Re: Security basics

On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
> Lamar Owen wrote:
> > 
> > On Wednesday 03 October 2007, Karl Larsen wrote:
> > >     I have sure heard a LOT about security updates and I have had my own
> > > problems. For years I thought the only thing necessary was a good root
> > > password. This year I found out with ssh around you need a good password
> > > for your own login name. My problem was caused by having a super poor
> > > login password which was my last name. Since the login name was karl it
> > > followed.
> > 
> > Also: run ssh on some port other than 22.  This is accomplished by 
> > editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to 
> > iptables, assuming you're running iptables).  If you know the IP addresses 
> > from which you will always be connecting, then set your firewall (both on any 
> > external router as well as in /etc/sysconfig/iptables) to only allow the IP 
> > addresses you want.
> > 
> > Just changing from port 22 to some other port (and 222 or 2222 aren't good 
> > ones; anything above 1024 is fair game) will eliminate 90% or more of your 
> > risk. 
> > 
> > Also, set up RSA key security and eliminate password-based logins.  This is a 
> > fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting 
> > ready to go home for the day, and don't have time to type it in; if you can't 
> > find it anywhere, I can write one up fairly quickly, as I've set this up on 
> > several boxes).  Some might say to just do this and not worry about the 
> > listening port change; I prefer multilayered security (why I run SELinux in 
> > enforcing/targeted mode on servers) when possible.
> > 
> > With a nonstandard port you do have to remember to use the -p parameter of ssh 
> > to connect (and the -P parameter of scp) but in my opinion it's worth it.
> 
> Changing ports for ssh isn't actually that hot of an idea.  Most port scanners
> can detect ssh implementations since they normally self-identify.  For example,
> if you're running ssh on the normal port (22), try executing:
> 	/usr/bin/telnet YOUR.HOST.IP.ADDR 22
> and see what pops out.
> 
> Hope this helps'idly,
> 
> -S
> 

You can always fake your banner to fool an attacker.

http://projects.vanscherpenseel.nl/documents/howto_banners.html

Calin

=================================================
I still miss Windows, but my aim is getting better.
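As an added example (this is not code from the thread or from any of the people quoted in it), the POSIX shell script below audits an sshd_config file against the points raised above: the listening port, password versus key-based logins, and direct root login. It assumes OpenSSH's rule that the first occurrence of a keyword wins and that settings after a Match line are conditional (so it stops reading there), and it treats an absent PermitRootLogin as "yes", the older OpenSSH default. A non-default port is reported as obscurity only, because, as Steve points out, the banner still identifies sshd whatever port it listens on. The two sample configs at the bottom are constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example for this thread, not any participant's code: audit an
# sshd_config for the settings discussed (port, password vs. key logins,
# root login). Point it at a readable copy of /etc/ssh/sshd_config or at
# the constructed samples written at the bottom of this script.
#
# Assumptions: OpenSSH-style syntax where the first occurrence of a keyword
# wins and anything after a "Match" line is conditional (ignored here), and
# PermitRootLogin treated as "yes" when absent (the older OpenSSH default).

# sshd_config_value FILE KEYWORD DEFAULT
# Print the effective (lower-cased) value of KEYWORD, or DEFAULT if unset.
sshd_config_value() {
    val=$(awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }                    # comments, blanks
        tolower($1) == "match" { exit }                  # conditional block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# sshd_audit FILE
# Print one finding per line, prefixed "WEAK" or "OK".
sshd_audit() {
    cfg=$1

    port=$(sshd_config_value "$cfg" Port 22)
    case "$port" in
        22)       echo "WEAK  Port 22: the default every scanner tries first" ;;
        222|2222) echo "WEAK  Port $port: an obvious substitute for 22" ;;
        *)        echo "OK    Port $port (obscurity only: the banner still says sshd)" ;;
    esac

    pw=$(sshd_config_value "$cfg" PasswordAuthentication yes)
    if [ "$pw" = "no" ]; then
        echo "OK    PasswordAuthentication no"
    else
        echo "WEAK  PasswordAuthentication $pw: guessable login passwords accepted"
    fi

    pk=$(sshd_config_value "$cfg" PubkeyAuthentication yes)
    if [ "$pk" = "yes" ]; then
        echo "OK    PubkeyAuthentication yes"
    else
        echo "WEAK  PubkeyAuthentication $pk: key-based logins disabled"
    fi

    root=$(sshd_config_value "$cfg" PermitRootLogin yes)
    case "$root" in
        yes) echo "WEAK  PermitRootLogin yes: root reachable directly over ssh" ;;
        *)   echo "OK    PermitRootLogin $root" ;;
    esac
}

# sshd_weak_count FILE
# Number of WEAK findings; 0 means every check passed.
sshd_weak_count() {
    sshd_audit "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# Constructed sample configs (not from a real host): a stock file where
# everything is commented out, and one following the advice in the thread.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# stock file: commented-out lines mean OpenSSH defaults apply
#Port 22
#PasswordAuthentication yes
#PermitRootLogin yes
EOF

cat > "$HARD_CFG" <<'EOF'
Port 24022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

# Stand-alone run: show both audits side by side.
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    sshd_audit "$f"
done
```

Run it with sh to see the two constructed samples, or call sshd_audit on a readable copy of /etc/ssh/sshd_config. The script only looks at the file; the source-address restriction in /etc/sysconfig/iptables that Lamar mentions lives elsewhere and is not checked here.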

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list