Re: basic security setup?
On Thu, 04 Sep 2008 12:22:31 +0200, Tom Forsmo wrote:
> Would a machine with the following setup be reasonably safe from intrusion
> from a network, or would there still be other ways into the machine from
> the network:
>
> A Linux machine with no running services except for SSH2 and only an
> administrator user. The ssh2 is configured with default settings (latest
> Kubuntu) and
>
> PermitRootLogin no
> AllowUsers tofi
>
You're never 100% safe. What do you think would happen if a
brute-force attack on user tofi is successful?
cheers
Re: basic security setup?
Burkhard Ott wrote:
> You're never 100% safe. What do you think would happen if a
> brute-force attack on user tofi is successful?
http://denyhosts.sourceforge.net/
--
Regards
Alo [alo(@)uk2.net]
PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61"]
Registered Linux user #276144 [http://counter.li.org]
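The denyhosts idea Alo points to, counting failed sshd logins per source address and blocking repeat offenders, in a few lines of POSIX shell as an added example that is not from any poster or from the denyhosts project. The log lines are constructed sample data, and the threshold of 3 is an arbitrary choice for the demo.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not real data): three failures from
# one source, one failure from another, and one successful key login.
SAMPLE_LOG='Sep  4 12:22:31 box sshd[2101]: Failed password for tofi from 198.51.100.7 port 51234 ssh2
Sep  4 12:22:35 box sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Sep  4 12:22:39 box sshd[2103]: Failed password for invalid user root from 198.51.100.7 port 51244 ssh2
Sep  4 12:23:01 box sshd[2105]: Failed password for tofi from 203.0.113.9 port 40001 ssh2
Sep  4 12:23:10 box sshd[2107]: Accepted publickey for tofi from 192.0.2.20 port 39000 ssh2'

# Count "Failed password" events per source address.
# Reads sshd log lines on stdin; prints "<ip> <count>" sorted by address.
failed_counts() {
    awk '/Failed password for/ {
             # the source address is the field right after "from"
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# Turn the counts into hosts.deny lines for sources at or above THRESHOLD.
# Reads the output of failed_counts on stdin.
deny_list() {  # deny_list THRESHOLD
    awk -v t="$1" '$2 >= t { print "sshd: " $1 }'
}

# Demo: which sources in the sample log would be blocked at threshold 3?
printf '%s\n' "$SAMPLE_LOG" | failed_counts | deny_list 3
```

On a real host the input would be the sshd lines of the auth log and the output would be appended to /etc/hosts.deny, which is what denyhosts automates together with expiry of old entries.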
Re: basic security setup?
On Thu, 04 Sep 2008 14:19:50 +0200, Alo wrote:
> http://denyhosts.sourceforge.net/
OK, what happens if ssh has a stack overflow or similar and you could
place code on the program stack to start a shell?
As I said, you're never 100% safe.
cheers
Re: basic security setup?
Burkhard Ott wrote:
> You're never 100% safe. What do you think would happen if a
> brute-force attack on user tofi is successful?
I never asked if it was 100% safe. I am asking if it's safe enough to
cover 50%, 90% or 99% of attempts happening.
I am ruling out source code problems in Linux and ssh; I am trying to
keep it sane, so I'll apply security updates and hope that is enough.
Thanks for the tip about denyhosts, Alo. I will look into that.
Other than that, I assume it's an OK solution, unless there are some other
issues.
Regarding
Re: basic security setup?
On Thu, 04 Sep 2008 15:13:17 +0200, Tom Forsmo wrote:
> Other than that, I assume it's an OK solution, unless there are some other
> issues.
yep, you're right.
cheers
Re: basic security setup?
Burkhard Ott wrote:
> OK, what happens if ssh has a stack overflow or similar and you could
> place code on the program stack to start a shell?
> As I said, you're never 100% safe.
In security, the perfect solution does not exist, if somebody says it
has that, it is false...
--
Regards
Alo [alo(@)uk2.net]
PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61"]
Registered Linux user #276144 [http://counter.li.org]
Re: basic security setup?
On Thu, 04 Sep 2008 16:00:54 +0200, Alo wrote:
> In security, the perfect solution does not exist, if somebody says it
> has that, it is false...
I totally agree, but who said that?
Re: basic security setup?
On Thu, 04 Sep 2008 12:22:31 +0200, Tom Forsmo wrote:
>
> Would a machine with the following setup be reasonably safe from intrusion
> from a network, or would there still be other ways into the machine from
> the network:
>
> A Linux machine with no running services except for SSH2 and only an
> administrator user. The ssh2 is configured with default settings (latest
> Kubuntu) and
>
> PermitRootLogin no
> AllowUsers tofi
>
> At the moment it does not use certificates and hence is not configured
> to disallow passwords. The user password is of course not a simple password.
>
> Is this a decent setup?
>
> (I am not concerned about DDOS yet or system-internal security (such as
> bastille etc))
>
> regards
>
> thomas
If you want to use SSH then ensure that only v2 is enabled and use keys to
log in. Without the key you don't get in; no password required.
--
Regards
Robert
It is not just an adventure.
It is my job!!
Linux User #296285
http://counter.li.org
Re: basic security setup?
Robert <noone@noplace.nowhere> writes:
> If you want to use SSH then ensure that only v2 is enabled and use
> keys to log in. Without the key you don't get in; no password
> required.
Additionally, you can hide the ssh access by using a non-standard port
(preferably a very high one so port scanners have to do a full search)
or use port knocking to get rid of 99% of the automatic exploit scans.
Yours
Karsten
Re: basic security setup?
Tom Forsmo <spam@nospam.net>:
>
> Would a machine with the following setup be reasonably safe from intrusion
> from a network, or would there still be other ways into the machine from
> the network:
>
> A Linux machine with no running services except for SSH2 and only an
> administrator user. The ssh2 is configured with default settings (latest
> Kubuntu) and
>
> PermitRootLogin no
> AllowUsers tofi
>
> At the moment it does not use certificates and hence is not configured
> to disallow passwords. The user password is of course not a simple password.
Just suggestions (you read like you may already know stuff like this)...
Turn off password logins and go with crypto keys, and anything not
coming in with your keys first will be immediately dropped.
Also consider sudo for its logging abilities, and syslog(ng?) pointed to a
remote host (with a different root pword and admin username and pword).
I suggest not using sudo on that one; I prefer su -'s simplicity, and
you don't need sudo's logging internally if you watch the other
machine's sudo logs (until someone gets through the other to the log
server, drat).
> Is this a decent setup?
What level of attacker are you worried about? If script-kiddies,
probably. If Bruce Schneier, possibly not. Good thing he (in theory)
doesn't do that sort of thing.
> (I am not concerned about DDOS yet or system-internal security
> (such as bastille etc))
I think the average user should just buy a fifty buck router. That'd
provide all the security that 99% of the population needs.
Make sure your backups work, including testing recovery.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
Re: basic security setup?
s. keeling wrote:
> What level of attacker are you worried about? If script-kiddies,
> probably. If Bruce Schneier, possibly not. Good thing he (in theory)
> doesn't do that sort of thing.
At the moment I am not seriously worried about targeted attacks. I run a
private consulting company, which once in a while works with technologies
or other companies that could be seen as interesting from an industrial
espionage point of view. (Right now I am working in the energy sector in
Norway, which is in direct competition with and possible conflict with
the Russians. Norway probably has technology the Russians would want.
Additionally, they are trying to claim that a larger sea area containing
gas and oil belongs to the Russians. They have already turned off one
gas pipe to Europe, for a couple of weeks, to show they mean business.
But I digress....)
My company and I are too anonymous to be used as a gateway into the
company. So I am not really worried about that kind of attack. And even
if it would happen, all client data I have is stored on an encrypted
partition, using truecrypt.
But being security conscious and perhaps a little paranoid, you never
know who will attack your system. I am a member of EFF Norway, so maybe
my verbal attacks against some industries might be a reason for attack.
You never know, but I digress and overanalyse things again....)
What I am worried about is vandals or bandwidth thieves and that sort of
thing. I don't want my box to be used as part of a botnet, nor do I want
it to be used as a file sharing node. I would also appreciate that box
not being vandalised or having data deleted. There are several reasons
for the last part. Firstly, I would have to know if something has
happened to the box, which I don't have much experience with, so somebody
could break in without me knowing. Secondly, when I find out something
is wrong, I would have to spend time setting up the system and restoring
backups, which I don't want to spend more time than necessary on.
At the same time I am security conscious enough that I would like to gain
the knowledge about setting it up better than needed, without going
overboard. I am thinking of simple but pretty effective protection.
So I am thinking ssh2, certificate, denyhosts, non-default port and a
specified user login list is simple enough but effective enough to keep
99.5% of the attacks away, barring source code errors in Linux and ssh
and a massively targeted attack.
tom
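An audit of the checklist Tom settles on above (SSH2 only, keys instead of passwords, a named user list, a non-default port) run against sshd_config text, as an added example written for this thread and not taken from any poster or from OpenSSH. The two config fragments are constructed, and the defaults the script applies for absent keywords are assumptions made for the example, not a statement of what a given OpenSSH version ships with.

```shell
#!/bin/sh
# Constructed sshd_config fragments: the original poster's starting point
# (password logins still on, port 22) and one with the thread's advice applied.
WEAK_CFG='Port 22
PermitRootLogin no
AllowUsers tofi
PasswordAuthentication yes'

HARDENED_CFG='Protocol 2
Port 2222
PermitRootLogin no
AllowUsers tofi
PasswordAuthentication no
PubkeyAuthentication yes'

# Print the value of a keyword from config text; first match wins (as sshd
# does) and the keyword match is case-insensitive. Prints DEFAULT if absent.
cfg_get() {  # cfg_get CONFIG_TEXT KEYWORD DEFAULT
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }'
}

# Check one config against the checklist. Prints one line per finding and
# returns the number of findings, so 0 means every check passed.
# The defaults passed to cfg_get for absent keywords are this example's
# assumptions; confirm the real ones on your own sshd.
ssh_audit() {  # ssh_audit CONFIG_TEXT
    cfg="$1"; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }
    [ "$(cfg_get "$cfg" Protocol 2,1)" = "2" ] \
        || note "Protocol: SSH1 not disabled"
    [ "$(cfg_get "$cfg" PermitRootLogin yes)" = "no" ] \
        || note "PermitRootLogin: direct root login allowed"
    [ "$(cfg_get "$cfg" PasswordAuthentication yes)" = "no" ] \
        || note "PasswordAuthentication: passwords accepted, so brute force is possible"
    [ -n "$(cfg_get "$cfg" AllowUsers '')" ] \
        || note "AllowUsers: no user allow-list"
    [ "$(cfg_get "$cfg" Port 22)" != "22" ] \
        || note "Port: default port 22, hit by every automatic scan"
    return "$findings"
}

# Demo run against both fragments (never exits non-zero at top level).
echo "weak:";     ssh_audit "$WEAK_CFG" || echo "($? findings)"
echo "hardened:"; ssh_audit "$HARDENED_CFG" && echo "no findings"
```

On a real host, audit the effective settings printed by `sshd -T` rather than only the file, since any keyword missing from the file takes the daemon's own default.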