##root account hidden:
/usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M <accountname>
Start a firewall
The first thing you want to do is to set up the Linux iptables firewall. The
setup will be a bash script with iptables rules, and you will run it as a
daemon service (you could write rules line by line in your terminal and then
save them as a ruleset, as described here, but the service method below is
easier to maintain imo).
First, use your favorite console text editor to create a new file in your
/etc/rc.d/init.d/ service directory (CentOS should have vim already installed);
you can name it firewall.
#Create a service owned by root
sudo vim /etc/rc.d/init.d/firewall
As a bash script service, it will need some mandatory header attributes: shell
type, runlevels, priorities and a description.
#! /bin/bash
#chkconfig: 2345 95 20
#description: iptables rules to prevent communication on unused ports.

#Reset all rules (F) and chains (X), necessary if you have already defined iptables rules
iptables -t filter -F
iptables -t filter -X

#Start by blocking all traffic; this allows secure, fine-grained filtering
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

#Keep established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

#HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

#FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

#SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

#POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

#IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

#ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

#SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

#SSH NEW PORT
iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT

#IRC
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6697 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 6697 -j ACCEPT

#IRC SERVER
iptables -t filter -A OUTPUT -p tcp --dport 9784 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9784 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 7000 -j ACCEPT

#DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

#NTP
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

I made a text file with the lines above available to download here.
Save the script file under /etc/rc.d/init.d, make it executable and apply it, so
that you will be able to launch it as a service.
chmod +x /etc/rc.d/init.d/firewall
bash /etc/rc.d/init.d/firewall
Now, on a Debian-like distro you would issue the update-rc.d command to add
your script to the list of services started at boot time; on CentOS, RHEL or
Fedora, you have to use chkconfig instead (chkconfig takes the service name,
not the path to the script).
chkconfig --add firewall
chkconfig firewall on
Just to be sure your firewall service is registered and will start at boot, use
the ntsysv command to open a menu-based interface; "firewall" should appear in
the list of services starting at boot:
ntsysv
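Once the service has run, it is worth checking what the kernel actually holds rather than trusting the script. The bash functions below are an added example (not part of the original tutorial) that audit a ruleset in the format printed by iptables -S: they confirm the three built-in chains default to DROP, list the ports accepted on INPUT, flag any INPUT ACCEPT rule that is not scoped to loopback, connection state or a destination port, and confirm that the SSH port in use is open. The ruleset embedded in the block is constructed for the example and deliberately carries one over-broad rule so the audit has something to catch; the function names are my own.

```shell
# Added example, not from the original tutorial: audit an "iptables -S" dump.
# SAMPLE_RULESET is constructed for the example and deliberately carries one
# over-broad rule (-A INPUT -j ACCEPT) that defeats the default-deny policy.
SAMPLE_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60125 -j ACCEPT
-A INPUT -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# policies_ok RULESET: succeed only if INPUT, FORWARD and OUTPUT all default to DROP
policies_ok() {
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$1" | grep -q "^-P $chain DROP\$" || return 1
    done
    return 0
}

# input_accept_ports RULESET: sorted, space-separated --dport values of INPUT ACCEPT rules
input_accept_ports() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# unscoped_input_accepts RULESET: INPUT ACCEPT rules bound to neither loopback,
# connection state nor a destination port; each one is a hole in default-deny
unscoped_input_accepts() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ &&
        !/-i lo/ && !/--state/ && !/--ctstate/ && !/--dport/'
}

# audit_ruleset RULESET SSH_PORT: print findings, return their count (0 = clean)
audit_ruleset() {
    findings=0
    policies_ok "$1" ||
        { echo "FAIL: a built-in chain does not default to DROP"; findings=$((findings + 1)); }
    holes=$(unscoped_input_accepts "$1")
    [ -z "$holes" ] ||
        { echo "FAIL: unscoped INPUT ACCEPT rule(s): $holes"; findings=$((findings + 1)); }
    case " $(input_accept_ports "$1") " in
        *" $2 "*) ;;
        *) echo "FAIL: ssh port $2 is not accepted on INPUT"; findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Live use on the CentOS host (as root), against the kernel's current ruleset:
#   ruleset=$(iptables -S); audit_ruleset "$ruleset" 60125
```

Run it after the chkconfig step and again after any later edit of the script: the third check is the one that matters most when you change the SSH port later in this tutorial, because a DROP policy with the new port missing locks you out as soon as sshd restarts.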
Harden your SSH access
In a few simple steps, you will be able to reduce the risk of unauthorized ssh
access. Your ssh settings can be found in /etc/ssh/sshd_config; this is where
you will have to modify the configuration settings below.
sudo vim /etc/ssh/sshd_config
1. Change your ssh port
By default, ssh runs on port 22. You will need to change this default value to an
arbitrary port number (it must be between 1 and 65535, but prefer the unassigned
49152–65535 range; for more information about port numbers, read the wiki).
Search for the Port setting and remove the sharp (#) to uncomment it, which
overrides the default:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#This will require ssh connections to use the 60125 port
Port 60125
By changing this setting, you may make a hacker give up the attack by making him
think your ssh is disabled, or at least force him to scan your ports in order to
find the ssh service.
2. Disable root login
If the hacker still gets to connect to your ssh port, he will need to
authenticate. Obviously he will try the root account, which grants maximum
privilege on the server, so you want to disable direct root ssh access.
# Authentication:
#LoginGraceTime 2m
#Find this line in your /etc/ssh/sshd_config and change its value to "no"
PermitRootLogin no
Once it's done, you will need another account to connect, so add a new password
protected user
sudo adduser bob
sudo passwd bob
Changing password for user bob.
New password: "enter bob password here"
To push this a little further, you want bob to be the only user allowed to
connect via ssh, so add the AllowUsers setting :
#Multiple users can be specified, separated by spaces.
AllowUsers bob
3. Apply new settings
Now restart your ssh service so the system takes the changes into account.
Before restarting ssh, double check that you didn't make any modification
that could prevent you from reconnecting over ssh after you log out (keep your
current session open until a new one succeeds).
sudo /etc/rc.d/init.d/sshd restart
If you read the first part of this tutorial (setting up iptables), you will want
to change the iptables rules as follows:
#SSH (replace 22 with your custom port number, for instance 60125)
iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT
Check your new settings: first, try to connect to the new ssh port you
configured, using the -p argument
ssh -p 60125 bob@server_address
4. Test against unauthorized access
If you have successfully hardened ssh, you won't be able to connect as root (or
as any user other than bob, for that matter):
ssh -p 60125 root@server_address
root@server_address's password:
Permission denied, please try again.
Likewise, any connection to a port other than the one defined in
/etc/ssh/sshd_config will time out (the iptables DROP policy silently discards it):
#Connect ssh on default port
ssh bob@server_address
ssh: connect to host port 22: Connection timed out
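sshd applies the first value it reads for a keyword and ignores later duplicates (Port is one of the few keywords that accepts several values, and anything after a Match line is conditional), so a check that simply greps the file for a setting can be fooled by an earlier line. The functions below are an added example, not part of the original tutorial, that derive the effective values with those rules and audit the three settings this section changes. Both configuration texts are constructed for the example and the function names are my own; on the server itself, sshd -T prints the effective configuration and is the authoritative check.

```shell
# Added example, not from the original tutorial: derive what sshd will actually
# use from an sshd_config text and audit the three settings changed above.
# Both configs below are constructed for the example.
SSHD_HARDENED='# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#Port 22
Port 60125
AllowUsers bob
# a later duplicate is ignored by sshd: the first obtained value wins
PermitRootLogin yes'

SSHD_DEFAULT='#PermitRootLogin yes
#Port 22
#AllowUsers'

# sshd_values CONFIG KEYWORD: every uncommented value for KEYWORD (case-insensitive),
# in file order, stopping at the first Match block since those are conditional
sshd_values() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print }'
}

# sshd_effective CONFIG KEYWORD: the value sshd uses, i.e. the first one obtained
sshd_effective() {
    sshd_values "$1" "$2" | head -n 1
}

# sshd_audit CONFIG: print findings, return their count (0 = hardened as intended)
sshd_audit() {
    findings=0
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: effective PermitRootLogin is not 'no'"; findings=$((findings + 1)); }
    [ -n "$(sshd_effective "$1" AllowUsers)" ] ||
        { echo "FAIL: AllowUsers is not set, any local account may try to log in"; findings=$((findings + 1)); }
    ports=$(sshd_values "$1" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: sshd still listens on the default port 22"; findings=$((findings + 1))
    fi
    return $findings
}

# Live use on the server: cfg=$(cat /etc/ssh/sshd_config); sshd_audit "$cfg"
```

The "first value wins" rule is why the tutorial tells you to edit the existing commented line rather than append a new one: a PermitRootLogin no appended below an uncommented PermitRootLogin yes would be silently ignored, and only an audit that models the rule (or sshd -T) notices.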
Prevent bruteforce and DoS
Bruteforce and Denial of Service are both automated attacks that you can prevent
by using tools made specifically for this purpose.
Fail2ban
Fail2ban is designed to ban hosts that repeatedly fail to log in to your server;
its main purpose is to stop malicious users from bruteforcing your passwords.
To install fail2ban under CentOS 6, you need to add the EPEL repository:
rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-67.noarc...
rpm --import https://fedoraproject.org/static/0608B895.txt
yum install fail2ban
Then edit the configuration file as you wish :
vim /etc/fail2ban/jail.conf
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 240
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 240
# "maxretry" is the number of failures before a host get banned.
maxretry = 10
Don't forget to start the fail2ban service:
service fail2ban start
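To see what the maxretry and findtime pair above actually does, the function below re-implements the sshd jail's counting rule in awk and runs it over a log extract: a source address is a ban candidate once it has produced maxretry failed logins inside any findtime-second window. This is an added example, not fail2ban's own code (its real filters are regexes covering many more message variants; only the count-and-window logic is kept here). The log lines are constructed for the example in the format of /var/log/secure on CentOS 6, all on the same day so the clock time alone orders them.

```shell
# Added example, not part of the original tutorial or of fail2ban: the counting
# rule of the sshd jail, so the effect of maxretry / findtime can be observed.
# SAMPLE_SECURE_LOG is constructed (same layout as /var/log/secure, same day).
SAMPLE_SECURE_LOG='Jun 20 00:10:01 srv sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 20 00:10:04 srv sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 20 00:10:09 srv sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jun 20 00:11:00 srv sshd[2004]: Accepted password for bob from 198.51.100.7 port 50001 ssh2
Jun 20 00:12:00 srv sshd[2005]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Jun 20 00:20:00 srv sshd[2006]: Failed password for bob from 198.51.100.7 port 50003 ssh2
Jun 20 00:30:00 srv sshd[2007]: Failed password for bob from 198.51.100.7 port 50004 ssh2'

# ban_candidates LOG MAXRETRY FINDTIME: print, one per line, every source address
# that produced MAXRETRY failed logins within some FINDTIME-second window
ban_candidates() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, hms, ":")                       # $3 is HH:MM:SS
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]  # seconds since midnight
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++; ts[ip, n[ip]] = t                # per-address failure times, in log order
        }
        END {
            for (ip in n) {
                # failures i-maxretry+1 .. i are maxretry consecutive ones; if they
                # fit inside findtime seconds the jail would have banned this ip
                for (i = maxretry; i <= n[ip]; i++)
                    if (ts[ip, i] - ts[ip, i - maxretry + 1] <= findtime) { print ip; break }
            }
        }' | sort
}

# Live use on the server, with the jail.conf values from above:
#   ban_candidates "$(cat /var/log/secure)" 10 240
```

With the jail.conf values above (maxretry = 10, findtime = 240) a host needs ten failures in four minutes before it is banned, so the three quick failures in the sample are not enough; lower maxretry to 3 and the same extract yields a ban for 203.0.113.5 but not for 198.51.100.7, whose three failures are spread over eighteen minutes. That gap between a fast scripted attacker and a slow human mistyping is what the two parameters are meant to separate.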
DDoS Deflate
DDoS Deflate automatically detects and blocks denial of service attempts. Switch
to a folder where you will download the DDoS Deflate script:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
A ddos.conf configuration file has been created under /usr/local/ddos/ddos.conf;
have a look inside, it is well commented. A cron job is installed and will
run the DoS check regularly.
ls -l /etc/cron.d
-rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron

# /usr/local/ddos/ddos.sh --help
DDoS-Deflate version 0.6
Copyright (C) 2005, Zaf <zaf@vsnl.com>
Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections
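The check behind that help text amounts to counting open connections per remote address in the netstat table and acting on addresses above N. As an added example, not the DDoS Deflate script itself, the functions below do that counting over a constructed netstat -ntu extract, including the port stripping that has to be done on the last colon only, so that IPv4-mapped IPv6 addresses of the form ::ffff:a.b.c.d are not cut in the middle and counted as separate sources. The function names are my own.

```shell
# Added example, not the DDoS Deflate script: count connections per remote
# address the way a netstat-based checker does.  NETSTAT_SAMPLE is a constructed
# extract in the layout of "netstat -ntu" (5th column = foreign address:port).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51002       SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.9:51003       ESTABLISHED
tcp        0      0 192.0.2.10:60125        198.51.100.7:40001      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.44:5000 ESTABLISHED
udp        0      0 192.0.2.10:123          198.51.100.7:123'

# connections_per_source NETSTAT: "count address" lines, busiest remote address first.
# Only the trailing :port is removed, so IPv4-mapped IPv6 addresses survive intact.
connections_per_source() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ { sub(/:[0-9]+$/, "", $5); n[$5]++ }
        END { for (a in n) print n[a], a }' | sort -rn
}

# offenders NETSTAT N: remote addresses holding more than N connections
# (ddos.sh uses N = 150 by default; with -k it would then block them)
offenders() {
    connections_per_source "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Live use on the server: offenders "$(netstat -ntu)" 150
```

Before trusting a threshold, run connections_per_source on a normal day to see what your legitimate peers look like: a reverse proxy or a NAT gateway in front of many users can legitimately hold far more than 150 connections, and blocking it would turn the defence into the outage it was meant to prevent.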

Linuxserver harden

  • 1.
##root account hidden:
/usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M <accountname>

Start a firewall

The first thing you want to do is to set up the Linux iptables firewall. The setup will be a bash script with iptables rules, and you will have to run it as a daemon service (you could write rules line by line in your terminal and then save them as a ruleset, as described here, but the service method below is easier to maintain imo).

First, use your favorite console text editor to create a new file in your /etc/rc.d/init.d/ service directory (CentOS should have vim already installed); you can name it firewall.

#Create a service owned by root
sudo vim /etc/rc.d/init.d/firewall

As a bash script service, it will need some mandatory header attributes: shell type, runlevels, priorities and a description.

#! /bin/bash
#chkconfig: 2345 95 20
#description: iptables rules to prevent communication on unused ports.

#Reset all rules (F) and chains (X), necessary if you have already defined iptables rules
iptables -t filter -F
iptables -t filter -X

#Start by blocking all traffic, this will allow secured, fine grained filtering
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

#Keep established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

#HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

#FTP
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT

#SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

#POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

#IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

#ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

  • 2.
#SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

#SSH NEW PORT
iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT

#IRC
iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 6697 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 6697 -j ACCEPT

#IRC SERVER
iptables -t filter -A OUTPUT -p tcp --dport 9784 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 9784 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 7000 -j ACCEPT

#DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

#NTP
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

I made a text file with the lines above available to download here.

Save the script file under /etc/rc.d/init.d, make it executable and apply it, so you will be able to launch it as a service.

chmod +x /etc/rc.d/init.d/firewall
bash /etc/rc.d/init.d/firewall

Now, if you used a Debian-like distro, you would have to issue the update-rc.d command to add your script to the list of services starting at boot time; on CentOS, RHEL or Fedora, you have to use chkconfig instead (it takes the service name, not the script path).

chkconfig --add firewall
chkconfig firewall on

Just to be sure your firewall service is registered and will start at boot, use the ntsysv command to open a graphical interface; "firewall" should appear in the list of services starting at boot:

ntsysv

Harden your SSH access

In a few simple steps, you will be able to diminish the risk of unauthorized ssh access. Your ssh settings can be found in /etc/ssh/sshd_config; this is where you will have to modify the configuration settings below.

sudo vim /etc/ssh/sshd_config

1. Change your ssh port

By default, ssh runs on port 22. You will need to change this default value to an arbitrary port number (it must be between 1 and 65535, but prefer the unassigned 49152–65535 range; for more information about port numbers, read the wiki). Search for the port setting, and remove the sharp (#) to uncomment it and thus override the default:

  • 3.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#This will require ssh connections to use the 60125 port
Port 60125

By changing this setting, you can make a hacker drop an attack by making him think your ssh is disabled, or at least force him to scan your ports in order to find ssh access.

2. Disable root login

If the hacker still gets to connect to your ssh port, he will need authentication. Obviously he will try the root account, which grants maximum privilege on the server, so you want to disable direct root ssh access.

# Authentication:
#LoginGraceTime 2m
#Find this line in your /etc/ssh/sshd_config and change its value to "no"
PermitRootLogin no

Once it's done, you will need another account to connect, so add a new password-protected user:

sudo adduser bob
sudo passwd bob
Changing password for user bob.
New password: "enter bob password here"

To push this a little further, you want bob to be the only user allowed to connect via ssh, so add the AllowUsers setting:

#Multiple users can be specified, separated by spaces.
AllowUsers bob

3. Apply new settings

Now restart your ssh service so the system takes the changes into account. Before restarting ssh, double check and make sure you didn't make any modification which could prevent you from reconnecting over ssh after you log out.

sudo /etc/rc.d/init.d/sshd restart

If you read the first part of this tutorial (setting iptables), you might want to change iptables as follows:

#SSH (replace 22 with your custom port number, for instance 60125)
iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT

Check your new settings: first, try to connect to the new ssh port you configured, using the -p argument.

ssh -p 60125 bob@server_address

4. Test against unauthorized access

If you have successfully hardened ssh, you won't be able to connect as root (or as any other user than bob, for that matter):

ssh -p 60125 root@server_address

  • 4.
root@server_address's password:
Permission denied, please try again.

Likewise, any connection on a port other than the one defined in /etc/ssh/sshd_config will time out:

#Connect ssh on default port
ssh bob@server_address
ssh: connect to host port 22: Connection timed out

Prevent bruteforce and DoS

Bruteforce and Denial of Service are both automated attacks that you can prevent by using tools specially made for this purpose.

Fail2ban

Fail2ban is designed to ban users who fail to log in correctly on your server; its main purpose is to prevent malicious users from bruteforcing your password. To install fail2ban under CentOS 6, you need to add the EPEL repository:

rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-67.noarc...
rpm --import https://fedoraproject.org/static/0608B895.txt
yum install fail2ban

Then edit the configuration file as you wish:

vim /etc/fail2ban/jail.conf

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 240

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 240

# "maxretry" is the number of failures before a host get banned.
maxretry = 10

Don't forget to start the fail2ban service:

service fail2ban start

DDoS Deflate

DDoS Deflate automatically detects and blocks denial of service attempts. Switch to a folder where you will download the DDoS Deflate script:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

A ddos.conf configuration file has been created under /usr/local/ddos/ddos.conf; have a look inside, it's well commented. A software cron job is installed and

  • 5.
will regularly do the DoS checking.

ls -l /etc/cron.d
-rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron

# /usr/local/ddos/ddos.sh --help
DDoS-Deflate version 0.6
Copyright (C) 2005, Zaf <zaf@vsnl.com>

Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections
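An offline audit of what this deck changes (the effective sshd_config options, whether the firewall script opens the port sshd will listen on, and any extra UID 0 account like the one created at the top of the deck), written as an added example rather than taken from the deck. It follows the first-uncommented-match rule quoted from the default sshd_config above and works on sample files constructed inline, so nothing touches the live system.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): offline audit of the settings the deck
# changes. The sshd_config, firewall script and passwd files are constructed
# below so nothing touches the live system.

# Effective value of an sshd_config option. OpenSSH takes the first
# uncommented occurrence; commented lines only document the default, so
# fall back to it. Single-valued options only; Match blocks are ignored.
sshd_effective() {  # sshd_effective <sshd_config> <Option> <default>
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Does the firewall script accept inbound TCP on <port>? Matches the exact
# rule form the deck uses; a range such as 20:21 is deliberately not expanded.
firewall_allows_tcp_in() {  # firewall_allows_tcp_in <script> <port>
    grep -Eq "^iptables( -t filter)? -A INPUT -p tcp --dport $2 -j ACCEPT" "$1"
}

# Lock-out check: with "-P INPUT DROP", the port sshd will listen on must
# already be open before sshd is restarted.
ssh_port_is_open() {  # ssh_port_is_open <sshd_config> <firewall_script>
    firewall_allows_tcp_in "$2" "$(sshd_effective "$1" Port 22)"
}

# Accounts other than root sharing UID 0, as the "adduser -u 0 -o" line at
# the top of the deck creates; a hardened host should report none.
extra_uid0_accounts() {  # extra_uid0_accounts <passwd_file>
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# ---- constructed sample files (not real system files) ----
TMP=$(mktemp -d)
SSHD_CFG=$TMP/sshd_config; SSHD_DEFAULTS=$TMP/sshd_defaults
FW_SCRIPT=$TMP/firewall; PASSWD=$TMP/passwd
printf '#Port 22\nPort 60125\n#PermitRootLogin yes\nPermitRootLogin no\nAllowUsers bob\n' > "$SSHD_CFG"
printf '#Port 22\n#PermitRootLogin yes\n' > "$SSHD_DEFAULTS"   # nothing uncommented yet
printf 'iptables -t filter -P INPUT DROP\niptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT\n' > "$FW_SCRIPT"
printf 'iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT\n' >> "$FW_SCRIPT"
printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash\nbackup:x:0:0::/:/bin/bash\n' > "$PASSWD"

echo "sshd Port: $(sshd_effective "$SSHD_CFG" Port 22), PermitRootLogin: $(sshd_effective "$SSHD_CFG" PermitRootLogin yes)"
if ssh_port_is_open "$SSHD_CFG" "$FW_SCRIPT"; then echo "sshd port is open in the firewall"; else echo "LOCK-OUT RISK: sshd port not open"; fi
echo "extra UID 0 accounts: $(extra_uid0_accounts "$PASSWD")"
```

Run it against the real /etc/ssh/sshd_config, /etc/rc.d/init.d/firewall and /etc/passwd before the sshd restart in step 3; a non-empty UID 0 list or a LOCK-OUT RISK line is the signal to stop and fix the file first.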
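The maxretry/findtime rule from the jail.conf above, as an added example that is not fail2ban's own code, applied with awk to constructed sshd log lines (syslog "Mon DD HH:MM:SS" timestamps, all assumed to be from the same day). It shows why findtime matters: ten failures within 72 seconds trip the deck's 10 / 240 s settings, while ten failures spaced six minutes apart never reach the threshold until the window is widened.

```shell
#!/usr/bin/env bash
# Added example, not fail2ban's own code: the maxretry/findtime rule from
# jail.conf applied to constructed sshd log lines (syslog "Mon DD HH:MM:SS"
# timestamps, all from the same day).

# Print each source IP the moment it reaches <maxretry> "Failed password"
# lines inside a sliding window of <findtime> seconds (once per IP).
failed_login_offenders() {  # failed_login_offenders <logfile> <maxretry> <findtime>
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (ip == "") next
            n[ip]++; ts[ip, n[ip]] = now
            cnt = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) cnt++
            if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$1"
}

# ---- constructed log (documentation addresses, not real hosts) ----
LOG=$(mktemp)
{
    # 203.0.113.5: ten failures in 72 seconds
    for s in 01 09 17 25 33 41 49 57; do
        echo "Jun 20 00:15:$s server sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4120 ssh2"
    done
    echo "Jun 20 00:16:05 server sshd[2101]: Failed password for root from 203.0.113.5 port 4120 ssh2"
    echo "Jun 20 00:16:13 server sshd[2101]: Failed password for root from 203.0.113.5 port 4120 ssh2"
    # 198.51.100.7: three typos, then a successful login
    for s in 10 20 30; do
        echo "Jun 20 00:20:$s server sshd[2155]: Failed password for bob from 198.51.100.7 port 5210 ssh2"
    done
    echo "Jun 20 00:20:40 server sshd[2155]: Accepted password for bob from 198.51.100.7 port 5210 ssh2"
    # 192.0.2.9: ten failures, but six minutes apart (54 minutes in total)
    for m in 30 36 42 48 54; do
        echo "Jun 20 00:$m:00 server sshd[2200]: Failed password for root from 192.0.2.9 port 6001 ssh2"
    done
    for m in 00 06 12 18 24; do
        echo "Jun 20 01:$m:00 server sshd[2200]: Failed password for root from 192.0.2.9 port 6001 ssh2"
    done
} > "$LOG"

echo "deck settings (maxretry 10, findtime 240):  $(failed_login_offenders "$LOG" 10 240 | tr '\n' ' ')"
echo "wider window  (maxretry 10, findtime 3600): $(failed_login_offenders "$LOG" 10 3600 | tr '\n' ' ')"
```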