[CentOS] Security advice, please
Warren Young
warren at etr-usa.com
Tue Dec 23 15:38:17 UTC 2008
Michael Simpson wrote:
>> GRC reports that ports are stealthed
>
> Try www.auditmypc.com or nmap-online.com rather than grc to look for open ports
What advantages do they have, in your opinion?
>> there a better way than opening port 143?
>
> ssh tunnelling?
I agree, though the default CentOS sshd configuration requires some
tightening down to trust it on Internet-facing servers, IMHO:
1. In /etc/ssh/sshd_config, set "PasswordAuthentication no". No matter
how good your password, it isn't as good as using keys. Remember,
forwarding ssh opens it to pounding 24x7 from any of the millions on
zombie boxes on the Internet.
2. On the machine(s) that you want to allow logins from, run "ssh-keygen
-t rsa" to generate a key pair, if you haven't already. Then copy the
contents of ~/.ssh/id-rsa.pub into ~/.ssh/authorized_keys on your home
server. These keys are used to authenticate the remote system, in lieu
of a password or physical token. You could put these keys on a USB
stick instead, if you didn't want to keep them permanently on the remote
hosts.
3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2",
not "Protocol 2,1". SSHv1 has known weaknesses. Boggles my mind that
it's still enabled by default....
4. Same file, set "PermitRootLogin no" if it isn't already.
(Aside: I also like to set up sudo with one account allowed to do
anything, then lock the root account, so the only way to get root access
is to log in as a regular user then sudo up, reducing the risk of
passwordless keys.)
Having done all this, you're ready to allow remote access:
5. In your router, forward a high-numbered port to 22 on the server. If
it's not smart enough to use different port numbers on either side, you
can change the sshd configuration so it listens on a different port
instead. I like to use 22022 for this.
This is *not* security through obscurity. It's simply a way to reduce
the amount of log spam you have to dig through when monitoring your
system's behavior. Everything that appears in your logs should be
*interesting*. Constant port knocking from worms and script kiddies is
not interesting.
In case you've not done ssh tunelling, Anne, the command that does what
you want, having done all the above is:
$ ssh -p22022 -L10143:my.server.com:143 anne at my.server.com
This sets up port 10143 on the local system to be redirected through the
ssh session to the IMAP port on your home server. You don't want to
redirect 143 to 143 because that would require you to run ssh as root.
It also prevents you from using this on a system that itself has an IMAP
server.
With the tunnel up, you can set up your mail client to connect to port
10143 on localhost, and you'll be looking at your remote mail server.
More information about the CentOS
mailing list