Linux Security
Revision as of 09:23, 8 June 2016
Anything about security on Linux. When a topic is already covered on another page, link to it instead of repeating it.
Setting umask
The default umask on Ubuntu / Debian is 022, so new files come out as 644 and new directories as 755: world-readable (and, for directories, world-searchable).
To change the default (see [1]) to 027, which keeps read access for the group but removes all access for others:
Add to /etc/sudoers (edit it with visudo), so that commands run through sudo use this umask instead of OR-ing it with the calling user's:
Defaults umask = 0027
Defaults umask_override
Edit /etc/login.defs, which login and pam_umask apply when a session starts:
UMASK 027
Check the result in a fresh login shell with umask; shell start-up files such as /etc/profile or ~/.bashrc may still override it.
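As an added example (not part of the original page), the following Python script measures what a given umask actually does to files and directories the process creates, so the change from 022 to 027 can be verified on the host rather than taken on trust. The probe file and directory names are this example's own; everything else is the standard os/stat API.

```python
"""Added example, not from the original page: measure what a umask does to
files and directories a process creates.  Files are requested with mode 0666
and directories with 0777; the umask clears the bits it has set.  The probe
names used here are this example's own."""
import os
import stat
import tempfile


def mode_under_umask(mask, directory=False):
    """Create a fresh file (or a directory when directory=True) while `mask`
    is the process umask and return its permission bits, e.g. 0o644."""
    previous = os.umask(mask)            # os.umask installs the new mask and returns the old one
    try:
        with tempfile.TemporaryDirectory() as tmp:
            probe = os.path.join(tmp, "probe")
            if directory:
                os.mkdir(probe)          # requested mode 0o777
            else:
                with open(probe, "w"):   # requested mode 0o666
                    pass
            return stat.S_IMODE(os.stat(probe).st_mode)
    finally:
        os.umask(previous)               # never leave the process with a changed umask


def world_readable(mode):
    """True if the 'other' read bit is set (what a 022 umask leaves behind)."""
    return bool(mode & stat.S_IROTH)


def group_readable(mode):
    """True if the group read bit is set (kept by 027, removed by 077)."""
    return bool(mode & stat.S_IRGRP)


def report(mask):
    """Return (file_mode, dir_mode, world_readable) for one umask value."""
    f = mode_under_umask(mask)
    d = mode_under_umask(mask, directory=True)
    return f, d, world_readable(f)


if __name__ == "__main__":
    # Default Ubuntu/Debian umask, the hardened value from this page, and a private one.
    for mask in (0o022, 0o027, 0o077):
        f, d, public = report(mask)
        print("umask %03o: file %03o, dir %03o, world-readable: %s" % (mask, f, d, public))
```

Run it once as the user and once under sudo after the sudoers change: if the sudo run still reports 644, umask_override is missing or the file was not picked up.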
Firewall
With UFW
TBC
With iptables
List the firewall rules (-n skips DNS lookups, -v shows packet counters; the nat and mangle tables need -t nat / -t mangle):
iptables -L -n -v
Stop the firewall, i.e. accept everything. Set the chain policies to ACCEPT first: if INPUT is still at policy DROP when the rules are flushed, no packet matches anything any more and a remote SSH session is cut off.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
Server hardening
Assume server name is myserver.org.
SSH
- PasswordAuthentication
Disable password authentication, which is what SSH brute-force attacks target. Install a key for your user and confirm that key-based login works from a second session before changing this, or you lock yourself out. Edit /etc/ssh/sshd_config:
PasswordAuthentication no
Also set ChallengeResponseAuthentication to no in the same file, otherwise keyboard-interactive authentication through PAM still accepts the account password. Check the file with sshd -t before restarting sshd.
- DebianBanner
Test whether sshd reveals the Debian package version in its banner [2] (the SSH protocol requires a version string, so the banner cannot be removed entirely; this only hides the Debian patch level, the OpenSSH version stays visible):
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
# ^C
Edit /etc/ssh/sshd_config, and add the line:
DebianBanner no
Restart (the Debian service is named ssh) and verify the banner:
service ssh restart
nc myserver.org ssh
# SSH-2.0-OpenSSH_6.7p1
- rate-limit incoming connections
Add the following rules to iptables [3]. They allow each source address 5 new connections to port 22 per 60 seconds; from the sixth on, packets are dropped until the source has been quiet for 60 seconds (a matching --update refreshes the timestamp, so continued attempts extend the block). The two rate-limit rules must sit above the ACCEPT for port 22, otherwise the ACCEPT matches first and the limit never fires. Keep in mind that -I inserts at the top of the chain, so the order in which the commands are run is reversed in the chain: issued as below, the --update rule is checked before the --set rule, and the ACCEPT is appended at the bottom with -A (skip the third command if an ACCEPT for port 22 already exists; issuing it with -I would put it above the limit and defeat it). Replace eth0 with the interface the server actually listens on.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
The addresses currently tracked, with their timestamps, can be read from /proc/net/xt_recent/DEFAULT. Test the limit from another host, not from the session you administer the server through, and consider an ACCEPT for your own management address above these rules: a script that opens several scp sessions in quick succession hits the same limit as an attacker.
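As an added example (not part of the original page or of the iptables project), the following Python model reproduces how the `recent` match evaluates the two rules above, so that the rule order and the 5-per-60-seconds behaviour can be checked without touching a live firewall. It follows the kernel's xt_recent semantics for the options the page uses (--set records a timestamp and is non-terminating; --update --seconds S --hitcount N matches when the source already has at least N timestamps within the last S seconds and records another timestamp only on a match). The per-entry timestamp cap, the --rttl option, and all traffic other than NEW tcp/22 packets on INPUT are left out; the addresses and timings are constructed for the demo.

```python
"""Added example, not from the original page: a small model of the iptables
`recent` match, used to check the SSH rate-limit rule order.  It follows the
kernel's xt_recent semantics for --set and --update/--seconds/--hitcount only;
the per-entry timestamp cap (ip_pkt_list_tot) and --rttl are ignored, and only
NEW tcp/22 packets on the INPUT chain are modelled.  Addresses and timings are
constructed for the demo."""
from collections import defaultdict

SET = ("set",)
LIMIT = ("update", 60, 5, "DROP")      # --update --seconds 60 --hitcount 5 -j DROP
ACCEPT = ("accept",)


class RecentList:
    """One `-m recent` list (the DEFAULT list when --name is not given)."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> timestamps (seconds)

    def set(self, src, now):
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update: match if src is listed with >= hitcount stamps in the window."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)      # --update refreshes the entry only on a match
        return True


class Chain:
    """INPUT chain with a DROP policy, seeing only NEW tcp/22 packets."""

    def __init__(self, rules, policy="DROP"):
        self.rules = rules
        self.policy = policy
        self.recent = RecentList()

    def new_connection(self, src, now):
        """Return the verdict for a NEW connection from `src` at time `now`."""
        for rule in self.rules:
            if rule[0] == "set":
                self.recent.set(src, now)           # matches, but has no target: fall through
            elif rule[0] == "update":
                _, seconds, hitcount, target = rule
                if self.recent.update(src, now, seconds, hitcount):
                    return target
            elif rule[0] == "accept":
                return "ACCEPT"
        return self.policy


def build_chain(commands):
    """Apply (flag, rule) pairs the way iptables does: -I puts the rule at the
    top of the chain, -A at the bottom."""
    rules = []
    for flag, rule in commands:
        if flag == "-I":
            rules.insert(0, rule)
        elif flag == "-A":
            rules.append(rule)
        else:
            raise ValueError("unsupported flag %r" % flag)
    return Chain(rules)


# Three ways of issuing the page's three commands.
ALL_INSERTED = [("-I", SET), ("-I", LIMIT), ("-I", ACCEPT)]   # ACCEPT ends up on top: no limit
CORRECTED = [("-I", SET), ("-I", LIMIT), ("-A", ACCEPT)]      # limit above ACCEPT, 5 allowed
ALL_APPENDED = [("-A", SET), ("-A", LIMIT), ("-A", ACCEPT)]   # --set before --update: 4 allowed


def verdicts(commands, attempts):
    """attempts: (time_in_seconds, source) pairs; one verdict each, in time order."""
    chain = build_chain(commands)
    return [chain.new_connection(src, t) for t, src in sorted(attempts, key=lambda a: a[0])]


ATTACKER = "198.51.100.7"
# Constructed sample: a new connection every 5 s for 70 s, 70 s of silence, one more attempt.
BRUTE_FORCE = [(5 * i, ATTACKER) for i in range(15)] + [(140, ATTACKER)]


if __name__ == "__main__":
    for name, cmds in (("all -I", ALL_INSERTED), ("corrected", CORRECTED), ("all -A", ALL_APPENDED)):
        print("%-9s %s" % (name, "".join(v[0] for v in verdicts(cmds, BRUTE_FORCE))))
```

The three runs differ exactly in the way the prose predicts: with every command inserted at the top, all sixteen attempts are accepted; with the ACCEPT appended, the first five go through, the next ten are dropped, and the attempt after 70 s of silence is accepted again; with everything appended in the page's order the --set runs before the --update, so the count is off by one and only four get through.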