if you're running ssh on the normal port (22), try executing:
> 	/usr/bin/telnet YOUR.HOST.IP.ADDR 22
> and see what pops out.
> 
> Hope this helps'idly,
> 
> -S
> 

You can always fake your banner, to fool an attacker. 


http://projects.vanscherpenseel.nl/documents/howto_banners.html



Calin

=================================================
I still miss Windows, but my aim is getting better.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]