Slackware: This forum is for the discussion of Slackware Linux.
I have an older server that I've been using in my house to sync computers, keep backups on, etc. It is running Slackware 11.0 with all the security updates applied. I would like to expose this server to the internet at large so I can access it while on other networks. The router it is behind will allow me to put it into a "DMZ" or alternatively I can open just a few select ports in the router's firewall to access this box. All I want to do is have SSH and SCP; I don't need apache running or any other services.
What is the best way to ensure security? The obvious to me is to disable root logins in SSH, but other than that, how can I ensure I don't have other services running which I either don't need or have not configured and are thus insecure?
The box has some protection by being behind the router. If the only access you provide is to forward port 22 from your router to the box for SSH access then you don't have any ports exposed apart from this. There are a few things I'd look at doing:
- As well as PermitRootLogin no, use the AllowUsers or AllowGroups options to limit who can access the box;
- Use PasswordAuthentication no and only allow access via keys - in combination with the previous step, that stops almost all of the script attacks;
- Use nmap and netstat so that you know what is happening on the box. Even though you're only exposing SSH, it makes sense to know what the box is doing;
- Check your logs regularly. Use tools like logwatch to summarise them and cut down on the boredom factor.
To lock down sshd, in sshd_config:
1. Use the PermitRootLogin no directive.
2. Use the Protocol 2 directive.
3. Disable all forms of authentication except for pubkey. You may need to keep the private key on a usb jump drive if you use different client computers. (And if that's the case, use a strong passphrase and delete the private key when you're done with it.)
4. Use iptables or tcp_wrappers to open the sshd service to only the subnets that really need access. Deny everything else.
5. Keep your OpenSSH software up to date.
Some people suggest moving the sshd service to listen on a different port. To each his own, I guess. There are ways to harden sshd further, which get more complicated.
To check for any other running / listening services, try:
Although I have heard of nmap and netstat before, I am unfamiliar with their common usages. Is the idea to run them at regular intervals in order to see any unwanted attention/activity on the network?
And as far as the logs go, which logs should I watch, and what kind of things should I be on the lookout for? I found the man page for logwatch, but it's a tad short on the details.
Thank you for your reply!
Edit: Replies come quickly! Thanks anomie for the tips :-)
Last edited by thegoofeedude; 01-10-2007 at 03:17 PM.
The netstat command I mentioned will show you all tcp / udp services running on that machine. You'll want to review the nmap manpages. Its use will be to determine which services are open to the network you're scanning from. Lots of info here: http://insecure.org/nmap/
You're going to want to keep an eye on /var/log/secure for failed ssh logins.
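The reply above says to watch /var/log/secure for failed SSH logins but not what to look for. As an added example, not code from the thread or from logwatch, here is a POSIX sh script that summarises the two message types that matter most: failed password attempts grouped by source address, and every accepted login with the method used. The log lines are constructed for the demonstration (TEST-NET addresses, an invented host name "box" and user "backupadmin"); their format is the one OpenSSH's sshd writes through syslog.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise failed and accepted SSH
# logins from /var/log/secure-style lines, the kind of digest logwatch
# produces. The log lines below are constructed (TEST-NET addresses, invented
# host name "box" and user "backupadmin"); the message formats match what
# OpenSSH logs for failed and accepted logins.
SAMPLE_LOG='
Jan 10 14:55:01 box sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2
Jan 10 14:55:03 box sshd[1235]: Invalid user admin from 203.0.113.5
Jan 10 14:55:03 box sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Jan 10 14:55:06 box sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 4323 ssh2
Jan 10 14:58:40 box sshd[1241]: Failed password for root from 192.0.2.9 port 2200 ssh2
Jan 10 15:01:22 box sshd[1260]: Accepted publickey for backupadmin from 198.51.100.7 port 50000 ssh2
'

# failed_logins_by_ip LOGTEXT
# One "count ip" line per source address, most failures first.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# noisy_sources LOGTEXT THRESHOLD
# Addresses with at least THRESHOLD failures: candidates for a firewall rule.
noisy_sources() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_logins LOGTEXT
# "user ip method" for every successful login. With PasswordAuthentication no
# in place, anything other than publickey here deserves a closer look.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { print $(i + 1), $(i + 3), $(i - 1); break }
        }'
}

echo "== failed logins by source =="
failed_logins_by_ip "$SAMPLE_LOG"
echo "== sources with 3 or more failures =="
noisy_sources "$SAMPLE_LOG" 3
echo "== accepted logins =="
accepted_logins "$SAMPLE_LOG"
```

On the real box run `accepted_logins "$(cat /var/log/secure)"` and `noisy_sources "$(cat /var/log/secure)" 10`. The accepted-login list is the one worth reading every time: with password logins disabled it should contain only your own user, from addresses you recognise, by publickey. The failure counts mostly measure how much scanner noise port 22 attracts, which is what the later replies about moving the port are reacting to.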
Some people suggest moving the sshd service to listen on a different port.
My 1/2 cent: all the "script kiddie" login attempts I was seeing every day stopped when I did this. Won't say it's any more "secure" this way, but a LOT fewer messages to slog through in my log files...
The box has some protection by being behind the router. If the only access you provide is to forward port 22 from your router to the box for SSH access then you don't have any ports exposed apart from this. There are a few things I'd look at doing:
- As well as PermitRootLogin no, use the AllowUsers or AllowGroups options to limit who can access the box;
- Use PasswordAuthentication no and only allow access via keys - in combination with the previous step, that stops almost all of the script attacks;
- Use nmap and netstat so that you know what is happening on the box. Even though you're only exposing SSH, it makes sense to know what the box is doing;
- Check your logs regularly. Use tools like logwatch to summarise them and cut down on the boredom factor.
Excellent advice but I would run ssh on some port other than 22. Most of the automated ssh attack scanners are written to hit port 22, so I would (and in fact I do) use some other port. I suggest you pick a high number and one that isn't used for other popular services.
Also, the 'Shields Up' web utility from GRC will show you exactly what ports on your router are open.