LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-11-2010, 11:37 PM   #1
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

shell login tripwire?


I have disabled root login in my remote shell and I have a pretty strong password. I am not happy though. I want to increase security. I've been thinking about installing some basic tripwire rig, like say, send myself an email every time I (or anyone) log in. My questions:

- What kind of data would be useful to be sent in that email? Anything else besides "user so-and-so logged in at {date and time}"?

- How would I achieve that? Is it enough to include it in .tcshrc (because my shell is tcsh)? Should I add it to other shells as well (.bashrc, .csh etc.) even though nobody uses the other shells? Is it better placed in some other file, like .login? What is the optimal place?

- Would that be enough? Can I make that whole idea more secure in any way?
 
Old 07-12-2010, 12:06 PM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

My .bash_profile has this
Code:
# Runs from .bash_profile, i.e. once per login shell. Mails the date and the
# current who(1) listing; the subject carries whatever field 6 of who(1)
# holds on this system.
echo 'ALERT - Someone logged on to my account:' "$(date)" "$(who)" | mail -s "Alert: Someone logged in to my account! $(who | awk '{print $6}')" me@my-domain.com
It's worth putting a copy of that in roots profile too.
 
Old 07-12-2010, 03:16 PM   #3
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
I just realized... I can't put that tripwire thing in my .tcshrc (or .bash_profile). That would trigger the mechanism for EVERY NEW shell window, e.g. multiple windows in GNU Screen. I have to put that in some file that only triggers when I log in via SSH. What file would that be?
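An added example, not code posted by smoker or lucmove, that addresses both posts above: it mails the details worth having (user, client IP, tty, time, host) and only fires for a shell spawned directly by sshd, so windows opened inside GNU Screen or plain subshells do not re-trigger it even though they inherit SSH_CONNECTION. Function names are hypothetical, the recipient address is a placeholder, and the check assumes the sshd session process is named sshd (or sshd-session on recent OpenSSH).

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names; placeholder
# recipient. Source this file from a login profile and call send_login_alert.

# Client IP from SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port".
ssh_client_ip() {
    printf '%s\n' "${1%% *}"
}

# True only when the shell was spawned directly by sshd. A screen window's
# parent is screen and a subshell's parent is the shell, so neither re-fires
# the alert even though both inherit SSH_CONNECTION from the environment.
#   $1 parent command name (ps -o comm= -p <ppid>), $2 value of SSH_CONNECTION
is_ssh_login() {
    [ -n "$2" ] || return 1
    case $1 in
        sshd|sshd-session) return 0 ;;   # sshd-session: OpenSSH 9.8 and later
        *) return 1 ;;
    esac
}

# Build the message body from values passed in, so it is testable offline.
#   $1 user, $2 client IP, $3 tty, $4 timestamp, $5 server hostname
build_login_alert() {
    printf 'SSH login on %s\nuser: %s\nfrom: %s\ntty:  %s\nwhen: %s\n' \
        "$5" "$1" "$2" "$3" "$4"
}

# Glue for a real session. $1 is the pid of the login shell (defaults to the
# current shell); its parent is what gets compared against sshd.
send_login_alert() {
    shell_pid=${1:-$$}
    ppid=$(ps -o ppid= -p "$shell_pid" | tr -d ' ')
    parent=$(ps -o comm= -p "$ppid" 2>/dev/null)
    if is_ssh_login "$parent" "${SSH_CONNECTION:-}"; then
        ip=$(ssh_client_ip "$SSH_CONNECTION")
        build_login_alert "$(id -un)" "$ip" "$(tty)" \
            "$(date '+%Y-%m-%d %H:%M:%S %Z')" "$(hostname)" |
            mail -s "SSH login: $(id -un)@$(hostname) from $ip" me@my-domain.com
    fi
}
```

Save it as ~/bin/login-alert.sh. From bash, add `. ~/bin/login-alert.sh; send_login_alert` to ~/.bash_profile. From tcsh, where ~/.login plays the same role, run `sh -c '. $HOME/bin/login-alert.sh; send_login_alert "$1"' sh $$` (tcsh expands `$$` to its own pid, so the check inspects tcsh's parent). Anything living in a user's profile can be skipped by whoever holds that account, which is the "after the fact" point raised later in the thread; running the same script from PAM's pam_exec on session open keeps it out of the user's hands.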
 
Old 07-12-2010, 04:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by lucmove
I've been thinking about installing some basic tripwire rig, like say, send myself an email every time I (or anyone) log in. (..) Would that be enough?
Can you explain how you think that would actually make a system more secure?


Quote:
Originally Posted by lucmove
I want to increase security.
What services does the machine provide? What have you done in terms of host hardening? Particularly access restrictions and "early warning" auditing?
 
Old 07-12-2010, 07:07 PM   #5
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
A warning email is useful to me because I get instant notification on my BlackBerry. Since I am sitting before the computer most of the time, I can check what's going on immediately.

The machine serves a Web site, email and sshd. I haven't done anything in terms of host hardening. I haven't done any auditing either.
 
Old 07-12-2010, 10:08 PM   #6
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Quote:
Originally Posted by lucmove
I just realized... I can't put that tripwire thing in my .tcshrc (or .bash_profile). That would trigger the mechanism for EVERY NEW shell window, e.g. multiple windows in GNU Screen. I have to put that in some file that only triggers when I log in via SSH. What file would that be?
I don't get emails all the time, just when I log in. .bash_profile only gets executed at login.
 
Old 07-13-2010, 09:12 AM   #7
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
Quote:
Originally Posted by smoker
I don't get emails all the time, just when I log in. .bash_profile only gets executed at login.
Try running GNU Screen and creating windows in it...
 
Old 07-13-2010, 09:54 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by lucmove
A warning email is useful to me because I get instant notification on my BlackBerry. Since I am sitting before the computer most of the time, I can check what's going on immediately.
Exactly what I mean: after the fact.


Quote:
Originally Posted by lucmove
The machine serves a Web site, email and sshd. I haven't done anything in terms of host hardening. I haven't done any auditing either.
Then you're doing things in reverse: the "must haves" (security basics and hardening) first. "Nice to haves" can be added at any time afterwards as they don't strengthen security posture like the first category.
 
Old 07-13-2010, 11:51 AM   #9
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Quote:
Originally Posted by lucmove
Try running GNU Screen and creating windows in it...
Nope, still no emails. Probably because I'm already logged in!

Last edited by smoker; 07-13-2010 at 11:53 AM.
 
Old 07-13-2010, 03:41 PM   #10
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
Quote:
Originally Posted by unSpawn
Then you're doing things in reverse: the "must haves" (security basics and hardening) first. "Nice to haves" can be added at any time afterwards as they don't strengthen security posture like the first category.
What do you call "hardening"? I have disabled root login, only one user has access, the password is pretty good and sshd runs on an unusual port. What else do you suggest?

Something "after the fact" (but quite instantly) is a lot better than nothing after the fact at all.
 
Old 07-14-2010, 10:53 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by lucmove
Something "after the fact" (..) is a lot better than nothing after the fact at all.
"After the fact" as in prevention is better than cure of course.


Quote:
Originally Posted by lucmove
I have disabled root login,
You probably didn't even have to manually. It's the sane OpenSSH default.


Quote:
Originally Posted by lucmove
only one user has access,
As in /etc/ssh/sshd_config AllowUsers / AllowGroups directives?
Or as in /etc/security/access.conf?
Or as in static IP range /etc/hosts.allow?


Quote:
Originally Posted by lucmove
the password is pretty good and
Use passphrases instead?


Quote:
Originally Posted by lucmove
sshd runs on an unusual port.
In the end that only fools "dumb" scanners.


But that's only part of it. Earlier on you said
Quote:
Originally Posted by lucmove
The machine serves a Web site, email and sshd.
but "web site" can mean anything from static HTML to homebrewed CGI scripts to an off-the-shelf PHP-based CMS. In any case the machine sees more exposure than SSH alone. Any decent security tutorial should give you a checklist but minimally you would want to:
- remove software you don't run now or need now,
- set an install (review) and an update schedule where possible,
- don't run outdated, stale, vulnerable software,
- review access rights on setXid binaries,
- review mount flags where applicable,
- use a file integrity checker like Aide, Samhain or even tripwire,
- restrict human users (password criteria, account aging, ulimits, sudo, maybe network access restrictions),
- restrict processes (inert shell, run process as unprivileged user),
- restrict network access (sysctls, allowed ranges, blocking bogons, traffic limiting, blocking attempts with say fail2ban),
- make certain the system and all services log enough details,
- rotate logs often and keep enough archives and use a log reader like Logwatch to send you alerts (and read the reports!),
- audit the system regularly with GNU/Tiger and tools like that, and
- do check any changes you make, preferably scanning from a remote location.
See the print version of the LQ Security FAQ at http://rkhunter.wiki.sourceforge.net/SECREF?f=print .
 
2 members found this post helpful.
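An added example, not part of unSpawn's post, covering the sshd_config side of the access restrictions he asks about (PermitRootLogin, AllowUsers/AllowGroups, password versus key authentication) and the "audit the system regularly" item: a small audit that reads the effective value of each directive the way sshd does (first match wins, comments stripped, nothing after a Match line counted) and reports what is still open. Both sample configs are constructed for the demo; on a real host point audit_sshd_config at /etc/ssh/sshd_config. Function names are hypothetical, and the defaults assume OpenSSH 7.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names; the two
# sample configs are constructed to show a weak and a hardened sshd_config.

# Effective value of one directive. sshd_config is first-match-wins, keywords
# are case-insensitive, '#' starts a comment, and everything after the first
# "Match" line is conditional, so the scan stops there.
#   $1 file, $2 keyword, $3 value to report when the directive is absent
sshd_directive() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(sed -e 's/#.*//' "$1" | awk -v k="$key" '
        tolower($1) == "match" { exit }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }')
    printf '%s\n' "${val:-$3}"
}

# One line per finding; exit status 1 if anything was found. The absent-value
# defaults are those of OpenSSH 7.0 and later (PermitRootLogin
# prohibit-password); older releases defaulted to "yes", which is why the
# directive is worth setting explicitly rather than trusting the default.
audit_sshd_config() {
    rc=0
    case $(sshd_directive "$1" PermitRootLogin prohibit-password) in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin: root may log in over SSH"; rc=1 ;;
    esac
    if [ "$(sshd_directive "$1" PasswordAuthentication yes)" != no ]; then
        echo "WARN PasswordAuthentication: passwords accepted; prefer keys with a passphrase"
        rc=1
    fi
    if [ -z "$(sshd_directive "$1" AllowUsers '')" ] &&
       [ -z "$(sshd_directive "$1" AllowGroups '')" ]; then
        echo "WARN AllowUsers/AllowGroups unset: every local account may try to log in"
        rc=1
    fi
    return $rc
}

# Constructed sample: sshd moved to an unusual port and nothing else
# restricted. The commented-out AllowUsers is not in effect, and the one
# inside the Match block applies to that user only, so neither satisfies
# the audit.
write_weak_sshd_config() {
    cat >"$1" <<'EOF'
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice
Match User backup
    AllowUsers backup
EOF
}

# Constructed sample: the same host after applying the checklist.
write_hardened_sshd_config() {
    cat >"$1" <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers lucmove
MaxAuthTries 3
LoginGraceTime 30
EOF
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after every change and, as the checklist says, confirm the result from outside with a scan from another host rather than trusting the file alone. The hardened sample keeps port 22: the port move only fools simple scanners, while AllowUsers and key-only authentication remove the password from the attack surface entirely.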
Old 07-14-2010, 04:18 PM   #12
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
Quote:
Originally Posted by unSpawn
You probably didn't even have to [disable root login] manually. It's the sane OpenSSH default.
Not in Slackware, FYI. Slackware enables root login by default. Slackware rules.

I took note of your security checklist. Thank you.
 