LinuxQuestions.org

inara72 01-31-2010 02:31 PM

Need advice on security, SSH, security policies

We have a 30-computer network: one Small Business Server and 29 workstations. We also have 10 servers hosted in a data center (running on Red Hat Enterprise servers).

Communication normally takes place between the SBS server and the 29 clients (internal); between the 29 clients and the 10 data center servers through SSH; between external clients and the 10 servers at the data center; and between external clients and the SBS server and 29 workstations. We are also running Apache web server, qmail and MySQL server on our data center servers.

I need advice on what the best practice would be to secure all of these communications: between internal/external clients and the data center servers, between external clients and the SBS server/internal clients, and within our office network.

Currently, none of our communication within the network is secure. We access the Red Hat servers in the data center through simple SSH, and external clients access the data center and our office through remote logins and SSH. So how can security be implemented internally as well as remotely (accessing data center servers and external clients)?

Please be as brief as possible.

tronayne 01-31-2010 05:33 PM

First off, unless you're absolutely certain that your SBS installation is secure; i.e., it's running with SSL and SSH, I'd give serious consideration to replacing it with a Linux server -- there just isn't all that much that SBS can do that cannot be done at least as well (and probably more securely) with Linux, SSL and SSH. If that's not practical, you may want to consider a VPN setup although that may be more expense and trouble than it's worth unless it's done at your router(s) with RSA security tokens or the like for any external; i.e., outside the building, employee or not, authorized users.

One simple thing you can do is make sure your site does not respond to ping; if the bad actors don't know you're there, they're not going to bother you quite as much. That doesn't mean that you're not going to be probed, however, so make certain that your system logs are scanned at least weekly to identify sshd and other probes; add any site that has done that to your /etc/hosts.deny file and/or your IPTABLES database -- identify the domain the probe is coming from (with whois) and simply deny access to the entire domain. Here are a few that I block because I've had multiple probes and break-in attempts from them:
Code:

# Drop all inbound packets whose source falls in these ranges
iptables -A INPUT -s 74.6.0.0/16 -j DROP
iptables -A INPUT -s 200.169.98.0/24 -j DROP   # the original post had 200.169.98/24, a malformed prefix
iptables -A INPUT -s 149.20.0.0/16 -j DROP
iptables -A INPUT -s 208.53.128.0/18 -j DROP

I also completely block China and Korea based simply on experience with attempts from those countries, and I do not do business with either.

You should be running any web-based applications with Apache security; i.e., the web address is https-something, not -- internal or external -- http. Your MySQL server(s) should be locked down with individual passwords (not internal or external site-wide passwords); make sure that administration has at least executed mysql_secure_installation on every one of your MySQL servers (and that the test database has been removed from MySQL). There should be zero access to any MySQL database without a user id and password. Use individual accounts and passwords for all employees, administrators or not (although that is somewhat impractical for those who absolutely require root access).

You should already be aware that Microsoft products are to be assumed insecure no matter what -- given a long, long history of intrusion along with extensive and expensive damage, it may be better to be safe than sorry and simply migrate everything to Linux. I'm not being prejudiced here; I've been burned and I didn't much like it. I also got real tired of spending hundreds if not thousands of dollars to protect computers from things that should never have existed in the first place had the vendor done a professional job. Essentially, Microsoft products have never been and I don't expect them ever to be secure -- it's your money and it's your data, you decide.

Never, under any circumstance, allow a vendor or client to plug a computer into your network, particularly a Microsoft computer. Do not allow anyone -- internal or external -- to plug in a flash drive, floppy disk, CD-ROM or DVD unless it has first been scanned by your system administrators. Don't allow people to tote floppies, CD's, DVD's and especially flash drives back and forth. If you're using wi-fi, it must be password-protected; better yet, hard-wired is always more secure than wi-fi.

The combination of SSL and SSH is about as secure as you can practically get if you insist that all access to any computer in your facility is done only with SSH. When you use Apache securely, you're using SSL and SSH and you simply insist that all outside access is done with proper user identification and password. That means that any new user is stopped at the front page and either enters a known user id and password or requests a new account, in which case you go through establishing the account with human review before replying with a validation (one of those "click here to validate your account" e-mails). It's worth setting up account numbers and it's really worth having passwords expire periodically (monthly is good, quarterly is less annoying, but remember that it's your system and act accordingly). You should use PAM or some other utility to insist on "good" passwords and don't let anybody re-use previous passwords. If an employee is discharged or leaves voluntarily, lock every account they use during the exit interview.

If you insist on permitting Microsoft products internally, make sure they're as secure as you can get them -- every box must be updated when Microsoft issues security patches, every box must be running McAfee, Norton or some other favorite security software (and kept up-to-date, no excuses). No user should have administrative privileges; i.e., no user can install software on the box. In any event, schedule runs of the security software and audit periodically to assure that there isn't "foreign," user- or bad-guy-installed software on your Microsoft systems.

Bottom line is that you can pretty much trust SSH -- but you have to actually use it; establish standards and stick to them, no exceptions.

Hope this helps some.
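The log-scanning step described above (identify sshd probes in the logs, then add the source to /etc/hosts.deny or an iptables DROP rule) as an added example that is not part of the thread. The sshd log lines and addresses are constructed samples; the script only prints the deny entries for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source
# address in syslog-style auth log lines and emit matching deny entries.
# SAMPLE_LOG is a constructed sample; addresses are from documentation ranges.
SAMPLE_LOG='Jan 31 14:02:11 sbs sshd[2231]: Failed password for root from 203.0.113.7 port 51322 ssh2
Jan 31 14:02:14 sbs sshd[2231]: Failed password for root from 203.0.113.7 port 51330 ssh2
Jan 31 14:02:19 sbs sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51341 ssh2
Jan 31 14:05:40 sbs sshd[2240]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Jan 31 14:06:02 sbs sshd[2244]: Failed password for invalid user test from 198.51.100.9 port 60100 ssh2
Jan 31 14:09:57 sbs sshd[2251]: Failed password for alice from 192.0.2.10 port 40031 ssh2'

# Read log text from stdin; print "count ip" for every source address with
# at least $1 failed password attempts. Successful logins are ignored.
failed_sources() {
    threshold="$1"
    grep 'sshd\[[0-9]*\]: Failed password for' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t+0 { print $1, $2 }'
}

# hosts.deny lines restricting only sshd for the offending addresses.
deny_entries() {
    failed_sources "$1" | awk '{ print "sshd: " $2 }'
}

# Equivalent iptables commands in the form used in the thread; printed,
# not executed, so an admin can check them (whois etc.) before applying.
iptables_rules() {
    failed_sources "$1" | awk '{ print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Stand-alone run: a single mistyped password (alice) stays under the
# threshold; the repeated root/admin guesses from one address are listed.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
```

In real use, pipe /var/log/secure (or /var/log/auth.log) into the functions instead of SAMPLE_LOG and raise the threshold to suit the site.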

inara72 01-31-2010 07:23 PM

Thanks. That was great advice; hope this will help a lot for our network.

nimnull22 01-31-2010 07:56 PM

Actually, another good idea, if it is possible, is to use MAC filtering in your network, and I would suggest putting a Linux firewall/filter in front of your network. I always think that a stand-alone firewall/filter is much better.

tronayne 02-01-2010 06:49 AM

Quote:

Originally Posted by nimnull22 (Post 3847728)
Actually, another good idea, if it is possible, is to use MAC filtering in your network, and I would suggest putting a Linux firewall/filter in front of your network. I always think that a stand-alone firewall/filter is much better.

Second that.

Another thing I forgot to mention is that you should consider shutting down (or do not enable) every port on your routers that is not necessary. With routers I'm familiar with, you have to enable ports individually and that's good. Routers that are wide-open by default, that's bad; shut 'em all down except the ones needed for your communications. Your routers are the front end to the world and you don't want to have people probing away through unnecessarily-open ports in them.

All times are GMT -5.