Our InternetServer will need to be protected against all the Internet nasties (which are legion).

---++ Account Restrictions
   * All admins have their own account on the system.
   * Disallow root access, except via sudo.
   * Disallow sudo <shell> access. Yes, this makes things more difficult, but traceability is needed when there are multiple admins. Note: I could be coaxed off this requirement if sudo would fire up a capture program (like script) when 'sudo <shell>' is used. -- Main.BenScott - 08 Feb 2006
      * I much prefer autostarting script if 'sudo shell' is run - flexible and easy. Creating time/original user named logfile in standard location would be ideal. (e.g. 2006_02_10_11_53_billm.log) -- Main.DrewVanZandt - 10 Feb 2006
      * Some things that require shell redirection don't work without this - however those can be put into a script and run 'sudo script'. But then the script is fungible after the run, so what's been gained is worth debating. -- Main.BillMcGonigle - 08 Feb 2006
   * OTP (OPIE or some other S/Key) for sudo access. -- Main.MikeLedoux - 13 Feb 2006

Are there any links for those who aren't familiar with these? -- Main.BruceDawson - 13 Feb 2006

Both implement your standard challenge/response one time password, and plug in to sudo fairly easily. A quick search didn't find any information that doesn't presume familiarity, I'll see if I can come up with something better tonight. -- Main.MikeLedoux - 13 Feb 2006

---++ Firewall
   * iptables - unless there is some other level of firewalling available to us.
      * even if there is a hardware firewall, don't trust it.

To expound, only allow incoming access on the minimum number of ports to get us going. We should restrict ssh access to a limited number of IP's to avoid being DDOS'ed with ssh scans. -- Main.BillMcGonigle - 09 Feb 2006

   * Allowed Ports From Anywhere
      * 25/tcp
      * 80/tcp
      * 443/tcp
      * 53/udp
   * Allowed IP's for port 22 ssh
      * 217.160.248.65 -- Main.BillMcGonigle - 09 Feb 2006
         * Recommend moving SSH to nonstandard port. Scripted attacks only hit 22. -- Main.DrewVanZandt - 10 Feb 2006
         * I've been port-scanned for ssh running on non-standard ports. -- Main.BillMcGonigle - 11 Feb 2006
      * All except non-routable IP's. But run ssh on a non-standard, non-privileged port.
         * I postulate that restricting ssh access to a small set of IP's is more secure than having it open to the world. It avoids all the script-kiddie issues, for instance. So, there should be arguments here for why we'd want to accept a less-secure method in the face of known attacks. -- Main.BillMcGonigle - 11 Feb 2006
      * Suggest running SSH on a nonstandard port -- Main.ColeTuininga - 10 Feb 2006
   * Allowed Ports for our backup DNS, currently LINUX.CODEMETA.COM (199.125.76.10)
      * 53/tcp

---++ Remote Access
   * SSH - Require public key authentication, require entries in !AllowedUsers in sshd_config. Inconvenient for adding new accounts, but the number of accounts will be very low and we don't have time to deal with getting cracked. -- Main.BillMcGonigle - 11 Feb 2006
   * Opinion - I am aware this could cause flames, sorry. Cracking will probably not be from password guessing etc. (especially if on nonstandard port, and we stick to decent passwords e.g. gpw or whatever) - it will be a vulnerability in a service we run. Minimal exposure to the outside world would be good. :-)
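
The inbound policy listed in the Firewall section above, written out as an added example (it is not part of the original wiki page or of any contributor's comment): the allowed ports and addresses are kept in one list, rendered as an iptables-restore ruleset, and used to audit =iptables-save= output for rules that exceed the list. The function names, the default-DROP layout and =SSH_PORT= defaulting to 22 are assumptions; the page leaves the ssh port undecided.

```shell
#!/bin/sh
# Added example: the wiki's inbound policy as one list, rendered to an
# iptables-restore ruleset and used to audit `iptables-save` output.
OPEN_TCP="25 80 443"           # "Allowed Ports From Anywhere"
OPEN_UDP="53"
SSH_PORT="${SSH_PORT:-22}"     # assumption: the page leaves the port undecided
SSH_ALLOW="217.160.248.65"     # "Allowed IP's for port 22 ssh"
DNS_BACKUP="199.125.76.10"     # backup DNS, allowed 53/tcp

policy() {                     # one proto/port/source entry per line
    for p in $OPEN_TCP; do echo "tcp/$p/any"; done
    for p in $OPEN_UDP; do echo "udp/$p/any"; done
    for ip in $SSH_ALLOW; do echo "tcp/$SSH_PORT/$ip"; done
    for ip in $DNS_BACKUP; do echo "tcp/53/$ip"; done
}

gen_rules() {                  # prints text only; nothing is applied
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    policy | while IFS=/ read -r proto port src; do
        [ "$src" = any ] && from="" || from="-s $src "
        echo "-A INPUT ${from}-p $proto --dport $port -j ACCEPT"
    done
    echo COMMIT
}

audit_rules() {                # stdin: ruleset; returns 1 if a rule exceeds policy
    bad=0
    while read -r line; do
        case "$line" in "-A INPUT "*"-j ACCEPT"*) ;; *) continue ;; esac
        proto=any port=any src=any prev=""
        for tok in $line; do
            case "$prev" in
                -p) proto=$tok ;;
                -s) src=${tok%/32} ;;      # iptables-save prints hosts as a.b.c.d/32
                --dport) port=$tok ;;
            esac
            prev=$tok
        done
        if [ "$port" = any ]; then   # only loopback and reply traffic may omit a port
            case "$line" in
                *"-i lo "*|*"state ESTABLISHED,RELATED "*|*"state RELATED,ESTABLISHED "*) continue ;;
            esac
        fi
        policy | grep -qxF "$proto/$port/$src" && continue
        echo "VIOLATION: $line"
        bad=1
    done
    return "$bad"
}
```

=gen_rules= output can be reviewed and then loaded with =iptables-restore=; piping =iptables-save= into =audit_rules= on a running host exits non-zero and prints each INPUT ACCEPT rule that is wider than the list, such as ssh accepted from any source.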
Topic revision: r10 - 2006-02-13 - MikeLedoux
All content is Copyright © 1999-2024 by, and the property of, the contributing authors.