[CentOS] Security advice, please

Tue Dec 23 15:38:17 UTC 2008
Warren Young <warren at etr-usa.com>

Michael Simpson wrote:
>> GRC reports that ports are stealthed
> 
> Try www.auditmypc.com or nmap-online.com rather than grc to look for open ports

What advantages do they have, in your opinion?

>> there a better way than opening port 143?
> 
> ssh tunnelling?

I agree, though the default CentOS sshd configuration requires some 
tightening down to trust it on Internet-facing servers, IMHO:

1. In /etc/ssh/sshd_config, set "PasswordAuthentication no".  No matter 
how good your password, it isn't as good as using keys.  Remember, 
forwarding ssh opens it to pounding 24x7 from any of the millions of 
zombie boxes on the Internet.

2. On the machine(s) that you want to allow logins from, run "ssh-keygen 
-t rsa" to generate a key pair, if you haven't already.  Then copy the 
contents of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on your home 
server.  These keys are used to authenticate the remote system, in lieu 
of a password or physical token.  You could put these keys on a USB 
stick instead, if you didn't want to keep them permanently on the remote 
hosts.

3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2", 
not "Protocol 2,1".  SSHv1 has known weaknesses.  Boggles my mind that 
it's still enabled by default....

4. Same file, set "PermitRootLogin no" if it isn't already.

(Aside: I also like to set up sudo with one account allowed to do 
anything, then lock the root account, so the only way to get root access 
is to log in as a regular user then sudo up, reducing the risk of 
passwordless keys.)

Having done all this, you're ready to allow remote access:

5. In your router, forward a high-numbered port to 22 on the server.  If 
it's not smart enough to use different port numbers on either side, you 
can change the sshd configuration so it listens on a different port 
instead.  I like to use 22022 for this.

This is *not* security through obscurity.  It's simply a way to reduce 
the amount of log spam you have to dig through when monitoring your 
system's behavior.  Everything that appears in your logs should be 
*interesting*.  Constant port knocking from worms and script kiddies is 
not interesting.

In case you've not done ssh tunnelling, Anne, the command that does what 
you want, having done all the above is:

	$ ssh -p22022 -L10143:my.server.com:143 anne@my.server.com

This sets up port 10143 on the local system to be redirected through the 
ssh session to the IMAP port on your home server.  You don't want to 
redirect 143 to 143 because that would require you to run ssh as root. 
It also prevents you from using this on a system that itself has an IMAP 
server.

With the tunnel up, you can set up your mail client to connect to port 
10143 on localhost, and you'll be looking at your remote mail server.
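An added example, not part of Warren's post: a small POSIX sh audit script that checks an sshd_config for the four settings recommended in steps 1, 3, 4 and 5 above (PasswordAuthentication, Protocol, PermitRootLogin, and a non-default Port). It follows sshd's own rules for reading the file: comment lines are ignored, the first occurrence of a directive wins, and anything after a "Match" line is conditional and so is not counted as the global setting. The two sample configs written by write_default_sample and write_hardened_sample are constructed for the demonstration, and the values assumed when a directive is absent (password auth on, Protocol 2,1, root login permitted, port 22) are the assumptions the post makes about an untouched configuration, not values read from any real build.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening steps in the post.
# Not from the original message; sample configs below are constructed.

# Print the effective global value of a directive (empty if not set).
# sshd takes the first occurrence, ignores '#' comments, and settings
# after a "Match" line apply only to matching connections, so stop there.
sshd_get() {
    # $1 = config file, $2 = directive name (keywords are case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one directive with its expected value; print PASS/FAIL, return 0/1.
sshd_check() {
    # $1 = file, $2 = directive, $3 = wanted value,
    # $4 = value assumed when the directive is absent (assumption, see lead-in)
    val=$(sshd_get "$1" "$2")
    [ -z "$val" ] && val="$4"
    if [ "$val" = "$3" ]; then
        echo "PASS $2 = $val"
        return 0
    fi
    echo "FAIL $2 = $val (want $3)"
    return 1
}

# Run the checks from steps 1, 3, 4 and 5; return the number of failures.
sshd_audit() {
    fails=0
    sshd_check "$1" PasswordAuthentication no  yes || fails=$((fails + 1))
    sshd_check "$1" Protocol               2   2,1 || fails=$((fails + 1))
    sshd_check "$1" PermitRootLogin        no  yes || fails=$((fails + 1))
    # Step 5: any port other than 22 counts (the post uses 22022).
    port=$(sshd_get "$1" Port)
    [ -z "$port" ] && port=22
    if [ "$port" != "22" ]; then
        echo "PASS Port = $port"
    else
        echo "FAIL Port = 22 (post suggests a high port such as 22022)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample resembling an untouched config: everything the post
# warns about is either explicitly permissive or left commented out.
write_default_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real shipped file
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample after applying steps 1, 3, 4 and 5. The trailing Match
# block re-enables passwords for one user only and must not affect the audit.
write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 22022
Protocol 2
PermitRootLogin no
PasswordAuthentication no
Match User anne
    PasswordAuthentication yes
EOF
}

# Usage: sh audit.sh /etc/ssh/sshd_config   (or no argument for the demo)
if [ "$#" -ge 1 ]; then
    sshd_audit "$1" || echo "-> $? setting(s) need attention"
else
    d="${TMPDIR:-/tmp}/sshd_default_$$.conf"
    h="${TMPDIR:-/tmp}/sshd_hardened_$$.conf"
    write_default_sample "$d"
    write_hardened_sample "$h"
    echo "== untouched config =="; sshd_audit "$d" || echo "-> $? setting(s) need attention"
    echo "== hardened config ==";  sshd_audit "$h" || echo "-> $? setting(s) need attention"
    rm -f "$d" "$h"
fi
```

The awk reader is deliberately strict about "Match": a PasswordAuthentication line placed inside a Match block looks like a global setting to a grep, but sshd only applies it to the matched users or hosts, which is why the hardened sample still passes despite its last two lines.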