[CentOS] duqu

Wed Dec 7 01:06:55 UTC 2011
James A. Peltier <jpeltier at sfu.ca>

----- Original Message -----
| On Tue, 2011-12-06 at 18:12 -0600, Les Mikesell wrote:
| > I'd expect it to be at least typical to firewall direct ssh access
| > from the internet.
| A Linux newcomer, untrained and a self-learner, I made an abrupt
| immersion into Linux on 1 June 2010. It was a steep learning-curve.
| The first thing I did was to make a 20-odd character password for Root
| with lowercase, uppercase and digits (using my former address in
| Germany).

Great!  I'll do a little Google'ing and see if I can find out what that might be.  While this is great advice, and I have a long password too, most users are completely incapable of remembering their 6-8 character passwords without writing them down.

| The next thing I did was to change the default SSH port number AND
| restrict access to 3 approved IP addresses only.

This is good.  I mean the restricting part at least.  Changing the port is a joke.

| Anyone who leaves SSH on a default port open to any IP address is
| stupid.

This is completely and utterly retarded.  You have done *NOTHING* to secure SSH by doing this.  You have instead made it only slightly, and I mean ever so slightly, more secure.  A simple port scan of your network would find it within seconds and start to utilize it.

| Anyone not wanting to allow SSH access into their machine should
| consider:-
| chkconfig --list|grep ssh
| chkconfig sshd off
| service sshd stop
| Long, not easy to guess and totally beyond the reach of dictionary
| attacks, passwords for Root are absolutely essential. Security begins
| with a minimum password length of 12 characters for ALL users.

Good advice for sure, but not allowing password log in through SSH at all, instead relying on Public/Private keys (preferably those with passwords), would be much better.

| Rootkits are another essential.

Yes.  I love it when my machines have rootkits!  I think you meant rootkit detectors. LOL.

| There is a real war on. No sensible person lays down and lets the
| enemy walk all over them. Constant and widespread defence is vitally
| important. Every day I see evidence of many hacked computers all
| around the world. It persuades me to think many admins are simply
| incompetent - they seem to use Windoze.

Admins are not the incompetent ones.  The users are!  Any decent admin is going to ensure that there are the most layers and defensive systems in place to ensure a level of security that doesn't require the *USERS* to be rocket scientists.  Security is all about balance, not magic bullets.  Having systems in place that protect the systems while not getting terribly in the way.  This BS about Windows (Windoze, Window$, etc) is just that, BS.  I know many *VERY GOOD* Windows admins.  A bad admin is a bad admin no matter what platform you put them in front of.

| A professional qualification in basic server security would be a
| useful attribute.

A basic qualification to operate a computer would also be nice.  Sad thing is, there is no such thing.

James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices
I will do the best I can with the talent I have
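The thread above argues for keys instead of passwords, for keeping direct root logins off, and for restricting who may connect. The script below is an added example written for this page, not code from the thread or from the OpenSSH project: a small POSIX sh audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments are ignored) and counts the settings that still allow password-style logins. The keyword names are real sshd_config directives; the two sample config files are constructed in a temporary directory for the demonstration, and the only tools assumed are awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: audit an sshd_config for the
# controls discussed above (keys instead of passwords, no direct root login,
# an explicit user allow-list). Sample configs are constructed inline.

# Effective value of a keyword. sshd takes the FIRST occurrence, matches
# keywords case-insensitively, ignores comments/blank lines, and anything
# after the first "Match" line applies only conditionally, so we stop there.
sshd_opt() {
    # $1 = config file, $2 = keyword in lowercase
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print tolower($2); exit }
    ' "$1"
}

# Report weak settings on stderr and print the number of findings on stdout
# (0 means the file passes every check).
audit_sshd_config() {
    cfg="$1"; findings=0

    v=$(sshd_opt "$cfg" passwordauthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "FINDING: PasswordAuthentication=${v:-yes (default)}; set 'no' and use keys" >&2
        findings=$((findings + 1))
    fi

    # PAM keyboard-interactive is another way to end up with password prompts.
    v=$(sshd_opt "$cfg" challengeresponseauthentication)
    if [ "${v:-yes}" != "no" ]; then
        echo "FINDING: ChallengeResponseAuthentication=${v:-yes (default)}" >&2
        findings=$((findings + 1))
    fi

    # The default for PermitRootLogin differs between OpenSSH versions, so an
    # unset value is reported too: make it explicit.
    v=$(sshd_opt "$cfg" permitrootlogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin=${v:-unset}; set 'no' and use sudo" >&2
           findings=$((findings + 1)) ;;
    esac

    v=$(sshd_opt "$cfg" pubkeyauthentication)
    if [ "${v:-yes}" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication=$v; key logins are disabled" >&2
        findings=$((findings + 1))
    fi

    if [ -z "$(sshd_opt "$cfg" allowusers)" ] && [ -z "$(sshd_opt "$cfg" allowgroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups; every local account can try to log in" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Constructed sample configs for the demo (no real hosts involved).
DEMO_DIR=$(mktemp -d)
WEAK_CFG="$DEMO_DIR/sshd_config.weak"
HARD_CFG="$DEMO_DIR/sshd_config.hard"

cat > "$WEAK_CFG" <<'EOF'
# Constructed: looks hardened (non-default port) but still takes passwords.
Port 2222
#PasswordAuthentication no
PermitRootLogin yes
EOF

cat > "$HARD_CFG" <<'EOF'
# Constructed: keys only, root locked out, two named accounts.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers alice bob
EOF

echo "weak config findings: $(audit_sshd_config "$WEAK_CFG")"
echo "hardened config findings: $(audit_sshd_config "$HARD_CFG")"
```

The weak sample scores four findings even though its port was moved, which is the point made in the reply: the port number is not a control, the authentication settings are. On a live host, `sshd -T` (OpenSSH 5.1 and later) prints the fully resolved configuration and can be fed to the same checks; the per-source-IP restriction the original poster describes belongs in the firewall, in hosts.allow, or in a `Match Address` block rather than in these global keywords.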