I have an older server that I've been using in my house to sync computers, keep backups on, etc. It is running Slackware 11.0 with all the security updates applied. I would like to expose this server to the internet at large so I can access it while on other networks. The router it is behind will allow me to put it into a "DMZ" or alternatively I can open just a few select ports in the router's firewall to access this box. All I want to do is have SSH and SCP; I don't need apache running or any other services.

What is the best way to ensure security? The obvious to me is to disable root logins in SSH, but other than that, how can I ensure I don't have other services running which I either don't need or have not configured and are thus insecure?

Any help greatly appreciated, thanks for reading!

The box has some protection by being behind the router. If the only access you provide is to forward port 22 from your router to the box for SSH access then you don't have any ports exposed apart from this. There are a few things I'd look at doing:

- As well as PermitRootLogin no, use the AllowUsers or AllowGroups options to limit who can access the box;
- Use PasswordAuthentication no and only allow access via keys - in combination with the previous step, that stops almost all of the script attacks;
- Use nmap and netstat so that you know what is happening on the box. Even though you're only exposing SSH, it makes sense to know what the box is doing;
- Check your logs regularly. Use tools like logwatch to summarise them and cut down on the boredom factor.

To lock down sshd, in sshd_config:
1. Use the PermitRootLogin no directive.
2. Use the Protocol 2 directive.
3. Disable all forms of authentication except for pubkey. You may need to keep the private key on a usb jump drive if you use different client computers. (And if that's the case, use a strong passphrase and delete the private key when you're done with it.)
4. Use iptables or tcp_wrappers to open the sshd service to only the subnets that really need access. Deny everything else.
5. Keep your OpenSSH software up to date.

Some people suggest moving the sshd service to listen on a different port. To each his own, I guess. There are ways to harden sshd further, which get more complicated.

To check for any other running / listening services, try:

Thanks for the tips!

Although I have heard of nmap and netstat before, I am unfamiliar with their common usages. Is the idea to run them at regular intervals in order to see any unwanted attention/activity on the network?

And as far as the logs go, which logs should I watch, and what kind of things should I be on the lookout for? I found the man page for logwatch, but it's a tad short on the details.

Thank you for your reply!

Edit: Replies come quickly! Thanks anomie for the tips :-)

The netstat command I mentioned will show you all tcp / udp services running on that machine. You'll want to review the nmap manpages. Its use will be to determine which services are open to the network you're scanning from. Lots of info here: http://insecure.org/nmap/

You're going to want to keep an eye on /var/log/secure for failed ssh logins.

My 1/2 cent: all the "script kiddie" login attempts I was seeing every day stopped when I did this. Won't say it's any more "secure" this way, but ALOT fewer messages to slog through in my log files...

For other tips try searching for 'harden slack'. There used to be a tutorial and/or script for general hardening.

+1 for using another port than the default.

Hi,

This one seems to be ok!

Excellent advice but I would run ssh on some port other than 22. Most of the automated ssh attack scanners are written to hit port 22, so I would (and in fact I do) use some other port. I suggest you pick a high number and one that isn't used for other popular services.

Also, the 'Shields Up' web utility from GRC will show you exactly what ports on your router are open.