[CentOS] Security advice, please
cannewilson at googlemail.com
Tue Dec 23 16:32:34 UTC 2008
On Tuesday 23 December 2008 15:38:17 Warren Young wrote:
> Michael Simpson wrote:
First, thanks to all who replied. I'll try to remember and consider all that
has been said.
> >> GRC reports that ports are stealthed
> > Try www.auditmypc.com or nmap-online.com rather than grc to look for open
> > ports
> What advantages do they have, in your opinion?
> >> there a better way than opening port 143?
> > ssh tunnelling?
> I agree, though the default CentOS sshd configuration requires some
> tightening down to trust it on Internet-facing servers, IMHO:
> 1. In /etc/ssh/sshd_config, set "PasswordAuthentication no". No matter
> how good your password, it isn't as good as using keys. Remember,
> forwarding ssh opens it to pounding 24x7 from any of the millions on
> zombie boxes on the Internet.
I use ssh with keys from this laptop over the LAN for updates etc. :-)
> 2. On the machine(s) that you want to allow logins from, run "ssh-keygen
> -t rsa" to generate a key pair, if you haven't already. Then copy the
> contents of ~/.ssh/id-rsa.pub into ~/.ssh/authorized_keys on your home
> server. These keys are used to authenticate the remote system, in lieu
> of a password or physical token. You could put these keys on a USB
> stick instead, if you didn't want to keep them permanently on the remote
This is done for this laptop, but I'll set the netbook up the same way before
taking it on holiday.
> 3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2",
> not "Protocol 2,1". SSHv1 has known weaknesses. Boggles my mind that
> it's still enabled by default....
I think that's done, but I'll check
> 4. Same file, set "PermitRootLogin no" if it isn't already.
> (Aside: I also like to set up sudo with one account allowed to do
> anything, then lock the root account, so the only way to get root access
> is to log in as a regular user then sudo up, reducing the risk of
> passwordless keys.)
> Having done all this, you're ready to allow remote access:
> 5. In your router, forward a high-numbered port to 22 on the server. If
> it's not smart enough to use different port numbers on either side, you
> can change the sshd configuration so it listens on a different port
> instead. I like to use 22022 for this.
> This is *not* security through obscurity. It's simply a way to reduce
> the amount of log spam you have to dig through when monitoring your
> system's behavior. Everything that appears in your logs should be
> *interesting*. Constant port knocking from worms and script kiddies is
> not interesting.
> In case you've not done ssh tunelling, Anne, the command that does what
> you want, having done all the above is:
> $ ssh -p22022 -L10143:my.server.com:143 anne at my.server.com
> This sets up port 10143 on the local system to be redirected through the
> ssh session to the IMAP port on your home server. You don't want to
> redirect 143 to 143 because that would require you to run ssh as root.
> It also prevents you from using this on a system that itself has an IMAP
> With the tunnel up, you can set up your mail client to connect to port
> 10143 on localhost, and you'll be looking at your remote mail server.
Thanks for the detailed how-to. I was feeling somewhat nervous of yet another
system to learn, but I should be fine with this. I'll set it up over
Christmas, all being well, though I may end up having to ask more questions.
Providing I can persuade my son-in-law to add the netbook's MAC to his router
I should be able to test from his network.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.centos.org/pipermail/centos/attachments/20081223/f2a1f68d/attachment.bin
More information about the CentOS