[lug] Firewall / Lockdown questions

Brad Crotchett brad at bradandkim.net
Tue Jul 31 20:53:39 MDT 2007


On Tue, 2007-07-31 at 18:57 -0600, dio2002 at indra.com wrote:
> > Unless you need mysql to talk to outside systems, I would lock that down
> > to lo/127.0.0.1 as well.
> 
> mysql only needs local access.  What's the best way to do that?  I've seen
> a variety of things online including the following params in my.cnf:
> 
> bind-address
> skip-networking
> 
> > You may want to allow in ssh so that you can manage it.
> 
> I'm doing that as well.  Trying to find the best method to lock that down
> as well.  I've seen a variety of solutions for this.  any suggestions more
> than welcome for sshd_config options and or methods.
> 
> Also, what would be the best way to monitor brute force or other
> suspicious attempts against ssh?  I think /var/log/secure is the main log
> file. I could manually inspect that periodically but it would be better if
> I was automatically alerted in some way via email?  Should I set a cron
> script to grep for a key phrase in this file and mail periodically? any
> other ideas?
> 
> thanks

Look in /etc/rc.d/init.d/mysqld.  If you are using CentOS then that
script should call up '/usr/bin/mysqld_safe' which by default should
just listen on '127.0.0.1'.  However, the init script should also parse
'/etc/my.cnf' for options, which could override this.  My guess is that
if you run 'netstat -an' locally you will see that mysql is only
listening on '127.0.0.1'.  I believe that 'bind-address=127.0.0.1' in
'/etc/my.cnf' will override this if not.

I would suggest running ssh on a different port than the default.  This
will not fool the savvy attacker but will eliminate scripted brute force
attacks.  You might also want to lock down ssh to certain IP addresses
and not the world.  If you do that, make sure that you have more than
one allowed IP so that you can always come from an allowed address even
when there are outages.

IMO most brute force attempts are scripted and are not very
sophisticated.  A good password policy should take care of them.  You
can also run pam_tally to lock out users after n attempts.  You would
want some kind of back door though because odds are every user account
on the box is going to get locked out at some point.  A script every
hour or 4 hours or so to reset the locks helps, but is not sufficient in
an emergency.  I think pam_tally is probably only needed if you run ssh
on the default port anyway (though again, the sophisticated attacker
won't be fooled for long by the port change).

As for stopping brute force attacks you could try:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
or
http://hexten.net/wiki/index.php/Pam_abl
though I have not used either and cannot make any recommendations.

Thanks,

Brad Crotchett
brad at bradandkim.net
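
[Added example, not part of Brad's reply or the original thread.]  A small
shell script that checks the two things discussed above: whether a my.cnf
really keeps mysqld off the network, and whether an sshd_config carries the
lockdown settings (non-default port, no root or password logins, more than
one allowed source address).  The my.cnf and sshd_config text, port 2222,
the user name and the addresses in AllowUsers are constructed for
illustration; nothing here comes from the poster's hosts.  Point the
functions at the real files with "mysql_local_only < /etc/my.cnf" and
"ssh_findings < /etc/ssh/sshd_config".

```shell
#!/bin/sh
# Added example, not code from the original thread: audit a my.cnf and an
# sshd_config for the settings discussed above. All config text below is
# constructed; on a real host feed the functions the real files.

# Constructed my.cnf, weak form: no bind-address, so mysqld accepts TCP
# connections on every interface.
MYCNF_WEAK='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
'

# Constructed my.cnf, corrected form: local clients use the socket, and
# either of the last two lines alone keeps mysqld off the network.
MYCNF_FIXED='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address=127.0.0.1
skip-networking
'

# Exit 0 when the [mysqld] section of the my.cnf on stdin either disables
# TCP (skip-networking) or binds only to loopback; exit 1 otherwise.
mysql_local_only() {
    awk '
        /^[ \t]*\[/              { section = $0; next }
        section !~ /^\[mysqld\]/ { next }
        /^[ \t]*skip-networking[ \t]*$/                       { ok = 1 }
        /^[ \t]*bind-address[ \t]*=[ \t]*127\.0\.0\.1[ \t]*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sshd_config with the lockdown the thread suggests: a
# non-default port (2222 is an assumption), no root or password logins,
# and two allowed sources so one outage cannot lock the admin out.
SSHD_LOCKED='# constructed sshd_config
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers brad@198.51.100.7 brad@203.0.113.0/24
MaxAuthTries 3
'

# Constructed sshd_config left at typical defaults.
SSHD_WEAK='# constructed sshd_config, nothing locked down
Protocol 2
PermitRootLogin yes
'

# Print the value of keyword $1 from the sshd_config on stdin. sshd uses
# the first occurrence of a keyword, so stop at the first match; keywords
# are case-insensitive. Match blocks are not handled.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }'
}

# Print how many user@host entries AllowUsers lists (0 when unset).
allow_count() {
    v=$(sshd_value AllowUsers)
    if [ -z "$v" ]; then
        echo 0
    else
        printf '%s\n' "$v" | wc -w | tr -d ' '
    fi
}

# Print one line per finding for the sshd_config on stdin; prints nothing
# when every check passes.
ssh_findings() {
    cfg=$(cat)
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    if [ "${port:-22}" = "22" ]; then
        echo "sshd listens on the default port 22"
    fi
    if [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not 'no'"
    fi
    if [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no' (key-only login blunts brute force)"
    fi
    if [ "$(printf '%s\n' "$cfg" | allow_count)" -lt 2 ]; then
        echo "AllowUsers lists fewer than two sources: one outage locks you out"
    fi
    return 0
}

# Stand-alone run over the constructed configs.
printf '%s' "$MYCNF_WEAK"  | mysql_local_only && echo "weak my.cnf: local only" \
                                              || echo "weak my.cnf: reachable over the network"
printf '%s' "$MYCNF_FIXED" | mysql_local_only && echo "fixed my.cnf: local only" \
                                              || echo "fixed my.cnf: reachable over the network"
echo "SSHD_WEAK findings:";   printf '%s' "$SSHD_WEAK"   | ssh_findings
echo "SSHD_LOCKED findings:"; printf '%s' "$SSHD_LOCKED" | ssh_findings
```

The config check only tells you what the file says; confirm what the
daemon actually did with 'netstat -an' (or 'netstat -tlnp' as root) and
look for 3306 bound to 0.0.0.0 rather than 127.0.0.1.  Note that sshd
honours the first value it reads for each keyword, so a later duplicate
line in the file does not take effect; the parser above follows that rule.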

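[Added example, not part of Brad's reply or the original thread.]  For the
"cron script that greps /var/log/secure and mails me" question, this shell
script does the grep properly: it counts "Failed password" lines per
source address, flags addresses over a threshold, and builds the report
you would pipe to mail.  The log lines, host name, addresses and the
threshold of 5 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: summarise failed SSH
# logins from a /var/log/secure-style file and flag source addresses that
# exceed a threshold. Sample lines, addresses and threshold are constructed.

# Constructed sample, in the syslog format OpenSSH's sshd writes to
# /var/log/secure on Red Hat / CentOS. One address hammers root and guessed
# user names; two others have a single failure each (one of those is the
# admin mistyping before a successful key login).
SAMPLE_LOG=$(cat <<'EOF'
Jul 31 20:10:01 host sshd[2201]: Failed password for root from 192.0.2.10 port 4421 ssh2
Jul 31 20:10:03 host sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 4422 ssh2
Jul 31 20:10:05 host sshd[2205]: Failed password for invalid user test from 192.0.2.10 port 4423 ssh2
Jul 31 20:10:07 host sshd[2207]: Failed password for root from 192.0.2.10 port 4424 ssh2
Jul 31 20:10:09 host sshd[2209]: Failed password for invalid user oracle from 192.0.2.10 port 4425 ssh2
Jul 31 20:11:30 host sshd[2215]: Failed password for brad from 198.51.100.7 port 50122 ssh2
Jul 31 20:11:35 host sshd[2215]: Accepted publickey for brad from 198.51.100.7 port 50122 ssh2
Jul 31 20:12:00 host sshd[2220]: Invalid user guest from 203.0.113.9
Jul 31 20:12:00 host sshd[2220]: Failed password for invalid user guest from 203.0.113.9 port 3390 ssh2
EOF
)

# Print "count ip" for every source address with failed password attempts,
# highest count first. Reads log text on stdin. The address is the field
# after "from", which survives both the plain and the "invalid user" forms.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Keep only addresses whose failure count reaches the threshold in $1.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t'
}

# Build the text a cron job would hand to mail(1). Reads log text on stdin.
report() {
    threshold="$1"
    hits=$(offenders "$threshold")
    if [ -z "$hits" ]; then
        printf 'No source reached %s failed SSH logins.\n' "$threshold"
    else
        printf 'Sources with at least %s failed SSH logins:\n%s\n' "$threshold" "$hits"
    fi
}

# Stand-alone run over the constructed sample. On a real host the cron
# entry would be something like:
#   report 5 < /var/log/secure | mail -s "ssh failures on $(hostname)" root
printf '%s\n' "$SAMPLE_LOG" | report 5
```

Two caveats when you run this against the real log.  /var/log/secure is
rotated, so a script that runs hourly should only look at lines newer than
its last run (or accept some double counting around rotation).  And
"Failed password" only covers password attempts; if you turn password
authentication off in sshd_config the noise moves to lines like "Invalid
user ... from ...", which is a cheaper pattern to count but shows the same
addresses.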