Quote: Originally Posted by lucmove
Something "after the fact" (..) is a lot better than nothing after the fact at all.
"After the fact" as in prevention is better than cure, of course.
Quote: Originally Posted by lucmove
I have disabled root login,
You probably didn't even have to manually. It's the sane OpenSSH default.
Quote: Originally Posted by lucmove
only one user has access,
As in /etc/ssh/sshd_config AllowUsers / AllowGroups directives?
Or as in /etc/security/access.conf?
Or as in static IP range /etc/hosts.allow?
Quote: Originally Posted by lucmove
the password is pretty good and
Use passphrases instead?
Quote: Originally Posted by lucmove
sshd runs on an unusual port.
In the end that only fools "dumb" scanners.
But that's only part of it. Earlier on you said
Quote: Originally Posted by lucmove
The machine serves a Web site, email and sshd.
but "web site" can mean anything from static HTML to homebrew CGI scripts to an off-the-shelf PHP-based CMS. In any case the machine sees more exposure than SSH alone. Any decent security tutorial should give you a checklist, but minimally you would want to:
- remove software you don't run now or need now,
- set an install (review) and an update schedule where possible,
- don't run outdated, stale, vulnerable software,
- review access rights on setXid binaries,
- review mount flags where applicable,
- use a file integrity checker like Aide, Samhain or even tripwire,
- restrict human users (password criteria, account aging, ulimits, sudo, maybe network access restrictions),
- restrict processes (inert shell, run process as unprivileged user),
- restrict network access (sysctls, allowed ranges, blocking bogons, traffic limiting, blocking attempts with say fail2ban),
- make certain the system and all services log enough details,
- rotate logs often and keep enough archives and use a log reader like Logwatch to send you alerts (and read the reports!),
- audit the system regularly with GNU/Tiger and tools like that, and
- do check any changes you make, preferably scanning from a remote location.
See the print version of the LQ Security FAQ at
http://rkhunter.wiki.sourceforge.net/SECREF?f=print .
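Two of the checklist items above (the sshd AllowUsers/AllowGroups and root-login question, and "review mount flags") turned into a small offline audit script. This is an added example, not code from the thread or from any of the tools it names; it runs against constructed sample input, and the mount points and nodev/nosuid/noexec flags it looks for are an assumed choice that you would adapt to the real system.

```shell
#!/bin/sh
# Added example, not from the thread: an offline check of two checklist items
# (sshd access restrictions, mount flags) against constructed sample input.
# Assumption: the mount points and nodev/nosuid/noexec flags below are the
# usual targets of "review mount flags"; adapt them to the real system.

# Effective value of an sshd_config keyword: first occurrence wins, as in sshd;
# keywords are case-insensitive, comments and blank lines are skipped.
# Match blocks are not interpreted (assumption: a flat config).
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }'
}

# Read sshd_config on stdin; print one finding per line, nothing when clean.
check_sshd_config() {
    cfg=$(cat)
    # sshd default since OpenSSH 7.0 is prohibit-password, so only "yes" is flagged
    [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" = yes ] &&
        echo "PermitRootLogin yes: root can log in directly"
    if [ -z "$(printf '%s\n' "$cfg" | sshd_value AllowUsers)" ] &&
       [ -z "$(printf '%s\n' "$cfg" | sshd_value AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account may attempt login"
    fi
    return 0
}

# Read /proc/mounts format on stdin; report the listed mount points that lack
# any of nodev, nosuid, noexec.
check_mount_flags() {
    awk 'BEGIN { want["nodev"]; want["nosuid"]; want["noexec"] }
         $2 ~ /^\/(tmp|var\/tmp|home|dev\/shm)$/ {
             split("", have); n = split($4, opts, ",")
             for (i = 1; i <= n; i++) have[opts[i]] = 1
             miss = ""
             for (o in want) if (!(o in have)) miss = miss " " o
             if (miss != "") print $2 ": missing" miss
         }'
}

# Constructed sample input, deliberately weak in two places.
SAMPLE_SSHD='PermitRootLogin yes
Port 2222'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_SSHD" | check_sshd_config
printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_flags
```

On a live box you would feed it `/etc/ssh/sshd_config` and `/proc/mounts` instead of the samples.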