Here are a few tips on how to improve SSHD security on your Fedora Core box. With these easy steps you can make sure no-one's gonna hack into your box.
1) Install fail2ban
Fail2ban is a script that actively tracks connections to sshd. If someone tries to scan your sshd using many different account names and passwords, fail2ban denies connections from that IP for 15 minutes.
You can install fail2ban easily with yum:
[root@machine ssh]# yum install -y fail2ban.noarch
You can start using fail2ban straight after installation is complete:
[root@machine ssh]# /etc/init.d/fail2ban start
The log file is found in /var/log. Fail2ban can also send email with information about banned IP addresses.
2) Restricted ssh connections
You can allow ssh connections only for specified accounts.
Open /etc/ssh/sshd_config in Emacs and add the following line:
AllowUsers username1 username2
You should also make sure root cannot log in over ssh:
PermitRootLogin no
After this, restart your sshd.
3) Change your SSHD port
By default, sshd listens on port 22. Many port scanners try to locate ssh servers running on that port. If you change your sshd to a high port (above 1024), you get rid of many port scanning attempts. For example, nmap cannot scan ports above 1024.
In sshd_config, change:
#Port 22 >> Port 1100
Restart your sshd.
4) Allow only specific hosts to connect using TCP wrappers
You should allow SSH connections to your machine only from wanted IP addresses. Anything else is unwanted, and possibly hazardous. For this you can use two files: /etc/hosts.deny and /etc/hosts.allow
/etc/hosts.deny controls which traffic you want to deny, and /etc/hosts.allow which traffic you want to allow.
Here's an example of how to deny all ssh access. Simply add the following to your hosts.deny:
sshd: ALL
Now, after you restart your sshd, all sshd traffic is blocked.
If you want to have access from your IP address 192.168.1.1 and some public addresses, simply add the following to your hosts.allow:
sshd: 192.168.1.1 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
If you want to allow all traffic from .se domains, simply add this to your hosts.allow:
sshd: .se
This can also be done with hosts.deny:
sshd : ALL EXCEPT .se
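And if you want to block traffic from some countries but allow everything else, you can add this to hosts.allow:
# Allow SSH (http://en.wikipedia.org/wiki/Country_code_top-level_domain)
# hosts.deny must still contain "sshd: ALL", otherwise unmatched clients are granted access
sshd : ALL EXCEPT .br .cl .cn .hk .in .kr .mx .my .ro .ru .tw .ua
# Allow everything else (all other services); a plain "ALL : ALL" here
# would also match sshd and let the excluded domains back in
ALL EXCEPT sshd : ALL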
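The following is an added example, not part of the original post: a small Python model of how TCP wrappers evaluate hosts.allow and then hosts.deny, showing why a catch-all "ALL : ALL" line in hosts.allow re-admits sshd clients that an earlier EXCEPT list excluded, and why an address prefix needs its trailing dot. It covers only a subset of hosts_access(5) (ALL, EXCEPT, ".domain" suffixes, "a.b.c." prefixes, exact names); the function names, host names and addresses are constructed for illustration.

```python
# Simplified model of hosts_access(5) rule evaluation (added example).

def _token_matches(token, value):
    if token == "ALL":
        return True
    if token.startswith("."):      # ".se" matches host names ending in .se
        return value.endswith(token)
    if token.endswith("."):        # "192.168.1." matches that address prefix
        return value.startswith(token)
    return token == value          # anything else must match exactly

def _list_matches(tokens, values):
    # "list_1 EXCEPT list_2" matches list_1 unless list_2 also matches.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], values)
                and not _list_matches(tokens[i + 1:], values))
    return any(_token_matches(t, v) for t in tokens for v in values)

def _rule_matches(rule, daemon, host, addr):
    daemons, clients = rule.split(":", 1)
    return (_list_matches(daemons.split(), [daemon])
            and _list_matches(clients.split(), [host, addr]))

def _rules(text):
    # Drop comments and blank lines.
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in stripped if line]

def access_granted(allow, deny, daemon, host, addr):
    """hosts.allow is checked first, then hosts.deny; no match means granted."""
    if any(_rule_matches(r, daemon, host, addr) for r in _rules(allow)):
        return True
    if any(_rule_matches(r, daemon, host, addr) for r in _rules(deny)):
        return False
    return True

# Constructed sample rule sets (country list shortened for the example).
DENY = "sshd: ALL"
ALLOW_CATCH_ALL = "sshd : ALL EXCEPT .cn .ru\nALL : ALL"
ALLOW_SCOPED = "sshd : ALL EXCEPT .cn .ru\nALL EXCEPT sshd : ALL"

if __name__ == "__main__":
    client = ("host.example.cn", "203.0.113.7")   # constructed client
    for name, allow in (("catch-all", ALLOW_CATCH_ALL), ("scoped", ALLOW_SCOPED)):
        print(name, "sshd from .cn granted:",
              access_granted(allow, DENY, "sshd", *client))
```

Host-name patterns such as .se or .cn are matched against the client's reverse DNS name, so a client whose address has no PTR record passes through an EXCEPT list of domains unmatched.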
Monday, February 25, 2008
Tightening SSHD security on Fedora Core
Labels: fail2ban, hosts.allow, hosts.deny, ssh, sshd, tcp wrappers