On Tuesday 23 December 2008 15:38:17 Warren Young wrote:
> Michael Simpson wrote:

First, thanks to all who replied. I'll try to remember and consider all
that has been said.

> >> GRC reports that ports are stealthed
> >
> > Try www.auditmypc.com or nmap-online.com rather than grc to look for open
> > ports
>
> What advantages do they have, in your opinion?
>
> >> there a better way than opening port 143?
> >
> > ssh tunnelling?
>
> I agree, though the default CentOS sshd configuration requires some
> tightening down to trust it on Internet-facing servers, IMHO:
>
> 1. In /etc/ssh/sshd_config, set "PasswordAuthentication no". No matter
> how good your password, it isn't as good as using keys. Remember,
> forwarding ssh opens it to pounding 24x7 from any of the millions of
> zombie boxes on the Internet.

I use ssh with keys from this laptop over the LAN for updates etc. :-)

> 2. On the machine(s) that you want to allow logins from, run "ssh-keygen
> -t rsa" to generate a key pair, if you haven't already. Then copy the
> contents of ~/.ssh/id-rsa.pub into ~/.ssh/authorized_keys on your home
> server. These keys are used to authenticate the remote system, in lieu
> of a password or physical token. You could put these keys on a USB
> stick instead, if you didn't want to keep them permanently on the remote
> hosts.

This is done for this laptop, but I'll set the netbook up the same way
before taking it on holiday.

> 3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2",
> not "Protocol 2,1". SSHv1 has known weaknesses. Boggles my mind that
> it's still enabled by default....

I think that's done, but I'll check.

> 4. Same file, set "PermitRootLogin no" if it isn't already.

It is.

> (Aside: I also like to set up sudo with one account allowed to do
> anything, then lock the root account, so the only way to get root access
> is to log in as a regular user then sudo up, reducing the risk of
> passwordless keys.)
>
> Having done all this, you're ready to allow remote access:
>
> 5. In your router, forward a high-numbered port to 22 on the server. If
> it's not smart enough to use different port numbers on either side, you
> can change the sshd configuration so it listens on a different port
> instead. I like to use 22022 for this.
>
> This is *not* security through obscurity. It's simply a way to reduce
> the amount of log spam you have to dig through when monitoring your
> system's behavior. Everything that appears in your logs should be
> *interesting*. Constant port knocking from worms and script kiddies is
> not interesting.
>
> In case you've not done ssh tunnelling, Anne, the command that does what
> you want, having done all the above is:
>
> $ ssh -p22022 -L10143:my.server.com:143 anne@my.server.com
>
> This sets up port 10143 on the local system to be redirected through the
> ssh session to the IMAP port on your home server. You don't want to
> redirect 143 to 143 because that would require you to run ssh as root.
> It also prevents you from using this on a system that itself has an IMAP
> server.
>
> With the tunnel up, you can set up your mail client to connect to port
> 10143 on localhost, and you'll be looking at your remote mail server.

Thanks for the detailed how-to. I was feeling somewhat nervous of yet
another system to learn, but I should be fine with this. I'll set it up
over Christmas, all being well, though I may end up having to ask more
questions. Providing I can persuade my son-in-law to add the netbook's
MAC to his router I should be able to test from his network.

Thanks again

Anne
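An added example, not from the thread or from either poster: a small POSIX shell audit that checks an sshd_config text for the settings Warren lists (PasswordAuthentication, PermitRootLogin, Protocol) the way sshd itself reads the file (first uncommented occurrence of a keyword wins, keywords are case-insensitive), then builds the tunnel command from the configured Port. Both config texts are constructed samples. Assumptions: the defaults used for absent keywords are those of OpenSSH 4.x as shipped on CentOS 5 (Protocol 2,1; the other two yes), and the sshd Port is the port the client connects to, i.e. the "change sshd to listen on a different port" variant rather than a router that translates ports.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# hardening settings discussed above and derive the tunnel command from it.

# Constructed sample: an out-of-the-box file where every keyword is commented
# out, so sshd falls back to its compiled-in defaults.
WEAK_CFG='#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
#Port 22
'

# Constructed sample: the same file after steps 1, 3, 4 and 5.
HARDENED_CFG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
Port 22022
'

# sshd_get KEYWORD CONFIG_TEXT
# Print the effective value of KEYWORD. As in sshd's own parser, the first
# uncommented occurrence wins and keyword matching is case-insensitive.
# Prints nothing when the keyword is absent (sshd then uses its default).
sshd_get() {
    printf '%s\n' "$2" | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/   { next }              # skip comments and blank lines
        tolower($1) == k { print $2; exit }    # first match wins
    '
}

# sshd_audit CONFIG_TEXT
# Print, space-separated, the keywords that are NOT hardened (empty output
# means all three checks pass). Absent keywords are judged by the assumed
# OpenSSH 4.x defaults: PasswordAuthentication yes, PermitRootLogin yes,
# Protocol 2,1.
sshd_audit() {
    cfg=$1
    bad=""
    v=$(sshd_get PasswordAuthentication "$cfg")
    [ "${v:-yes}" = no ] || bad="$bad PasswordAuthentication"
    v=$(sshd_get PermitRootLogin "$cfg")
    [ "${v:-yes}" = no ] || bad="$bad PermitRootLogin"
    v=$(sshd_get Protocol "$cfg")
    [ "${v:-2,1}" = 2 ] || bad="$bad Protocol"
    printf '%s\n' "${bad# }"
}

# tunnel_cmd CONFIG_TEXT USER HOST
# Print the ssh command that forwards local port 10143 to IMAP (143) on HOST,
# connecting to the Port set in CONFIG_TEXT (22 if unset).
tunnel_cmd() {
    port=$(sshd_get Port "$1")
    printf 'ssh -p%s -L10143:%s:143 %s@%s\n' "${port:-22}" "$3" "$2" "$3"
}

# Demonstration when run directly
echo "weak config, failing keywords:     $(sshd_audit "$WEAK_CFG")"
echo "hardened config, failing keywords: $(sshd_audit "$HARDENED_CFG")"
tunnel_cmd "$HARDENED_CFG" anne my.server.com
```

To audit a live server, replace the sample text with `"$(cat /etc/ssh/sshd_config)"`; an empty line from `sshd_audit` means the three settings are in place, and the printed `ssh` line is the tunnel command to run from the laptop or netbook, after which the mail client is pointed at localhost port 10143.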