Unofficial empeg BBS

#358348 - 21/04/2013 22:02 online security for linux?
pca
old hand

Registered: 20/07/1999
Posts: 1102
Loc: UK
Hi.

I have a requirement to expose a linux development machine (fairly briefly) to the internet at large, so a remote colleague can log into it to do some work. It is running the latest version of Mint. Can someone with more practical experience than I have about linux security suggest how I configure it for minimum risk of someone unwanted violating the poor thing?

pca
_________________________
Experience is what you get just after it would have helped...

#358349 - 22/04/2013 00:33 Re: online security for linux? [Re: pca]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Keep it behind the firewall and only forward the required port(s) for a start.

Are you looking to give just SSH access? If so you can basically tunnel anything/everything else over that SSH - so just make sure that's secure and up to date and you should be fine.


Edited by Shonky (22/04/2013 00:33)
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#358350 - 22/04/2013 00:53 Re: online security for linux? [Re: Shonky]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
A brief exposure should be fine since the machine is up to date. As Shonky indicated, make sure SSH is configured well. Ensure /etc/sshd_config has root logins off (most distros do this, can't speak for Mint). You can go further and require keys only. Or change the port from the default 22 to something else for a little security via obscurity.

My VPS sees a number of SSH attempts daily. It's set up to block the IP with the firewall if a few bad attempts are seen. Outside that, most attempts to get in are via Apache and various known insecure PHP scripts.

#358353 - 22/04/2013 08:43 Re: online security for linux? [Re: drakino]
LittleBlueThing
addict

Registered: 11/01/2002
Posts: 612
Loc: Reading, UK
Run:
netstat -lnutp
as root.

It shows you what processes are listening on what ports, and you need to ensure odd things like NFS aren't set up/listening.

Feel free to paste here if you like.

Assuming you have easy console access or reliable user/sudo access:

Also - you should ensure /etc/ssh/sshd_config has
PermitRootLogin no

Ideally as drakino says, also set:
PasswordAuthentication no
and make sure your colleague uses an ssh key to get in.
(reboot or restart sshd to make them take effect)


Edited by LittleBlueThing (22/04/2013 08:45)
Edit Reason: add u option to netstat
_________________________
LittleBlueThing Running twin 30's
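
Added example (not part of any post in this thread): a small shell check that reads an sshd_config and reports whether the two settings recommended above are in force. The function names sshd_value and audit_sshd and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an sshd_config for the two settings named in the thread.
# Assumes the "Keyword value" form (not "Keyword=value") and no Include files.

# Print the value sshd would use for a global keyword. The first occurrence
# wins, keywords are case-insensitive, lines after the first Match are conditional.
sshd_value() {   # usage: sshd_value FILE KEYWORD
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }   # comments and blank lines
        tolower($1) == "match"       { exit }   # stop at conditional blocks
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Report both settings; the return status is the number of findings (0 = clean).
# Values are compared exactly, since sshd_config arguments are case-sensitive.
audit_sshd() {   # usage: audit_sshd FILE
    findings=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_value "$1" "$kw")
        case "$val" in
            no) echo "OK    $kw no" ;;
            "") echo "WARN  $kw not set, built-in default applies"
                findings=$((findings + 1)) ;;
            *)  echo "WARN  $kw $val (expected: no)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed sample file, not taken from a real machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
Port 22
PermitRootLogin yes
passwordauthentication no
PermitRootLogin no
Match User guest
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the machine itself, running sshd -T as root prints the configuration the daemon actually resolves, defaults included, which is the authoritative check after restarting sshd.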

#358354 - 22/04/2013 11:02 Re: online security for linux? [Re: LittleBlueThing]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14496
Loc: Canada
Too complex. In Real Life, PCA/friend will use a password for login.

So here's what you do:
1. Ensure all user IDs on the to-be-exposed-box (TBEB) have passwords, with a mix of letters/numbers at a minimum.

2. Ensure the openssh-server package is installed.

3. Open a terminal window on the TBEB and try to ssh to itself, to prove it works locally.

4. Visit the router/firewall web gui, and set it to port-forward external port number xxxx to internal port 22 on the TBEB. Use a different port for xxxx (not 22, it gets attacked routinely).

E.g. try 555 instead (I just banged my fingers on the keyboard for that one.. pick an ugly number that doesn't appear in the /etc/services file).

If you want to leave it open longer than just a few days, then email me for help setting up a "door knocker" to conceal the port even better.

Cheers
