Newbie Security Concerns

Mark A. Garcia mag at hamletinc.com
Tue Feb 8 08:14:39 PST 2005


crzdgns1 at starpower.net wrote:

>Hello,
>
>I am a new user of UNIX and FreeBSD and have never had to do any 
>administration or security configuration myself before.  I am running 
>IP Firewall on FreeBSD-5.3-RELEASE.  Last night I was checking my 
>logs and discovered  that sshd reported many illegal users.  Does
>
This seems to be a common thing that occurs all too often on internet 
facing systems that have a publicly available ssh port.

But it being common is definitely a reason not to ignore it.  Here are 
some things that I do:

-  Don't allow root logins via the sshd_config in /etc/ssh
-  Bind ssh to a specific IP or IPs
-  Running IP Firewall, block any access to your system with generic 
block rules, then open up specific ports with specific from IPs that you 
know you will be coming from.
-  You can even go really gonzo and install ports/security/doorman which 
is a port knocking mechanism that allows you to play 
knock-knock-who-is-it.  Send a udp sequence to your server.  If it 
matches a certain type of signature, then issue a firewall rule change 
to open the port, i.e. ssh.  Very automated and convenient.  Otherwise, 
the port will be closed to all users.  If the port is open, then one 
would still have to password crack your accounts.  I'm hoping that one 
would see a port is open via email, and know it's not them and 
immediately do some justice.
-  Also, it would be good to block those ips where the password attempts 
occur.

Last but not least, your system probably isn't compromised unless you 
actually see a successful login on those accounts.

Cheers,
-.mag

> 
>that mean my system is compromised?  As configured, there are only 
>three accounts on my system, root, toor, and one user account for 
>me.  I suppose you need more information from me, but am not sure 
>what to provide.  Any help would be greatly appreciated.
>
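The following script is an added example and is not part of the original thread or of any FreeBSD tool. It works through three of the points above in runnable form: it parses sshd log lines for the "Illegal user" / "Failed password" messages the original poster saw and counts them per source address, turns the repeat offenders into ipfw deny rules (the rule numbers 1000 and up are an arbitrary choice), and checks an sshd_config for the PermitRootLogin and ListenAddress settings recommended. The log lines and the sshd_config contents in the test are constructed for the example; the "Invalid user" wording is included as an assumption because newer OpenSSH releases log that instead of "Illegal user".

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: sshd logs in the
# OpenSSH syslog format ("Illegal user NAME from IP", "Failed password for
# NAME from IP ..."), and ipfw rule numbers starting at 1000 are free.
# The log lines below are constructed for the example.

SAMPLE_LOG='Feb  8 03:12:01 host sshd[4711]: Illegal user test from 203.0.113.9
Feb  8 03:12:02 host sshd[4712]: Illegal user guest from 203.0.113.9
Feb  8 03:12:03 host sshd[4713]: Illegal user admin from 203.0.113.9
Feb  8 03:14:10 host sshd[4720]: Illegal user oracle from 198.51.100.25
Feb  8 03:20:44 host sshd[4731]: Failed password for root from 203.0.113.9 port 40222 ssh2
Feb  8 03:21:00 host sshd[4735]: Accepted publickey for me from 192.0.2.10 port 51000 ssh2'

# offenders THRESHOLD: read sshd log lines on stdin and print "COUNT IP",
# highest count first, for every source address with at least THRESHOLD
# illegal-user or failed-password attempts. Successful logins are ignored.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password)/ {
            # The source address is the word following "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# block_rules: read "COUNT IP" lines on stdin and emit one ipfw command per
# address that denies inbound TCP to port 22 from it. Rule numbers (1000+)
# are a hypothetical choice; pick ones that sort before your allow rules.
block_rules() {
    rule=1000
    while read -r count ip; do
        echo "ipfw add $rule deny tcp from $ip to me 22 in"
        rule=$((rule + 1))
    done
}

# check_sshd_config FILE: return 0 when the file both disables root logins
# and binds sshd to an explicit address; otherwise print what is missing and
# return 1.
check_sshd_config() {
    cfg="$1"
    ok=0
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no[[:space:]]*$' "$cfg" \
        || { echo "PermitRootLogin is not set to no"; ok=1; }
    grep -Eq '^[[:space:]]*ListenAddress[[:space:]]+[0-9]' "$cfg" \
        || { echo "no explicit ListenAddress (sshd listens on all interfaces)"; ok=1; }
    return $ok
}

# Demonstration on the constructed lines: anyone with 3 or more attempts.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | block_rules
```

Against a real system the pipeline would be `offenders 3 < /var/log/auth.log | block_rules | sh` (the sshd messages land in auth.log by default on FreeBSD). Put your own allow rules, the "specific from IPs that you know you will be coming from" mentioned above, at lower rule numbers than the generated denies, and keep your own address out of the offender list, otherwise a typo in your own password locks you out of the box you are trying to protect.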


