Newbie Security Concerns
Mark A. Garcia
mag at hamletinc.com
Tue Feb 8 08:14:39 PST 2005
crzdgns1 at starpower.net wrote:
>Hello,
>
>I am a new user of UNIX and FreeBSD and have never had to do any
>administration or security configuration myself before. I am running
>IP Firewall on FreeBSD-5.3-RELEASE. Last night I was checking my
>logs and discovered that sshd reported many illegal users. Does
>
This seems to be a common thing that occurs all too often on internet-facing
systems that have a publicly available ssh port.
But it being common is definitely a reason not to ignore it. Here are
some things that I do:
- Don't allow root logins via the sshd_config in /etc/ssh
- Bind ssh to a specific IP or IPs
- Running IP Firewall, block any access to your system with generic
block rules, then open up specific ports with specific from IPs that you
know you will be coming from.
- You can even go really gonzo and install ports/security/doorman which
is a port knocking mechanism that allows you to play
knock-knock-who-is-it. Send a udp sequence to your server. If it
matches a certain type of signature, then issue a firewall rule change
to open the port, i.e. ssh. Very automated and convenient. Otherwise,
the port will be closed to all users. If the port is open, then one
would still have to password crack your accounts. I'm hoping that one
would see a port is open via email, and know it's not them and
immediately do some justice.
- Also, it would be good to block those ips where the password attempts
occur.
Last but not least, your system probably isn't compromised unless you
actually see a successful login on those accounts.
Cheers,
-.mag
>
>that mean my system is compromised? As configured, there are only
>three accounts on my system, root, toor, and one user account for
>me. I suppose you need more information from me, but am not sure
>what to provide. Any help would be greatly appreciated.
>
>
>
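The sshd_config, ipfw and "block the attacking IPs" steps from the reply above, worked through in shell as an added example (this is not code from the post, the poster, or the FreeBSD project). It assumes FreeBSD's ipfw syntax, sshd's "Illegal user"/"Failed password" log lines as written to /var/log/auth.log, a hypothetical management host 192.0.2.10 and listen address 192.0.2.1, free rule numbers 100-65000, and the constructed sample log lines embedded in the script; the generated rules are printed, not applied, so it runs anywhere.

```shell
#!/bin/sh
# Added example: baseline ipfw/sshd hardening plus a helper that turns sshd
# brute-force log lines into ipfw deny rules.  Addresses, rule numbers and the
# log lines below are assumptions/constructed for illustration.

# Constructed sample auth.log excerpt (not real logs), in the format
# FreeBSD 5.x sshd writes: "Illegal user", "Failed password", "Accepted".
SAMPLE_LOG='Feb  8 03:12:01 host sshd[1234]: Illegal user test from 203.0.113.5
Feb  8 03:12:03 host sshd[1235]: Illegal user admin from 203.0.113.5
Feb  8 03:12:05 host sshd[1236]: Illegal user oracle from 198.51.100.77
Feb  8 03:12:09 host sshd[1237]: Illegal user guest from 203.0.113.5
Feb  8 03:13:10 host sshd[1240]: Accepted publickey for mag from 192.0.2.10 port 51512 ssh2
Feb  8 03:14:00 host sshd[1241]: Failed password for root from 198.51.100.77 port 4022 ssh2'

# The static part of the advice: sshd directives and a default-deny ipfw
# ruleset that only admits ssh from one known management host (assumed IPs).
baseline_rules() {
    cat <<'EOF'
# /etc/ssh/sshd_config: no root logins, listen only on the management address
PermitRootLogin no
ListenAddress 192.0.2.1
# ipfw: loopback and established traffic first, ssh only from 192.0.2.10,
# deny everything else.  Per-attacker deny rules go in the 500-999 range so
# they are evaluated before the ssh allow rule at 1000.
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow tcp from any to any established
ipfw add 1000 allow tcp from 192.0.2.10 to me 22 setup in
ipfw add 65000 deny ip from any to any
EOF
}

# Read sshd log text on stdin; print "IP count" for every source address that
# produced an "Illegal user" or "Failed password" line, most active first.
# Successful logins ("Accepted ...") are deliberately not counted.
attacker_ips() {
    grep -E 'sshd\[[0-9]+\]: (Illegal user .* from|Failed password for .* from) ' \
    | sed -E 's/.* from ([0-9.]+).*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Read sshd log text on stdin; emit one "ipfw add N deny" command per address
# with at least $1 attempts (default 3), numbered from 500 upward.
ipfw_block_rules() {
    thr=${1:-3}
    n=500
    attacker_ips | while read ip cnt; do
        if [ "$cnt" -ge "$thr" ]; then
            echo "ipfw add $n deny ip from $ip to any"
            n=$((n + 1))
        fi
    done
}

# Stand-alone run: show the baseline and the rules derived from the sample.
# On a real host you would feed it the log instead:
#   ipfw_block_rules 3 < /var/log/auth.log | sh
baseline_rules
printf '%s\n' "$SAMPLE_LOG" | ipfw_block_rules 3
```

The threshold keeps a single mistyped password from a legitimate host out of the deny list; the output is piped to `sh` only after reading it, so a bad regex match cannot lock out the management address without being seen first.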