  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    10

    Securing a server
    All,

    We have a group of servers that sit behind a firewall, if you can call it that, and are only accessed after a port knock to a firewall server. These servers are also accessible from two servers in a remote dc without portknocking.

    In our hosts.allow file we have an entry for sshd to be accessed by all: sshd: ALL. I have read in a few places that even behind a firewall this is not safe, that this entry should be in the hosts.deny file to deny all by default, and then the hosts.allow file should have an entry sshd: xxx.xxx.xxx.0/nm to allow access to any service in a particular IP block.

    Is this something that can be considered a "best practice" step, or is it unnecessary, etc.? I'm hoping someone can give me some good advice on whether this should be done.

    Thanks!

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,904
    Yes, it is the sort of thing you want to do. The general process with firewalling or service denial for security is that you deny everything first, then specifically allow the access you want, and keep the range of what you allow as narrow as you can.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    I would switch to ssh-key _ONLY_ logins (disable PasswordAuthentication completely) and install fail2ban (or some other ssh blacklister.)

    ssh-keys do take a little bit more time and effort to set up and require that your users have half a clue, but they're more secure (and I think easier to use in the long run.)

    fail2ban just scans your logs for failed login attempts and uses iptables to ban anyone that fails 3-5 times in quick succession (like a minute or something.) It's configurable, but I've had no problems with the Debian default settings. It's actually pretty fun to browse my logs. 5 failed auths... 10 minutes... 5 failed auths... then nothing.

    Doing both these things will make almost every SSH attack just bounce off you. Of course, using ALLOW rules is _definitely_ a better idea, but I think it's impractical for most situations.
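The settings from replies #2 and #3 put together, as an added example that is not code from the thread: `stage_ssh_hardening` writes the default-deny hosts.deny, the narrow hosts.allow, the key-only sshd setting and a fail2ban jail into a staging tree for review, and `audit_ssh_hardening` checks a tree (a staging directory, or `/` on a live host, read-only) for the question's weak `sshd: ALL` and the missing `PasswordAuthentication no`. Both function names are hypothetical, and the block 192.0.2.0/255.255.255.0 is a constructed placeholder for the thread's xxx.xxx.xxx.0/nm.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the network below is a constructed placeholder. Never point the
# staging writer at "/"; the audit is safe to run against "/".
set -eu

# Write the corrected files under staging dir $1 for allowed block $2.
stage_ssh_hardening() {
    root=$1; allowed_net=$2
    mkdir -p "$root/etc/ssh" "$root/etc/fail2ban"
    # Weak setting from the question: hosts.allow "sshd: ALL".
    # Corrected (reply #2): deny by default, then allow one IP block.
    printf 'ALL: ALL\n' > "$root/etc/hosts.deny"
    printf 'sshd: %s\n' "$allowed_net" > "$root/etc/hosts.allow"
    # Reply #3: key-only logins. Merge these lines into the real
    # sshd_config rather than replacing it.
    printf 'PubkeyAuthentication yes\nPasswordAuthentication no\n' \
        > "$root/etc/ssh/sshd_config"
    # Reply #3: fail2ban, 5 failures within a minute => 10 minute ban
    # (jail name is "sshd" in current fail2ban releases).
    printf '[sshd]\nenabled = true\nmaxretry = 5\nfindtime = 60\nbantime = 600\n' \
        > "$root/etc/fail2ban/jail.local"
}

# Audit tree $1: return 0 when default deny, no open allow rule and
# key-only logins are all present; print what is missing, return 1.
audit_ssh_hardening() {
    root=$1; rc=0
    open='^[[:space:]]*(ALL|sshd)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
    if ! grep -Eqs "$open" "$root/etc/hosts.deny"; then
        echo "hosts.deny: no default deny for sshd"; rc=1
    fi
    if grep -Eqs "$open" "$root/etc/hosts.allow"; then
        echo "hosts.allow: sshd open to ALL"; rc=1
    fi
    if ! grep -Eiqs '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' \
            "$root/etc/ssh/sshd_config"; then
        echo "sshd_config: PasswordAuthentication is not set to no"; rc=1
    fi
    return $rc
}
```

OpenSSH dropped libwrap (TCP wrappers) support in release 6.7, so on current systems the hosts.allow/hosts.deny pair no longer gates sshd and the same deny-by-default has to live in the packet filter; the audit's sshd_config check still applies as written.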

