| 1 |
Hey Colin, |
| 2 |
|
| 3 |
I was looking at the /etc/ssh/sshd_config file and found these: |
| 4 |
|
| 5 |
LoginGraceTime 600 |
| 6 |
MaxAuthTries 6 |
| 7 |
|
| 8 |
Is the first one what you meant? |
| 9 |
|
| 10 |
The second seems like an attempt to avoid brute force login. |
| 11 |
|
| 12 |
Also, does Grub need any kind of password protection? I don't know if |
| 13 |
it was Grub or Lilo that allowed root access unless password |
| 14 |
protected. Am I mistaken? |
| 15 |
|
| 16 |
As you can see, I still have a lot to learn. ;) |
| 17 |
|
| 18 |
2005/8/3, Colin <signofzeta@×××××.com>: |
| 19 |
> |
| 20 |
> On Aug 2, 2005, at 7:50 PM, Raphael Melo de Oliveira Bastos Sales wrote: |
| 21 |
> |
| 22 |
> > Hi there, |
| 23 |
> > |
| 24 |
> > I was wondering what tools should I use to detect security flaws to |
| 25 |
> > my server and a few tips on how to use them. What are the most common |
| 26 |
> > forms of attack and how do I avoid being attacked by one of them? |
| 27 |
> > |
| 28 |
> > The services avaliable are only Apache - SSL and SSH. I've |
| 29 |
> > installed an firewall, iptables and firestarter to control it, and |
| 30 |
> > blocked all ports except 443 and 8080, where the SSH is listening. |
| 31 |
> > Apache has PHP installed as a module. |
| 32 |
> > |
| 33 |
> |
| 34 |
> Want to know how secure your server is? Try and hack it! |
| 35 |
> |
| 36 |
> A good port scanner like nmap should be a basic check of your |
| 37 |
> firewall. I would also set nmap (if it can do this) to perform a SYN |
| 38 |
> flood as it scans, to see if your server can withstand that basic DoS |
| 39 |
> attack. (Adding --syn to your TCP rules in iptables can prevent SYN |
| 40 |
> flooding when used with SYN cookies.) When you break in, find out |
| 41 |
> why it worked and how it can be patched. |
| 42 |
> |
| 43 |
> Some things I would advise (I'm currently working on a server at the |
| 44 |
> moment as well): |
| 45 |
> - If the server is really important (or if you're paranoid), use |
| 46 |
> the hardened-sources with PIE/SSP to prevent badly-written programs |
| 47 |
> from arbitrarily executing code. |
| 48 |
> - Enable SYN flood protection. There's a kernel option somewhere |
| 49 |
> about IPv4 SYN cookies, enable that, and couple it with --syn |
| 50 |
> attached to your TCP rules in iptables. It's a very popular denial- |
| 51 |
> of-service attack. |
| 52 |
> - Whenever you need to login or authenticate yourself, make the |
| 53 |
> system delay five seconds after a bad password is entered. This will |
| 54 |
> make a brute-force attack much much slower (0.2 passwords/sec as |
| 55 |
> opposed to millions passwords/sec without a delay, depending on your |
| 56 |
> server's speed). |
| 57 |
> - Make sure iptables is set to deny all traffic that isn't |
| 58 |
> explicitly allowed. |
| 59 |
> - Turn off any services you don't need. |
| 60 |
> - Read through your logs every now and then. I highly advise |
| 61 |
> having the server burn them to a CD/floppy every now and then for an |
| 62 |
> instant backup. Get a log reader/parser, too. |
| 63 |
> |
| 64 |
> Naturally, hide the server in the attic or basement. Chain it to |
| 65 |
> something, or if it has a security slot, use a security cable. Put a |
| 66 |
> lock on the case door. Unplug your floppy/CD drives if you're not |
| 67 |
> using them. As of this writing, there is no kernel option to keep |
| 68 |
> your computer or its innards from walking away. :-) |
| 69 |
> -- |
| 70 |
> Colin |
| 71 |
> -- |
| 72 |
> gentoo-user@g.o mailing list |
| 73 |
> |
| 74 |
> |
| 75 |
|
| 76 |
-- |
| 77 |
gentoo-user@g.o mailing list |
Archives