LinuxQuestions.org
Old 01-10-2007, 02:25 PM   #1
thegoofeedude
Member
 
Registered: Aug 2004
Distribution: Slackware 13.37, 14.1
Posts: 75

Rep: Reputation: 17
Question Hardening for Public Availability


I have an older server that I've been using in my house to sync computers, keep backups on, etc. It is running Slackware 11.0 with all the security updates applied. I would like to expose this server to the internet at large so I can access it while on other networks. The router it is behind will allow me to put it into a "DMZ" or alternatively I can open just a few select ports in the router's firewall to access this box. All I want to do is have SSH and SCP; I don't need apache running or any other services.

What is the best way to ensure security? The obvious to me is to disable root logins in SSH, but other than that, how can I ensure I don't have other services running which I either don't need or have not configured and are thus insecure?

Any help greatly appreciated, thanks for reading!
 
Old 01-10-2007, 02:53 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,138

Rep: Reputation: 167
The box has some protection by being behind the router. If the only access you provide is to forward port 22 from your router to the box for SSH access then you don't have any ports exposed apart from this. There are a few things I'd look at doing:

- As well as PermitRootLogin no, use the AllowUsers or AllowGroups options to limit who can access the box;
- Use PasswordAuthentication no and only allow access via keys - in combination with the previous step, that stops almost all of the script attacks;
- Use nmap and netstat so that you know what is happening on the box. Even though you're only exposing SSH, it makes sense to know what the box is doing;
- Check your logs regularly. Use tools like logwatch to summarise them and cut down on the boredom factor.
 
Old 01-10-2007, 03:11 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
To lock down sshd, in sshd_config:
1. Use the PermitRootLogin no directive.
2. Use the Protocol 2 directive.
3. Disable all forms of authentication except for pubkey. You may need to keep the private key on a usb jump drive if you use different client computers. (And if that's the case, use a strong passphrase and delete the private key when you're done with it.)
4. Use iptables or tcp_wrappers to open the sshd service to only the subnets that really need access. Deny everything else.
5. Keep your OpenSSH software up to date.

Some people suggest moving the sshd service to listen on a different port. To each his own, I guess. There are ways to harden sshd further, which get more complicated.

To check for any other running / listening services, try:
Code:
netstat -atun
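The sshd_config settings gilead and anomie list above can be checked mechanically. The script below is an added example for this thread, not something posted by either of them or shipped with Slackware: it reads a config file, reports every recommended directive that is missing or set to a weaker value, and exercises itself on two constructed configs (a stock-looking one and a hardened one).

```shell
#!/bin/sh
# Constructed example (not from the thread or Slackware): audit an sshd_config
# against the settings recommended above. Prints one line per deviation and
# returns the number of findings (0 = clean). Only the global section is
# checked (parsing stops at the first Match block); like sshd, the first
# occurrence of a keyword wins.
audit_sshd_config() {
    cfg=$1
    findings=0
    for pair in "PermitRootLogin no" "Protocol 2" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PubkeyAuthentication yes"; do
        key=${pair%% *}
        want=${pair#* }
        # keywords are case-insensitive; commented lines never match since $1 starts with '#'
        got=$(awk -v k="$key" 'tolower($1) == "match" { exit }
                               tolower($1) == tolower(k) { print tolower($2); exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "MISSING  $key (compiled-in default applies; set '$key $want')"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK     $key $got (want $want)"
            findings=$((findings + 1))
        fi
    done
    # AllowUsers/AllowGroups limits which accounts may even attempt a login
    if ! grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]' "$cfg"; then
        echo "MISSING  AllowUsers/AllowGroups (every local account is a valid login target)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Two constructed configs: a stock-looking one and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin yes
Protocol 2,1
#PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice
EOF
echo "== stock config =="; audit_sshd_config "$WEAK_CFG" || echo "$? finding(s)"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG" && echo "no findings"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` and remember to restart sshd after editing, from a session you keep open until a second login succeeds.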
 
Old 01-10-2007, 03:16 PM   #4
thegoofeedude
Member
 
Registered: Aug 2004
Distribution: Slackware 13.37, 14.1
Posts: 75

Original Poster
Rep: Reputation: 17
Thanks for the tips!

Although I have heard of nmap and netstat before, I am unfamiliar with their common usages. Is the idea to run them at regular intervals in order to see any unwanted attention/activity on the network?

And as far as the logs go, which logs should I watch, and what kind of things should I be on the lookout for? I found the man page for logwatch, but it's a tad short on the details.

Thank you for your reply!

Edit: Replies come quickly! Thanks anomie for the tips :-)

Last edited by thegoofeedude; 01-10-2007 at 03:17 PM.
 
Old 01-10-2007, 03:18 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
The netstat command I mentioned will show you all tcp / udp services running on that machine. You'll want to review the nmap manpages. Its use will be to determine which services are open to the network you're scanning from. Lots of info here: http://insecure.org/nmap/

You're going to want to keep an eye on /var/log/secure for failed ssh logins.
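As an added example of what "keeping an eye on /var/log/secure" can look like in practice (my script, not anomie's), the functions below summarise failed sshd logins per source address, flag sources over a threshold, and list successful logins, running on a constructed log excerpt that uses RFC 5737 documentation addresses; it assumes the stock OpenSSH syslog wording.

```shell
#!/bin/sh
# Constructed example (not from the thread): summarise sshd activity from a
# /var/log/secure style file, the way a nightly check or logwatch would.
# Assumes the stock OpenSSH syslog wording "Failed password for [invalid user]
# NAME from IP ..." and "Accepted METHOD for NAME from IP ...".

# One line per source address, busiest first: "<fails> <ip> <users tried>"
summarise_failed_ssh() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            fails[ip]++
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                sep = users[ip] ? "," : ""
                users[ip] = users[ip] sep user
            }
        }
        END { for (ip in fails) printf "%d %s %s\n", fails[ip], ip, users[ip] }' "$1" |
    sort -rn
}
# Source addresses with at least THRESHOLD failures: the ones worth blocking or
# at least looking at.
flag_sources() {
    summarise_failed_ssh "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}
top_offender() { summarise_failed_ssh "$1" | head -n 1 | cut -d' ' -f2; }
# Successful logins as "user ip": a success from an address you do not
# recognise matters more than any number of failures.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i - 1), $(i + 1)
        }' "$1"
}

# Constructed sample log using documentation addresses (RFC 5737).
SECURE_LOG=$(mktemp)
trap 'rm -f "$SECURE_LOG"' EXIT
cat >"$SECURE_LOG" <<'EOF'
Jan 10 14:25:01 home sshd[1234]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 10 14:25:03 home sshd[1234]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jan 10 14:25:05 home sshd[1235]: Invalid user admin from 203.0.113.5
Jan 10 14:25:05 home sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Jan 10 14:26:10 home sshd[1240]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan 10 14:26:15 home sshd[1241]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
EOF
echo "== failed logins by source =="; summarise_failed_ssh "$SECURE_LOG"
echo "== sources with 3+ failures =="; flag_sources "$SECURE_LOG" 3
echo "== successful logins =="; accepted_logins "$SECURE_LOG"
```

Once password authentication is off, as recommended above, "Failed password" lines stop appearing for real users, so any that remain are noise from scanners and the "Accepted" lines become the ones to read.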
 
Old 01-10-2007, 03:43 PM   #6
pnellesen
Member
 
Registered: Oct 2004
Location: Missouri, USA
Distribution: Slackware 12.2, Xubuntu 9.10
Posts: 371

Rep: Reputation: 31
Quote:
Originally Posted by anomie
Some people suggest moving the sshd service to listen on a different port.
My 1/2 cent: all the "script kiddie" login attempts I was seeing every day stopped when I did this. Won't say it's any more "secure" this way, but a lot fewer messages to slog through in my log files...
 
Old 01-11-2007, 01:31 PM   #7
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,897

Rep: Reputation: 576
For other tips try searching for 'harden slack'. There used to be a tutorial and/or script for general hardening.
 
Old 01-11-2007, 03:41 PM   #8
pdw_hu
Member
 
Registered: Nov 2005
Location: Budapest, Hungary
Distribution: Slackware, Gentoo
Posts: 346

Rep: Reputation: Disabled
+1 for using another port than the default.
 
Old 01-12-2007, 08:35 AM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Summer Midwest USA, Central Illinois, Winter Central Florida
Distribution: Slackware®
Posts: 13,295
Blog Entries: 29

Rep: Reputation: 2507
Quote:
Originally Posted by gnashley
For other tips try searching for 'harden slack'. There used to be a tutorial and/or script for general hardening.
Hi,

This one seems to be ok!
 
Old 01-12-2007, 01:02 PM   #10
Crashbox
Member
 
Registered: Jun 2004
Location: USA
Distribution: Slackware
Posts: 137

Rep: Reputation: 22
Quote:
Originally Posted by gilead
The box has some protection by being behind the router. If the only access you provide is to forward port 22 from your router to the box for SSH access then you don't have any ports exposed apart from this. There are a few things I'd look at doing:

- As well as PermitRootLogin no, use the AllowUsers or AllowGroups options to limit who can access the box;
- Use PasswordAuthentication no and only allow access via keys - in combination with the previous step, that stops almost all of the script attacks;
- Use nmap and netstat so that you know what is happening on the box. Even though you're only exposing SSH, it makes sense to know what the box is doing;
- Check your logs regularly. Use tools like logwatch to summarise them and cut down on the boredom factor.

Excellent advice but I would run ssh on some port other than 22. Most of the automated ssh attack scanners are written to hit port 22, so I would (and in fact I do) use some other port. I suggest you pick a high number and one that isn't used for other popular services.

Also, the 'Shields Up' web utility from GRC will show you exactly what ports on your router are open.
 