SlideShare una empresa de Scribd logo

Linuxserver harden

Descargar como TXT, PDF
Gregory Hanis
Gregory Hanis
Tecnología
1 de 6
##root account hidden: /usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M <accountname> Start a firewall The first thing you want to do is to setup the linux iptables firewall. The setup will be a bash script with iptables rules, and you will have to run it as a deamon service (you could write rules line by line in your terminal and then save them as a ruleset, as described here, but the service method below is easier to maintain imo). First, use your favorite console text editor to create a new file in your /etc/rc.d/init.d/ service directory (CentOS should have vim already installed), you can name it firewall. #Create a service owned by root sudo vim /etc/rc.d/init.d/firewall As a bash script service, it will need some mandatory header attributes: shell type, runlevels, priorities and a description. #! /bin/bash #chkconfig: 2345 95 20 #description: iptables rules to prevent communication on unused ports. #Reset all rules (F) and chains (X), necessary if have already defined iptables rules iptables -t filter -F iptables -t filter -X #Start by blocking iptables -t filter iptables -t filter iptables -t filter all traffic, this will allow secured, fine grained filtering -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP #Keep established connexions iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #Allow loopback iptables -t filter iptables -t filter #HTTP iptables -t filter iptables -t filter #HTTPS iptables -t filter iptables -t filter #FTP iptables -t filter iptables -t filter #SMTP iptables -t filter iptables -t filter #POP3 iptables -t filter iptables -t filter #IMAP iptables -t filter iptables -t filter #ICMP iptables -t filter iptables -t filter -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A OUTPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 25 -j ACCEPT -A OUTPUT -p tcp --dport 25 -j ACCEPT -A INPUT -p tcp --dport 110 -j ACCEPT -A OUTPUT -p tcp --dport 110 -j ACCEPT -A INPUT -p tcp --dport 143 -j ACCEPT -A OUTPUT -p tcp --dport 143 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -j ACCEPT
#SSH iptables -t filter iptables -t filter #SSH NEW PORT iptables -t filter iptables -t filter #IRC iptables -t filter iptables -t filter iptables -t filter iptables -t filter #IRC SERVER iptables -t filter iptables -t filter iptables -t filter iptables -t filter #DNS iptables -t filter iptables -t filter iptables -t filter iptables -t filter #NTP iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT -A OUTPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 60125 -j ACCEPT -A OUTPUT -p tcp --dport 60125 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 6667 -j ACCEPT OUTPUT -p tcp --dport 6697 -j ACCEPT INPUT -p tcp --dport 6667 -j ACCEPT INPUT -p tcp --dport 6697 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 9784 -j ACCEPT INPUT -p tcp --dport 9784 -j ACCEPT OUTPUT -p tcp --dport 7000 -j ACCEPT INPUT -p tcp --dport 7000 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 53 -j ACCEPT OUTPUT -p udp --dport 53 -j ACCEPT INPUT -p tcp --dport 53 -j ACCEPT INPUT -p udp --dport 53 -j ACCEPT -A OUTPUT -p udp --dport 123 -j ACCEPT I made a text file with the lines above available to download here. Save the script file under /etc/rc.d/init.d, make it executable and apply it, so you will be able to launch it as a service. chmod +x /etc/rc.d/init.d/firewall bash /etc/rc.d/init.d/firewall Now, if you used a debian like distro, you would have issue the update-rc.d command to add your script to the list of services starting at boot time, instead on CentOs, RHEL or Fedora, you have to use chkconfig. chkconfig --add /etc/rc.d/init.d/firewall chkconfig /etc/rc.d/init.d/firewall on Just to be sure your firewill service is registered and will start at boot, use the ntsysv command to open a graphical interface and "firewall" should appear in the list of services starting at boot: ntsysv Harden your SSH access In a few simple steps, you will be able to diminish risks of unauthorized ssh accesses Your ssh settings can be found in /etc/ssh/sshd_config, this is where you will have to modify the configuration settings below. sudo vim /etc/ssh/sshd_config 1. Change your ssh port By default, ssh run on port 22. You will need to change this default value to an arbitrary port number (it must be between 1 and 65535, but prefer the unassigned 49152–65535 range, for more information about port numbers, read the wiki). Search for the port setting, and remove the sharp to uncomment it and thus remove default :
# # # # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value. #This will require ssh connexions to use the 60125 port Port 60125 By changing this setting, you can make a hacker drop an attack by making him think your ssh is disable or at least force him to scan your ports in order to find ssh access. 2. Disable root login If the hacker still gets to connect to your ssh port, he will need authentication. Obvisously he will try the root account which grant maximum priviledge on the server, so you want to disable direct root ssh access. # Authentication: #LoginGraceTime 2m #Find this line in your /etc/ssh/sshd_config and change its value to "no" PermitRootLogin no Once it's done, you will need another account to connect, so add a new password protected user sudo adduser bob sudo passwd bob Changing password for user bob. New password: "enter bob password here" To push this a little further, you want bob to be the only user allowed to connect via ssh, so add the AllowUsers setting : #Multiple users can be specified, separated by spaces. AllowUsers bob 3. Apply new settings Now restart your ssh service so the system will take changes into account. Before restarting ssh, double check and make sure you didn't make any modifications which could prevent you to reconnect ssh after you logout. sudo /etc/rc.d/init.d/sshd restart If you read the first part of this tutorial (setting iptables), you might want to change iptables as follow : #SSH (replace 22 with your custom port number, for instance 60125) iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT Check your new settings, first you will try to connect to the new ssh port you configured, using the -p argument ssh -p 60125 bob@server_address 4. Test against unauthorized access If you have successfully harden ssh, you won't be able to connect as root (or any other user than bob for that matter) : ssh -p 60125 root@server_address
root@server_address's password: Permission denied, please try again. Likewise, any connexion on a port other than the one defined in /etc/ssh/sshd_config will be timed out #Connect ssh on default port ssh bob@server_address ssh: connect to host port 22: Connection timed out Prevent bruteforce and DoS Bruteforce and Denial Of Service are both automated attacks that you can prevent by using tools specially made for this purpose. Fail2ban Fail2ban is designed to ban users which fail to login correctly on your server, its main purpose is to prevent malicious users to bruteforce your password. To install fail2ban under CentOS 6, you need to add the EPEL repository : rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-67.noarc... rpm –import https://fedoraproject.org/static/0608B895.txt yum install fail2ban Then edit the configuration file as you wish : vim /etc/fail2ban/jail.conf [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 240 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 240 # "maxretry" is the number of failures before a host get banned. maxretry = 10 Don't forget to start fail2ban service : service fail2ban start DDOS Deflate DDos Deflate automatically detects and blocks denial of service attempts. Switch to a folder where you will download the DDoS Deflate script: wget http://www.inetbase.com/scripts/ddos/install.sh chmod 0700 install.sh chmod 0700 install.sh ./install.sh A ddos.conf configuration file has been created under /usr/local/ddos/ddos.conf, have a look inside, it's commented well. A software cron job is installed and
will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections
will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections

Recomendados

Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dumpAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Lession2 Xinetd
Lession2 XinetdLession2 Xinetd
Lession2 Xinetdleminhvuong
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxGuillermo Salas Macias
 
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)Hari
 
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04Instalasi Network Monitoring System (Nagios) Ubuntu 12.04
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04Febi Gelar Ramadhan
 

Recomendados

Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dumpAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Lession2 Xinetd
Lession2 XinetdLession2 Xinetd
Lession2 Xinetdleminhvuong
 
Alta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxAlta disponibilidad en GNU/Linux
Alta disponibilidad en GNU/LinuxGuillermo Salas Macias
 
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)
Source Code of Building Linux IPv6 DNS Server (Complete Sourcecode)Hari
 
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04Instalasi Network Monitoring System (Nagios) Ubuntu 12.04
Instalasi Network Monitoring System (Nagios) Ubuntu 12.04Febi Gelar Ramadhan
 
Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-partiSehla Loussaief Zayen
 
Computer Security
Computer SecurityComputer Security
Computer SecurityAristotelis Kotsomitopoulos
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflowAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochKernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochAnne Nicolas
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
Linux networking
Linux networkingLinux networking
Linux networkingArie Bregman
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
Basic dns-mod
Basic dns-modBasic dns-mod
Basic dns-modHarry Potter
 
Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1Pere Casas
 
PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !Cyril Marsaud
 
Javascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachGregory Hanis
 
Rollingstone greghanis
Rollingstone greghanisRollingstone greghanis
Rollingstone greghanisGregory Hanis
 
Pm final project
Pm final projectPm final project
Pm final projectGregory Hanis
 

Más contenido relacionado

La actualidad más candente

도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochKernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochAnne Nicolas
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Pythondelimitry
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFBrendan Gregg
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 

La actualidad más candente (17)

Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-parti
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling Recipes
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner KochKernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch
 
True stories on the analysis of network activity using Python
True stories on the analysis of network activity using PythonTrue stories on the analysis of network activity using Python
True stories on the analysis of network activity using Python
 
Kernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPFKernel Recipes 2017: Performance Analysis with BPF
Kernel Recipes 2017: Performance Analysis with BPF
 
Linux networking
Linux networkingLinux networking
Linux networking
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
 
Basic dns-mod
Basic dns-modBasic dns-mod
Basic dns-mod
 

Destacado

Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1Pere Casas
 
PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !Cyril Marsaud
 
Javascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachGregory Hanis
 
Rollingstone greghanis
Rollingstone greghanisRollingstone greghanis
Rollingstone greghanisGregory Hanis
 

Destacado (7)

Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1Pere proposta per defensa projecte v.1
Pere proposta per defensa projecte v.1
 
PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !PLATO : partagez plus qu'un réseau !
PLATO : partagez plus qu'un réseau !
 
Javascript Deofuscation A manual Approach
Javascript Deofuscation A manual ApproachJavascript Deofuscation A manual Approach
Javascript Deofuscation A manual Approach
 
Rollingstone greghanis
Rollingstone greghanisRollingstone greghanis
Rollingstone greghanis
 
Pm final project
Pm final projectPm final project
Pm final project
 
Leadership
LeadershipLeadership
Leadership
 
Jtech Commander Manual Muscle Tester
Jtech Commander Manual Muscle TesterJtech Commander Manual Muscle Tester
Jtech Commander Manual Muscle Tester
 

Similar a Linuxserver harden

Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Kaan Aslandağ
 
ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions Chanaka Lasantha
 
Free radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleFree radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleChanaka Lasantha
 
linux_Commads
linux_Commadslinux_Commads
linux_Commadstastedone
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoTiago Cruz
 
Document Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSDocument Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSSiddharth Ram Dinesh
 
How to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oHow to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oProxiesforrent
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
 
Installing odoo v8 from github
Installing odoo v8 from githubInstalling odoo v8 from github
Installing odoo v8 from githubAntony Gitomeh
 
Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...wensheng wei
 

Similar a Linuxserver harden (20)

Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorial
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8
 
Cent os 5 ssh
Cent os 5 sshCent os 5 ssh
Cent os 5 ssh
 
Ex200
Ex200Ex200
Ex200
 
ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions ERP System Implementation Kubernetes Cluster with Sticky Sessions
ERP System Implementation Kubernetes Cluster with Sticky Sessions
 
Free radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmapleFree radius billing server with practical vpn exmaple
Free radius billing server with practical vpn exmaple
 
Ssh cookbook v2
Ssh cookbook v2Ssh cookbook v2
Ssh cookbook v2
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
 
linux_Commads
linux_Commadslinux_Commads
linux_Commads
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Document Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSDocument Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OS
 
How to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos oHow to install squid proxy on server or how to install squid proxy on centos o
How to install squid proxy on server or how to install squid proxy on centos o
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
Installing odoo v8 from github
Installing odoo v8 from githubInstalling odoo v8 from github
Installing odoo v8 from github
 
Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...Installation of Subversion on Ubuntu,...
Installation of Subversion on Ubuntu,...
 
Docker practice
Docker practiceDocker practice
Docker practice
 

Más de Gregory Hanis

To cert or not to cert
To cert or not to certTo cert or not to cert
To cert or not to certGregory Hanis
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverGregory Hanis
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Penetration testing is a field which has experienced rapid growth over the years
Penetration testing is a field which has experienced rapid growth over the yearsPenetration testing is a field which has experienced rapid growth over the years
Penetration testing is a field which has experienced rapid growth over the yearsGregory Hanis
 

Más de Gregory Hanis (11)

Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
To cert or not to cert
To cert or not to certTo cert or not to cert
To cert or not to cert
 
Windows great again
Windows great againWindows great again
Windows great again
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Anonymizers
AnonymizersAnonymizers
Anonymizers
 
Oop in php_tutorial
Oop in php_tutorialOop in php_tutorial
Oop in php_tutorial
 
Suncoastscam
SuncoastscamSuncoastscam
Suncoastscam
 
Penetration testing is a field which has experienced rapid growth over the years
Penetration testing is a field which has experienced rapid growth over the yearsPenetration testing is a field which has experienced rapid growth over the years
Penetration testing is a field which has experienced rapid growth over the years
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
security IDS
security IDSsecurity IDS
security IDS
 

Último

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Linuxserver harden

  • 1. ##root account hidden: /usr/sbin/adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M <accountname> Start a firewall The first thing you want to do is to setup the linux iptables firewall. The setup will be a bash script with iptables rules, and you will have to run it as a deamon service (you could write rules line by line in your terminal and then save them as a ruleset, as described here, but the service method below is easier to maintain imo). First, use your favorite console text editor to create a new file in your /etc/rc.d/init.d/ service directory (CentOS should have vim already installed), you can name it firewall. #Create a service owned by root sudo vim /etc/rc.d/init.d/firewall As a bash script service, it will need some mandatory header attributes: shell type, runlevels, priorities and a description. #! /bin/bash #chkconfig: 2345 95 20 #description: iptables rules to prevent communication on unused ports. #Reset all rules (F) and chains (X), necessary if have already defined iptables rules iptables -t filter -F iptables -t filter -X #Start by blocking iptables -t filter iptables -t filter iptables -t filter all traffic, this will allow secured, fine grained filtering -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP #Keep established connexions iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #Allow loopback iptables -t filter iptables -t filter #HTTP iptables -t filter iptables -t filter #HTTPS iptables -t filter iptables -t filter #FTP iptables -t filter iptables -t filter #SMTP iptables -t filter iptables -t filter #POP3 iptables -t filter iptables -t filter #IMAP iptables -t filter iptables -t filter #ICMP iptables -t filter iptables -t filter -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A OUTPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 20:21 -j ACCEPT -A INPUT -p tcp --dport 25 -j ACCEPT -A OUTPUT -p tcp --dport 25 -j ACCEPT -A INPUT -p tcp --dport 110 -j ACCEPT -A OUTPUT -p tcp --dport 110 -j ACCEPT -A INPUT -p tcp --dport 143 -j ACCEPT -A OUTPUT -p tcp --dport 143 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -j ACCEPT
  • 2. #SSH iptables -t filter iptables -t filter #SSH NEW PORT iptables -t filter iptables -t filter #IRC iptables -t filter iptables -t filter iptables -t filter iptables -t filter #IRC SERVER iptables -t filter iptables -t filter iptables -t filter iptables -t filter #DNS iptables -t filter iptables -t filter iptables -t filter iptables -t filter #NTP iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT -A OUTPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 60125 -j ACCEPT -A OUTPUT -p tcp --dport 60125 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 6667 -j ACCEPT OUTPUT -p tcp --dport 6697 -j ACCEPT INPUT -p tcp --dport 6667 -j ACCEPT INPUT -p tcp --dport 6697 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 9784 -j ACCEPT INPUT -p tcp --dport 9784 -j ACCEPT OUTPUT -p tcp --dport 7000 -j ACCEPT INPUT -p tcp --dport 7000 -j ACCEPT -A -A -A -A OUTPUT -p tcp --dport 53 -j ACCEPT OUTPUT -p udp --dport 53 -j ACCEPT INPUT -p tcp --dport 53 -j ACCEPT INPUT -p udp --dport 53 -j ACCEPT -A OUTPUT -p udp --dport 123 -j ACCEPT I made a text file with the lines above available to download here. Save the script file under /etc/rc.d/init.d, make it executable and apply it, so you will be able to launch it as a service. chmod +x /etc/rc.d/init.d/firewall bash /etc/rc.d/init.d/firewall Now, if you used a debian like distro, you would have issue the update-rc.d command to add your script to the list of services starting at boot time, instead on CentOs, RHEL or Fedora, you have to use chkconfig. chkconfig --add /etc/rc.d/init.d/firewall chkconfig /etc/rc.d/init.d/firewall on Just to be sure your firewill service is registered and will start at boot, use the ntsysv command to open a graphical interface and "firewall" should appear in the list of services starting at boot: ntsysv Harden your SSH access In a few simple steps, you will be able to diminish risks of unauthorized ssh accesses Your ssh settings can be found in /etc/ssh/sshd_config, this is where you will have to modify the configuration settings below. sudo vim /etc/ssh/sshd_config 1. Change your ssh port By default, ssh run on port 22. You will need to change this default value to an arbitrary port number (it must be between 1 and 65535, but prefer the unassigned 49152–65535 range, for more information about port numbers, read the wiki). Search for the port setting, and remove the sharp to uncomment it and thus remove default :
  • 3. # # # # The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value. #This will require ssh connexions to use the 60125 port Port 60125 By changing this setting, you can make a hacker drop an attack by making him think your ssh is disable or at least force him to scan your ports in order to find ssh access. 2. Disable root login If the hacker still gets to connect to your ssh port, he will need authentication. Obvisously he will try the root account which grant maximum priviledge on the server, so you want to disable direct root ssh access. # Authentication: #LoginGraceTime 2m #Find this line in your /etc/ssh/sshd_config and change its value to "no" PermitRootLogin no Once it's done, you will need another account to connect, so add a new password protected user sudo adduser bob sudo passwd bob Changing password for user bob. New password: "enter bob password here" To push this a little further, you want bob to be the only user allowed to connect via ssh, so add the AllowUsers setting : #Multiple users can be specified, separated by spaces. AllowUsers bob 3. Apply new settings Now restart your ssh service so the system will take changes into account. Before restarting ssh, double check and make sure you didn't make any modifications which could prevent you to reconnect ssh after you logout. sudo /etc/rc.d/init.d/sshd restart If you read the first part of this tutorial (setting iptables), you might want to change iptables as follow : #SSH (replace 22 with your custom port number, for instance 60125) iptables -t filter -A INPUT -p tcp --dport 60125 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 60125 -j ACCEPT Check your new settings, first you will try to connect to the new ssh port you configured, using the -p argument ssh -p 60125 bob@server_address 4. Test against unauthorized access If you have successfully harden ssh, you won't be able to connect as root (or any other user than bob for that matter) : ssh -p 60125 root@server_address
  • 4. root@server_address's password: Permission denied, please try again. Likewise, any connexion on a port other than the one defined in /etc/ssh/sshd_config will be timed out #Connect ssh on default port ssh bob@server_address ssh: connect to host port 22: Connection timed out Prevent bruteforce and DoS Bruteforce and Denial Of Service are both automated attacks that you can prevent by using tools specially made for this purpose. Fail2ban Fail2ban is designed to ban users which fail to login correctly on your server, its main purpose is to prevent malicious users to bruteforce your password. To install fail2ban under CentOS 6, you need to add the EPEL repository : rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-67.noarc... rpm –import https://fedoraproject.org/static/0608B895.txt yum install fail2ban Then edit the configuration file as you wish : vim /etc/fail2ban/jail.conf [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 240 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 240 # "maxretry" is the number of failures before a host get banned. maxretry = 10 Don't forget to start fail2ban service : service fail2ban start DDOS Deflate DDos Deflate automatically detects and blocks denial of service attempts. Switch to a folder where you will download the DDoS Deflate script: wget http://www.inetbase.com/scripts/ddos/install.sh chmod 0700 install.sh chmod 0700 install.sh ./install.sh A ddos.conf configuration file has been created under /usr/local/ddos/ddos.conf, have a look inside, it's commented well. A software cron job is installed and
  • 5. will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections
  • 6. will regurlarly to the DoS checking. ls -l /etc/cron.d -rw-r--r-- 1 root root 74 Jun 20 00:15 ddos.cron # /usr/local/ddos/ddos.sh --help DDoS-Deflate version 0.6 Copyright (C) 2005, Zaf <zaf@vsnl.com> Usage: ddos.sh [OPTIONS] [N] N : number of tcp/udp connections (default 150) OPTIONS: -h | --help: Show this help screen -c | --cron: Create cron job to run this script regularly (default 1 mins) -k | --kill: Block the offending ip making more than N connections