[lug] Firewall / Lockdown questions

Nate Duehr nate at natetech.com
Wed Aug 1 00:55:52 MDT 2007


On Jul 31, 2007, at 6:57 PM, dio2002 at indra.com wrote:

> I'm doing that as well.  Trying to find the best method to lock that down
> as well.  I've seen a variety of solutions for this.  Any suggestions more
> than welcome for sshd_config options and/or methods.

A whole article in and of itself.  X Forwarding, yes/no?  So-called
"passwordless" SSH with keys pre-exchanged, yes/no?  Allow root
logins, yes/no?  (That one can almost always be a no, and probably
should be the default, but rarely is.)  Etc., etc., etc.  Lots of articles
(and whole books) published on the topic of SSH configuration.

> Also, what would be the best way to monitor brute force or other
> suspicious attempts against ssh?  I think /var/log/secure is the main log
> file.  I could manually inspect that periodically but it would be better if
> I was automatically alerted in some way via email?  Should I set a cron
> script to grep for a key phrase in this file and mail periodically?  Any
> other ideas?

There are various kinds of brute-force attacks.  You'd have to be  
more specific for folks to recommend tools for each type.  You can  
also go overboard installing such things, and create other attack  
vectors (denial-of-service) by installing them.  Example... if you  
install a program that "locks out" IP addresses port-scanning you and  
somehow your ISP allows spoofed addresses to reach your box... and  
someone figured that out... they could effectively lock you out from  
any IP they knew you'd come in from... cat and mouse.

(Of course, the ultimate DoS attacks just come from bots on multiple  
networks and simply eat up all of your bandwidth to the point where  
you can't get a "word in edgewise" remotely, anyway... and if someone  
hates you that much, you probably have a really big budget to spend  
on a back-door way in.  GRIN...)

--
Nate Duehr
nate at natetech.com
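
Added example, not part of the original post: a report-only take on the cron idea from the quoted question, counting failed sshd password attempts per source IP without locking anyone out, which avoids the lockout problem described in the reply. The log lines are constructed samples in the usual sshd layout, and the names `summarize`, `report` and `threshold` are assumptions of this example.

```python
"""Summarize failed SSH logins per source IP. Report only, never block."""
import re
import sys
from collections import defaultdict

# The username is attacker-controlled, so match it greedily and anchor the
# source address at the end of the line; an injected "from <ip>" is ignored.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = """\
Aug  1 00:12:01 box sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Aug  1 00:12:03 box sshd[2211]: Failed password for root from 203.0.113.7 port 40023 ssh2
Aug  1 00:12:05 box sshd[2212]: Failed password for invalid user test from 192.0.2.50 from 203.0.113.7 port 40025 ssh2
Aug  1 00:13:00 box sshd[2300]: Accepted publickey for nate from 198.51.100.4 port 51000 ssh2
Aug  1 00:13:09 box sshd[2301]: Failed password for nate from 198.51.100.4 port 51002 ssh2
""".splitlines()


def summarize(lines, threshold=3):
    """Return {ip: (failures, sorted usernames tried)} for ip with >= threshold."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def report(summary):
    """One line per source, busiest first; empty string when nothing qualifies."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1][0])
    return "\n".join(f"{ip}: {n} failed logins, users tried: {', '.join(u)}" for ip, (n, u) in rows)


if __name__ == "__main__":
    # Optional argument: path to the auth log (e.g. /var/log/secure).
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = report(summarize(fh))
    else:
        text = report(summarize(SAMPLE))
    if text:
        print(text)  # cron mails a job's output to MAILTO
```

Run from cron with the log path as the argument; the script stays silent below the threshold, so mail arrives only when there is something to read.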





