Security basics

Lamar Owen lowen at pari.edu
Wed Oct 3 20:22:43 UTC 2007


On Wednesday 03 October 2007, Karl Larsen wrote:
>     I have sure heard a LOT about security updates and I have had my own
> problems. For years I thought the only thing necessary was a good root
> password. This year I found out with ssh around you need a good password
> for your own login name. My problem was caused by having a super poor
> login password which was my last name. Since the login name was karl it
> followed.

Also: run ssh on some port other than 22.  This is accomplished by 
editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to 
iptables, assuming you're running iptables).  If you know the IP addresses 
from which you will always be connecting, then set your firewall (both on any 
external router as well as in /etc/sysconfig/iptables) to only allow the IP 
addresses you want.

Just changing from port 22 to some other port (and 222 or 2222 aren't good 
ones; anything above 1024 is fair game) will eliminate 90% or more of your 
risk. 

Also, set up RSA key security and eliminate password-based logins.  This is a 
fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting 
ready to go home for the day, and don't have time to type it in; if you can't 
find it anywhere, I can write one up fairly quickly, as I've set this up on 
several boxes).  Some might say to just do this and not worry about the 
listening port change; I prefer multilayered security (why I run SELinux in 
enforcing/targeted mode on servers) when possible.

With a nonstandard port you do have to remember to use the -p parameter of ssh 
to connect (and the -P parameter of scp) but in my opinion it's worth it.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
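The three settings the reply above recommends (a non-obvious listening port above 1024, key-only logins, and a firewall that admits the port only from known addresses) can be checked mechanically. The script below is an added example, not part of Lamar Owen's post or of any Fedora HOWTO: it audits an sshd_config text against that advice and emits matching /etc/sysconfig/iptables-style rules. The two configs, port 41022, and the addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders, and the rules assume a chain named INPUT (Fedora's generated file may use a differently named chain, so adjust accordingly).

```shell
#!/bin/sh
# Constructed sample sshd_config texts (not taken from any real host).
# WEAK_CONFIG shows the stock defaults the post warns about; HARDENED_CONFIG
# follows its advice. 41022 is a placeholder port, not a recommendation.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='# sshd_config after following the post
Port 41022
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd_get KEYWORD CONFIG_TEXT: print the effective value of KEYWORD.
# sshd keywords are case-insensitive and the first occurrence wins, so stop
# at the first non-comment line whose first field matches.
sshd_get() {
    printf '%s\n' "$2" | awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }'
}

# sshd_audit CONFIG_TEXT: print one finding per line; return the number of
# findings (0 means the config matches the advice in the post).
sshd_audit() {
    cfg=$1
    n=0
    port=$(sshd_get Port "$cfg"); [ -n "$port" ] || port=22          # sshd default
    case $port in
        22|222|2222)
            echo "Port $port: obvious choice; move sshd to a less-guessed port above 1024"
            n=$((n + 1)) ;;
        *)
            if [ "$port" -le 1024 ]; then
                echo "Port $port: pick a port above 1024"
                n=$((n + 1))
            fi ;;
    esac
    pa=$(sshd_get PasswordAuthentication "$cfg"); [ -n "$pa" ] || pa=yes  # sshd default
    if [ "$pa" = yes ]; then
        echo "PasswordAuthentication yes: disable once RSA keys are installed"
        n=$((n + 1))
    fi
    pk=$(sshd_get PubkeyAuthentication "$cfg"); [ -n "$pk" ] || pk=yes    # sshd default
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication no: key logins would be rejected"
        n=$((n + 1))
    fi
    return "$n"
}

# ssh_firewall_rules PORT IP...: emit iptables-save style lines that accept the
# ssh port only from the listed addresses and drop it from everywhere else.
# Assumes the INPUT chain; Fedora's /etc/sysconfig/iptables may name it differently.
ssh_firewall_rules() {
    port=$1; shift
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j DROP"
}

echo "== weak config =="
sshd_audit "$WEAK_CONFIG" || true
echo "== hardened config =="
sshd_audit "$HARDENED_CONFIG" && echo "no findings"
echo "== firewall rules for the hardened port =="
ssh_firewall_rules 41022 203.0.113.10 198.51.100.7
```

Run it with sh; the weak config produces two findings, the hardened one none. The audit reads the config text from a variable so it can be pointed at `$(cat /etc/ssh/sshd_config)` on a real host, and once the port has moved, clients connect with `ssh -p 41022` and copy with `scp -P 41022`, as the post notes.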