[CentOS] Security advice, please

Tue Dec 23 16:32:34 UTC 2008
Anne Wilson <cannewilson at googlemail.com>

On Tuesday 23 December 2008 15:38:17 Warren Young wrote:
> Michael Simpson wrote:
First, thanks to all who replied.  I'll try to remember and consider all that 
has been said.

> >> GRC reports that ports are stealthed
> >
> > Try www.auditmypc.com or nmap-online.com rather than grc to look for open
> > ports
>
> What advantages do they have, in your opinion?
>
> >> there a better way than opening port 143?
> >
> > ssh tunnelling?
>
> I agree, though the default CentOS sshd configuration requires some
> tightening down to trust it on Internet-facing servers, IMHO:
>
> 1. In /etc/ssh/sshd_config, set "PasswordAuthentication no".  No matter
> how good your password, it isn't as good as using keys.  Remember,
> forwarding ssh opens it to pounding 24x7 from any of the millions on
> zombie boxes on the Internet.
>
I use ssh with keys from this laptop over the LAN for updates etc. :-)

> 2. On the machine(s) that you want to allow logins from, run "ssh-keygen
> -t rsa" to generate a key pair, if you haven't already.  Then copy the
> contents of ~/.ssh/id-rsa.pub into ~/.ssh/authorized_keys on your home
> server.  These keys are used to authenticate the remote system, in lieu
> of a password or physical token.  You could put these keys on a USB
> stick instead, if you didn't want to keep them permanently on the remote
> hosts.
>
This is done for this laptop, but I'll set the netbook up the same way before 
taking it on holiday.

> 3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2",
> not "Protocol 2,1".  SSHv1 has known weaknesses.  Boggles my mind that
> it's still enabled by default....
>
I think that's done, but I'll check

> 4. Same file, set "PermitRootLogin no" if it isn't already.
>
It is

> (Aside: I also like to set up sudo with one account allowed to do
> anything, then lock the root account, so the only way to get root access
> is to log in as a regular user then sudo up, reducing the risk of
> passwordless keys.)
>
> Having done all this, you're ready to allow remote access:
>
> 5. In your router, forward a high-numbered port to 22 on the server.  If
> it's not smart enough to use different port numbers on either side, you
> can change the sshd configuration so it listens on a different port
> instead.  I like to use 22022 for this.
>
> This is *not* security through obscurity.  It's simply a way to reduce
> the amount of log spam you have to dig through when monitoring your
> system's behavior.  Everything that appears in your logs should be
> *interesting*.  Constant port knocking from worms and script kiddies is
> not interesting.
>
> In case you've not done ssh tunelling, Anne, the command that does what
> you want, having done all the above is:
>
> 	$ ssh -p22022 -L10143:my.server.com:143 anne at my.server.com
>
> This sets up port 10143 on the local system to be redirected through the
> ssh session to the IMAP port on your home server.  You don't want to
> redirect 143 to 143 because that would require you to run ssh as root.
> It also prevents you from using this on a system that itself has an IMAP
> server.
>
> With the tunnel up, you can set up your mail client to connect to port
> 10143 on localhost, and you'll be looking at your remote mail server.
> 
Thanks for the detailed how-to.  I was feeling somewhat nervous of yet another 
system to learn, but I should be fine with this.  I'll set it up over 
Christmas, all being well, though I may end up having to ask more questions.  
Providing I can persuade my son-in-law to add the netbook's MAC to his router 
I should be able to test from his network.

Thanks again

Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20081223/f2a1f68d/attachment-0005.sig>