Simple Security Setup

Disable ftp and telnet and use ssh instead (this is the default on the Red Hat family). Use iptables and SELinux. In addition:
  1. Disable ssh login for root by adding the following line to /etc/ssh/sshd_config:
    PermitRootLogin no
  2. Allow only SSH protocol version 2:
    Protocol 2
  3. Reduce the number of authentication attempts allowed per connection (every rejected public key a client offers counts as one attempt, so with this value the client must offer the right key first):
    MaxAuthTries 1
  4. Slow down ssh brute-force attempts with iptables (a burst of 2 new connections, then 1 per minute):
    -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 2 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j DROP
  5. Install pam_abl to blacklist hosts automatically.
  6. Create accounts with the nologin shell for users who only need email.
  7. Use AllowUsers in sshd_config to restrict which accounts may log in over ssh:
    AllowUsers userid1 userid2
  8. If a host tries ssh more than 6 times within 60 seconds, it is rejected for one hour (the hour restarts on every further attempt because of --update); a host that stays quiet for an hour is removed from the blacklist:
    -N SSH
    -N SSH_ABL
    # already blacklisted and seen within the last hour: refresh the timer and reject
    -A SSH -m recent --name SSH_ABL --update --seconds 3600 -j REJECT
    # already 6 hits within 60 seconds: blacklist this host
    -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 6 -j SSH_ABL
    -A SSH_ABL -m recent --name SSH_ABL --set -j LOG --log-level warn --log-prefix "ABL: +SSH: "
    -A SSH_ABL -j REJECT
    # two second pause enforced between accesses
    -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "RATE: "
    -A SSH -m recent --name SSH --update --seconds 2 -j REJECT
    # blacklist entry older than an hour: drop it and log the removal
    -A SSH -m recent --name SSH_ABL --remove -j LOG --log-level warn --log-prefix "ABL: -SSH: "
    # record this hit and let the connection through
    -A SSH -m recent --name SSH --set -j ACCEPT
    # send every new connection to port 22 through the SSH chain
    -A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH
  9. Use TCP Wrappers: restrict sshd in /etc/hosts.allow and /etc/hosts.deny.
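The sshd_config settings from steps 1, 2, 3 and 7 can be audited with the script below, added here as an example and not part of the original post. It relies on sshd taking the first occurrence of a keyword and ignoring later duplicates, and on keywords being case-insensitive; the function names and the sample config are constructed for this example.

```sh
#!/bin/sh
# Audit an sshd_config for the settings above. Two traps this handles: sshd uses the
# FIRST occurrence of a keyword (later duplicates are ignored), and everything after
# the first "Match" line is conditional, so reading stops there. Assumes "Keyword value"
# lines; the "Keyword=value" form is not parsed.

# sshd_effective FILE KEYWORD: print the effective global value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == "match"   { exit }      # end of the global section
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED: 0 if the effective value matches, else report and 1
check_setting() {
    val=$(sshd_effective "$1" "$2")
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ] && return 0
    printf 'FAIL %s: effective value "%s", expected "%s"\n' "$2" "${val:-<unset>}" "$3"
    return 1
}

# audit_sshd_config FILE: print one line per failed check, return the failure count
audit_sshd_config() {
    fails=0
    check_setting "$1" PermitRootLogin no || fails=$((fails + 1))
    check_setting "$1" Protocol 2         || fails=$((fails + 1))
    check_setting "$1" MaxAuthTries 1     || fails=$((fails + 1))
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo 'FAIL AllowUsers: not set, so every account may log in over ssh'
        fails=$((fails + 1))
    fi
    return "$fails"
}
# Constructed sample config (not from a real host): the first PermitRootLogin wins,
# so the later "no" and the one inside the Match block change nothing.
SAMPLE=$(mktemp) && trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Protocol 2
PermitRootLogin yes
MaxAuthTries 1
permitrootlogin no
AllowUsers userid1 userid2
Match User backup
    PermitRootLogin no
EOF
rc=0; audit_sshd_config "$SAMPLE" || rc=$?
echo "failed checks: $rc"    # prints 1: PermitRootLogin is effectively "yes"
```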