Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have set up a good iptables firewall script on my GATEWAY machine (Linux 2.6.xx), and the rules for my internet NIC are:
# Log, then drop, every new connection attempt arriving on the internet interface
ipt -A INPUT -i $INET_IFACE -m state --state NEW -j LOG --log-prefix "INPUT_IFACE_NEW: "
ipt -A INPUT -i $INET_IFACE -m state --state NEW -j DROP
# NEW packets were already dropped above, so only INVALID packets reach these two rules
ipt -A INPUT -i $INET_IFACE -m state --state INVALID,NEW -j LOG --log-prefix "INPUT_IFACE_NEW_INVALID: "
ipt -A INPUT -i $INET_IFACE -m state --state INVALID,NEW -j DROP
I use this nice open source product which alerts me of port scans:
I'm continuously receiving alerts for this IP address from a Chinese source:
221.203.145.54
I have also added this IP to /etc/hosts.deny.
What else can I do to stop this nuisance, at least from this IP? Earlier I was under a dictionary attack on my SSH port from China, and I fixed it by changing the port for SSH and using an open source solution like DenyHosts.
What else can I do to stop this nuisance, at least from this IP?
Support for tcpwrappers (HostsDeny) isn't used by all applications, but you can completely ban all traffic with iptables using:
iptables -I INPUT -s 221.203.145.54 -j DROP
Earlier I was under a dictionary attack on my SSH port from China, and I fixed it by changing the port for SSH and using an open source solution like DenyHosts.
Changing the port is effective in cutting the number of attacks, but you might want to switch to using key-based authentication rather than passwords. There are also a number of alternate solutions you may want to check out in the thread on "Failed SSH Logins" at the top of the forum.
It seems to have a significant history of abuse.
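As an added example that is not part of the thread: a small script that reads the kernel log lines written by the LOG rules at the top of the thread (both prefixes), counts new-connection attempts per source, and emits the one-line ban above for any source over a threshold. The log lines are constructed samples, the threshold is this example's choice, and IPT defaults to a dry run that echoes the iptables command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the thread): turn the firewall's own LOG lines into
# the one-line ban above. The log prefixes are the ones from the rule set at the
# top of the thread; the log lines are constructed samples. IPT defaults to a
# dry run that only echoes the command; set IPT=iptables to apply it as root.
IPT="${IPT:-echo iptables}"
THRESHOLD="${THRESHOLD:-5}"   # logged attempts before a source is banned (example's choice)

# Constructed sample of what the LOG rules write to the kernel log.
SAMPLE_LOG='Jan 10 03:12:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=10.0.0.1 PROTO=TCP SPT=4021 DPT=22
Jan 10 03:12:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=10.0.0.1 PROTO=TCP SPT=4022 DPT=23
Jan 10 03:12:02 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=10.0.0.1 PROTO=TCP SPT=4023 DPT=80
Jan 10 03:12:02 gw kernel: INPUT_IFACE_NEW_INVALID: IN=eth0 OUT= SRC=221.203.145.54 DST=10.0.0.1 PROTO=TCP SPT=4024 DPT=139
Jan 10 03:12:03 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=10.0.0.1 PROTO=TCP SPT=4025 DPT=445
Jan 10 03:15:40 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=51022 DPT=22'

# Print "count ip" for every SRC with at least THRESHOLD hits, highest first.
# Both prefixes (INPUT_IFACE_NEW and INPUT_IFACE_NEW_INVALID) are counted.
top_sources() {  # reads log text on stdin
  grep 'INPUT_IFACE_NEW' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }' | sort -rn
}

# Emit an idempotent ban for one address. -I INPUT 1 places it ahead of the
# logging rules, so banned traffic is dropped before it can fill the log;
# -C (iptables >= 1.4.11) skips addresses that are already banned. The case
# check keeps anything but digits and dots out of the iptables command line.
ban_source() {
  case "$1" in *[!0-9.]*|"") echo "refusing malformed address: $1" >&2; return 2 ;; esac
  if [ "$IPT" = iptables ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
    echo "already banned: $1"; return 0
  fi
  $IPT -I INPUT 1 -s "$1" -j DROP
}

echo "$SAMPLE_LOG" | top_sources | while read -r hits ip; do
  echo "# $hits logged attempts from $ip"
  ban_source "$ip"
done
```

Rules added this way live only in the running kernel; they need to be written into the firewall script (or saved with the distribution's iptables-save mechanism) to survive a reboot.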
Support for tcpwrappers (HostsDeny) isn't used by all applications, but you can completely ban all traffic with iptables using:
iptables -I INPUT -s 221.203.145.54 -j DROP
I have only SSH running on 0.0.0.0; the other services are bound to the local LAN. That's why I used a second level of security like TCP wrappers. Maybe I'm too paranoid.
Changing the port is effective in cutting the number of attacks, but you might want to switch to using key-based authentication rather than passwords. There are also a number of alternate solutions you may want to check out in the thread on "Failed SSH Logins" at the top of the forum.
Actually, I have some varying clients who use WinSCP to connect to my SSH server to download my application builds. It's easier for me to just give them a user/pass rather than breaking my head to show them how to generate a public/private pair, hand over the public key to me, and receive my public key.
You could probably benefit from using scponly, which is essentially an ssh wrapper that allows only scp transfers. Here's the website: http://www.sublimation.org/scponly/. You can enable it by specifying it as the remote user's login shell. Keeping with defense in depth, this wouldn't give out a remote shell for the clients who only need scp, making a successful dictionary attack essentially futile (as long as the compromised user doesn't have write capability). It would still leave any administrative accounts vulnerable, though, without switching over completely to public/private keypair auth.
You could probably benefit from using scponly, which is essentially an ssh wrapper that allows only scp transfers. Here's the website: http://www.sublimation.org/scponly/. You can enable it by specifying it as the remote user's login shell. Keeping with defense in depth, this wouldn't give out a remote shell for the clients who only need scp, making a successful dictionary attack essentially futile (as long as the compromised user doesn't have write capability). It would still leave any administrative accounts vulnerable, though, without switching over completely to public/private keypair auth.
I give only SFTP access to my SSH server, in a chrooted environment. The shell for all users is set to /usr/local/libexec/sftp-server.
Anyway, thanks for the replies. Maybe I'm too paranoid.
Just wanted to know about any new things the security experts here use. You see, I'm just a young Linux admin in his 20's who single-handedly configured and now manages my company's gateway Squid proxy, Qmail server and one Linux Samba PDC, so I wanna learn a lot of new stuff, and open source rox.
In that case I recommend that you disable direct root access by setting PermitRootLogin to "no" (make sure it's uncommented as well). Make sure that you are using a decent password policy (no dictionary words). You can also reduce MaxAuthTries, which will bog down a brute force attempt.
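As an added example that is not part of the thread: a script that audits an sshd_config for the settings recommended above, reading the file the way sshd does (a directive commented out with "#" is not in effect, and the first uncommented value of a keyword wins). The two sample config files are constructed, and the MaxAuthTries limit of 3 is this example's choice rather than the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above. A directive commented out with '#' is not in effect, and
# sshd keeps the FIRST uncommented value it sees for a keyword, so the audit
# reads the file the same way sshd does. Assumes no Match blocks are used.
# Print the effective value of a keyword (case-insensitive); empty if unset.
sshd_get() {  # usage: sshd_get <config-file> <keyword>
  awk -v k="$(echo "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == k && v == "" { v = $2 }
    END { print v }' "$1"
}

# Report weak settings; the return value is the number of findings (0 = pass).
# The MaxAuthTries limit of 3 is this example's choice, not the thread's.
audit_sshd() {  # usage: audit_sshd <config-file>
  f="$1"; n=0
  root=$(sshd_get "$f" PermitRootLogin)
  case "$root" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin is '${root:-not set}': set it to no"; n=$((n+1)) ;;
  esac
  tries=$(sshd_get "$f" MaxAuthTries)
  if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
    echo "MaxAuthTries is '${tries:-not set (default 6)}': lower it"; n=$((n+1))
  fi
  if [ "$(sshd_get "$f" PermitEmptyPasswords)" = yes ]; then
    echo "PermitEmptyPasswords is yes: set it to no"; n=$((n+1))
  fi
  # Informational only: the thread notes passwords are still needed for the WinSCP users.
  [ "$(sshd_get "$f" PasswordAuthentication)" = no ] ||
    echo "note: password authentication is enabled; keys would remove the dictionary-attack surface"
  return $n
}
# Constructed sample configs: one with the defaults left in place, one hardened.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords yes
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
MaxAuthTries 3
PermitEmptyPasswords no
EOF
audit_sshd "$WEAK_CFG"; echo "findings in weak config: $?"
audit_sshd "$HARD_CFG"; echo "findings in hardened config: $?"
```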