Linuxathome.net - Linux news and help for home broadband internet users
 Home | Files | Case Mods | Reviews | Forum | Search | Links | RDF | Contact | Uptime | Server Info | Tracker
Sections

Installation Guide
Setting Up
Internet Sharing
Port Forwarding
Services Config
Installing Programs
Game Servers
Using IPTables
Useful Commands
Kernel Upgrading
System Recovery
Red Hat 7.2 Setup
OpenBSD Setup
BPA Login Setup
PPPoE Setup
Add New Hardware
Using PPTP VPN
VMware ESX Cmds
Our RC5 Team
Folding@Home
Help Support Us

 
Articles
Linux Security
NetStats FAQ
Linux KIS Trojan
CAT5/LAN Cables
Domain Names
Presario RH Install APC Debian DVD
 
Slashdot.org
  • The Silicon Valley Paradox: One In Four People Are At Risk of Hunger
  • Trump Signs Law Forcing Drone Users To Register With Government
  • Instagram Will Now Let You Follow Hashtags In Your Main Feed
  • Trump Signs Into Law US Government Ban on Kaspersky Lab Software
  • Twitter Officially Launches 'Threads,' a New Feature For Easily Posting Tweetstorms
  • Former Uber Employees Have Gone Into Debt To Hang Onto Shares They Can't Sell
  • Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web
  • SEC Shuts Down Munchee ICO
  • Ajit Pai Offers No Data For Latest Claim That Net Neutrality Hurt Small ISPs
  • Tech Support Scammers Invade Spotify Forums To Rank in Search Engines
  • Nintendo Switch Sales Hit 10 Million Units, Could Outdo the Wii
  • Paris Summit Finds New Money, Tech To Fight Climate Change
  • Why Is Anime Obsessed With Power Lines?
  • We've Toned Down the 'Destroying Society' Shtick, Facebook Insists
  • SEC Warns 'Extreme Caution' Over Cryptocurrency Investments As Many People Take Out Mortgages To Buy Bitcoin
  •  
    Affiliates

    TweakTown.com
    ZGeek.com
    pebkac-consulting.com.au

     
    Webmail
      E-mail Address:

    Password:


     

      Securing You Machine

      Due to a few requests we have compiled this page to help you better secure your Linux box from those devious 'hackers' and general 'attackers' that may pray upon you. Since this site deals with setting up Linux for broadband Internet there is always the risk of people trying to gain access to your machine since it is on 24/7, this guide is meant to be a starting point for making your server more secure and in the attempt to prevent the above mention people from causing problems for you.
     

      Security Guide

     

    These details cover only a few ways of securing your machine, there are countless ways and some are just too complex and are just not necessary. It is up to you to establish if you want to secure you box and to what level your willing to put your security upto, remember with security also comes complexity, but don't let this stop you.

    User Passwords
    The first step of securing anything that has users and passwords is to make sure that the passwords themselves are hard to find. You all know the banks usual pitch "don't keep your PIN on or near your KeyCard, blah blah blah", but they are right aren't they? You should never carry a password around with you (except in your head).

    One way of making sure you passwords are hard to guess or crack is to periodically change them. On top of this its always a good concept to use that your passwords have a combination of UPPERCASE, lowercase and special characters (such as @, $, & etc.), this just makes it alot harder for someone to work out the password as there are just more options to choose from.

    Another way that I would definitely recommend is the use of a random password generator, it provides a method of creating passwords of varying length that are completely secure (well to a level, nothing is 100% unfortunately). Random password generators or Random text generators are readily available as cgi scripts or binary programs, they are also useful for when you create certain accounts and you want the person who will use the account to select a password, just generate one and then allow them to change it to what they want.

    If you are running Red Hat on your machine then there is a random password generator that is provided, this can be used by typing in mkpasswd, "mkpasswd - generate new password, optionally apply it to a user". This can be used in scripts to create a random password generator for your website or assign one to a new user on your machine. If you would like to see an example then you can find my cgi script here.

    If you allow friends or other people to have certain access your machine then you want to make sure that there passwords are secure, you can help them by providing them access to the above mention generator. Another way of verifying that they actually have a secure password is to regularly run a program that tries to "hack" the password of the user accounts, this is a good idea as many wannabe hackers use scripts such as these.

    Securing Your Login (Encrypted Connection)
    If you want to have a more secure login to your Linux box then you should try using a SSH daemon rather than using the standard telnet server or rlogin. SSH provides a compressed and encrypted connection to your machine and thus makes it harder for someone to 'sniffer' your telnet connection and work our your password or any other sensitive information you don't want anyone to see (just think how bad it would be if someone worked out your root password by sniffing your connection as you run the su command).

    The first thing you will need to do is download a SSH daemon (server), the first one that we used for this was found at www.ssh.com and downloaded from the Aarnet mirror here. The RPM is probably the easiest to download, but the source in .tar.gz format is also available. Once you have downloaded the daemon then you will need to install it, we used the file ssh-2.4.0-1.i386.rpm, and you can install this simply by typing rpm -ivh ssh-2.4.0-1.i386.rpm at the console prompt. Once it has finished installing, it will generate itself a key for the server (unless you previously had a SSHd on your system). Now you can run this, there are two ways, you can either make it run on port 23 instead of telnet on another port such as 22 and you can use telnet for your LAN (secure already) and SSH for your WAN (more vulnerable). Its recommended that you run them together, if you worried about the telnet server being open to the outside world then you can block the port from external interface (see instructions below). If you would like to read the manual before getting started then you should type man sshd, otherwise to start the server just type /usr/local/sbin/sshd -p <port> (this example selected port 22 as its similar to the telnet 23 and therefore easier to remember).

    One good idea is to make your SSHd NOT permit users to log in as root, this is what telnet does by default. In order to set this up you must edit your sshd_config file (usually /etc/sshd_config), and change the PermitRootLogin yes line to PermitRootLogin no. While your editing this file you can also do a number of things, you can restrict login to a certain specific IP address by modifying the ListenAddress 0.0.0.0 line and a whole lot more, so have a look around while your already there.

    Another SSHd that is defiantly worth trying is openSSH, this is apparently one of the best SSH daemons there is, with many configuration options. OpenSSH can be freely downloaded from www.openssh.com, (as always it is in our files section also) was highly recommended, it can be installed similarly to the above.

    Since SSH uses a more secure encrypted connection you will also need to install a client on your personal machine or any machine you want to use to connect to the server. Once again there are many different client available but we used SecureCRT, this was only available as a 30 day trial, but there are probably free SSH1&2 client programs available. Once you have downloaded your client you just need to install it (scrt33.exe).

    To install SecureCRT just follow the regular Windows GUI installation procedure, when you get to the dialog "Select Profile Options" you can either select a Common Profile or a Personal Profile, your selection of these depends on whether your on a shared computer and whether or not you trust the people that have access to you PC. When you get to the "Select Protocols", you want as a minimum, SSH1, SSH2, telnet, rlogin, that way you can use the program to access your box via any connection method. When the installation is complete then its time to test it all out, On your first run of the program it will ask you where you want to store you profile, just select the appropriate directory or leave it and click OK. Once loaded click the "Quick Connect" icon (second along from the left). You want to select SSH2 form the drop down (as this is what we installed earlier), then type in the hostname (or IP address) of the machine you want to connect to. Enter the appropriate port number in and then your username for the connection (this is the same as your account you would use for telnet etc.). Unless you want to save the session then uncheck the box and click "Connect". If all goes well you should be prompted for your password (you can choose to save it) and then be able to use your machine as if connected form telnet.

    Another more portable SSH Client is called Putty, this is a single executable binary file for Win9x/ME/NT/2k and can be downloaded from here. I personally prefer this program as it doesn't require installation of any kind and you can take it with you (i.e. when your on a computer that you need to log into your machine at home you can just download the 220k file and your away). The version used in this document is PuTTY Release 0.51.

    In order to use Putty just double click on the downloaded executable and then enter your machine details, such as the IP address of the machine and the port that SSH is on (should default to port 22 used in the SSHd setup above), you can save your settings by specifying a name and clicking save, and the great thing is you can use Putty for Telnet access also. Your settings should look something like this:

    Now you have configured the program you can click the "Open" button and it will connect to the specified machine. Please note that the first time you run Putty (or any SSH client for that matter) you will be asked to save the security key, which is used to encode and decode the SSH session.

    Once connected you can use this just as you would your normal Telnet session, also a good feature of SSH is that it will display the different colours that Linux distros use to tell you which is a directory and which is a file. (This is not possible in Win98/NT Telnet, but is in Win2k as some of you may already know)

    To make your SSHd start when your box is booting (an especially good idea if your not using Telnet anymore) you will need to add the the above used command in one of your initialisation scripts, e.g. edit your /etc/rc.d/rc.local file and add something like the following line (at the end of the file):

    echo "Starting SSHd Service..."; /usr/local/sbin/sshd -p 22

    Next step setting up your firewall... CONTINUE

    Proudly Hosted By:
    Hosted by PEBKAC Consulting

    Please read our Legal Notice for information concerning our site and its content.
    All logos and trademarks in this site are property of their respective owner. All the rest © 2000 - 2016 by Linuxathome.net

    Reviews

    D-Link DI-704P
    VIA EPIA-M 9000
    Tux Applique
    Ricoh MP5125A
    AMD XP 2600+
    3DProphet 9000Pro
    Radeon 9700 Pro
    XTNDAccess IrDA
    Netgear FS-524s
    DSR2161 KVM
    Game TheaterXP & XPS-510 Speakers
    3D Prophet 4000XT
    AutoView 400
    Back-UPS CS 350
    Dual Neon Kit
    SwitchView KVM
    20x4 LCD Kit
    Window Kit

     
    Kuro5hin.org
    XML error: Mismatched tag at line 27.
     
    Google (Linux)
    Enter Keywords:

     
    Bash Jokes

    % ^What is saccharine?

    Bad substitute.

     
    Virtualization, Virtual Machine & Virtual Server Consolidation - VMware

    The Community ENTerprise Operating System

    Get Slackware Linux

    Use OpenOffice.org

    Use Asterisk