basic security setup? - Security


Thread: basic security setup?

  1. basic security setup?


    Would a machine with the following setup be reasonably safe from intrusion
    from a network, or would there still be other ways into the machine from
    the network:

    A linux machine with no running services except for SSH2 and only an
    administrator user. The ssh2 is configured with default settings (latest
    kubuntu) and

    PermitRootLogin no
    AllowUsers tofi

    At the moment it does not use certificates and hence is not configured
    to disallow passwords. The user password is of course not a simple password.

    Is this a decent setup?

    (I am not concerned about DDOS yet or system-internal security (such as
    bastille etc))

    regards

    thomas

  2. Re: basic security setup?

    On Thu, 04 Sep 2008 12:22:31 +0200, Tom Forsmo wrote:

    > Would a machine with the following setup be reasonably safe from intrusion
    > from a network, or would there still be other ways into the machine from
    > the network:
    >
    > A linux machine with no running services except for SSH2 and only an
    > administrator user. The ssh2 is configured with default settings (latest
    > kubuntu) and
    >
    > PermitRootLogin no
    > AllowUsers tofi
    >


    You're never 100% safe. What do you think would happen if a
    brute-force attack on user tofi is successful?

    cheers

  3. Re: basic security setup?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Burkhard Ott wrote:

    > You're never 100% safe. What do you think would happen if a
    > brute-force attack on user tofi is successful?


    http://denyhosts.sourceforge.net/


    - --
    Regards
    Alo [alo(@)uk2.net]
    PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61 "]
    Registered Linux user #276144 [http://counter.li.org]

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iEYEARECAAYFAki/0mYACgkQvzPPcPZpWmGlOACfR2VBJO2R0XLAjE7BTd3C3+6g
    rPgAoILOHSQUfarOqbhpfCPyi8R9MwFM
    =muga
    -----END PGP SIGNATURE-----
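    The denyhosts link above answers Burkhard's brute-force question with a tool rather than an explanation. What that tool does, reduced to its core, is count failed sshd password attempts per source address in auth.log and block the sources that cross a threshold. The following is an added example written for this thread, not code from denyhosts or from any poster; the function names are invented for the illustration and the log lines and addresses are constructed (RFC 5737 documentation ranges), so it runs offline on a throwaway file.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from denyhosts): count failed sshd
    # password attempts per source address and list the sources that cross a
    # threshold as hosts.deny entries. Log lines and addresses are constructed.

    # failed_per_source LOGFILE: print "count address" for every source with at
    # least one "Failed password" line from sshd, most active first. The
    # "invalid user" variant of the message is matched as well, since the source
    # address follows the "from" token in both forms.
    failed_per_source() {
        awk '
            /sshd\[[0-9]+\]: Failed password for/ {
                for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break }
            }
            END { for (ip in c) print c[ip], ip }
        ' "$1" | sort -rn
    }

    # flag_sources LOGFILE THRESHOLD: addresses with THRESHOLD or more failures,
    # one per line. This is the decision denyhosts makes before blocking.
    flag_sources() {
        failed_per_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
    }

    # deny_lines LOGFILE THRESHOLD: the same addresses in the form denyhosts
    # appends to /etc/hosts.deny. This only bites when sshd honours TCP wrappers;
    # a firewall rule per address is the alternative.
    deny_lines() {
        flag_sources "$1" "$2" | sed 's/^/sshd: /'
    }

    # write_sample_log DEST: a constructed auth.log excerpt. One source hammers
    # several accounts, one source fails once, one key login succeeds, and a
    # pam_unix line shows a failure format that is deliberately NOT counted twice.
    write_sample_log() {
        cat > "$1" <<'EOF'
Sep  4 12:22:31 box sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4321 ssh2
Sep  4 12:22:33 box sshd[1235]: Failed password for tofi from 203.0.113.7 port 4322 ssh2
Sep  4 12:22:40 box sshd[1236]: Failed password for tofi from 203.0.113.7 port 4325 ssh2
Sep  4 12:23:01 box sshd[1240]: Accepted publickey for tofi from 198.51.100.9 port 5000 ssh2
Sep  4 12:23:40 box sshd[1241]: Failed password for root from 203.0.113.7 port 4330 ssh2
Sep  4 12:24:00 box sshd[1242]: Failed password for tofi from 192.0.2.5 port 6000 ssh2
Sep  4 12:24:05 box sshd[1243]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5  user=tofi
EOF
    }

    log=$(mktemp)
    write_sample_log "$log"
    echo "failed attempts per source:"
    failed_per_source "$log"
    echo "hosts.deny entries at threshold 3:"
    deny_lines "$log" 3
    rm -f "$log"
    ```

    Run as-is it reports 4 failures from 203.0.113.7 and 1 from 192.0.2.5, and at a threshold of 3 emits `sshd: 203.0.113.7`. The threshold is the whole policy: too low and a mistyped password from your own address locks you out (denyhosts keeps an allow-list for that reason), too high and a slow guesser never trips it. Counting per address also says nothing about one password tried across many addresses, which is why the later replies in this thread push for keys instead of passwords.
    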

  4. Re: basic security setup?

    On Thu, 04 Sep 2008 14:19:50 +0200, Alo wrote:


    > http://denyhosts.sourceforge.net/



    OK, what happens if ssh has a stack overflow or similar and you could
    place code in the program stack to start a shell?
    As I said, you're never 100% safe.

    cheers

  5. Re: basic security setup?


    Burkhard Ott wrote:
    > You're never 100% safe. What do you think would happen if a
    > brute-force attack on user tofi is successful?


    I never asked if it was 100% safe. I am asking if it's safe enough to
    cover 50%, 90% or 99% of attempts happening.

    I am ruling out source code problems in Linux and ssh; I am trying to
    keep it sane, so I'll apply security updates and hope that is enough.

    Thanks for the tip about denyhosts, Alo. I will look into that.

    Other than that, I assume it's an OK solution, unless there are some other
    issues.

    Regarding

  6. Re: basic security setup?

    On Thu, 04 Sep 2008 15:13:17 +0200, Tom Forsmo wrote:

    > Other than that, I assume it's an OK solution, unless there are some other
    > issues.


    yep, you're right.

    cheers

  7. Re: basic security setup?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Burkhard Ott wrote:

    > OK, what happens if ssh has a stack overflow or similar and you could
    > place code in the program stack to start a shell?
    > As I said, you're never 100% safe.


    In security, the perfect solution does not exist; if somebody says they
    have it, it is false...


    - --
    Regards
    Alo [alo(@)uk2.net]
    PGP at http://pgp.eteo.mondragon.edu [Get "0xF6695A61 "]
    Registered Linux user #276144 [http://counter.li.org]

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iEYEARECAAYFAki/6hYACgkQvzPPcPZpWmFSfACgqnYNZTf6WyuIvxq15k8gSI66
    rzgAn0nM9tl/h1IVSUGn9UmJ8dEb7ggp
    =p5Wt
    -----END PGP SIGNATURE-----

  8. Re: basic security setup?

    On Thu, 04 Sep 2008 16:00:54 +0200, Alo wrote:

    > In security, the perfect solution does not exist; if somebody says they
    > have it, it is false...


    I totally agree, but who said that?

  9. Re: basic security setup?

    On Thu, 04 Sep 2008 12:22:31 +0200, Tom Forsmo wrote:

    >
    > Would a machine with the following setup be reasonably safe from intrusion
    > from a network, or would there still be other ways into the machine from
    > the network:
    >
    > A linux machine with no running services except for SSH2 and only an
    > administrator user. The ssh2 is configured with default settings (latest
    > kubuntu) and
    >
    > PermitRootLogin no
    > AllowUsers tofi
    >
    > At the moment it does not use certificates and hence is not configured
    > to disallow passwords. The user password is of course not a simple password.
    >
    > Is this a decent setup?
    >
    > (I am not concerned about DDOS yet or system-internal security (such as
    > bastille etc))
    >
    > regards
    >
    > thomas


    If you want to use SSH then ensure that only v2 is enabled and use keys to
    log in. Without the key you don't get in; no password required.


    --

    Regards
    Robert

    It is not just an adventure.
    It is my job!!

    Linux User #296285
    http://counter.li.org


  10. Re: basic security setup?

    Robert writes:
    > If you want to use SSH then ensure that only v2 is enabled and use
    > keys to log in. Without the key you don't get in. no password
    > required.


    Additionally you can hide the ssh access by using a non-standard port
    (preferably a very high one so port scanners have to do a full search)
    or use port knocking to get rid of 99% of the automatic exploit scans.

    Yours
    Karsten

  11. Re: basic security setup?

    Tom Forsmo :
    >
    > Would a machine with the following setup be reasonably safe from intrusion
    > from a network, or would there still be other ways into the machine from
    > the network:
    >
    > A linux machine with no running services except for SSH2 and only an
    > administrator user. The ssh2 is configured with default settings (latest
    > kubuntu) and
    >
    > PermitRootLogin no
    > AllowUsers tofi
    >
    > At the moment it does not use certificates and hence is not configured
    > to disallow passwords. The user password is of course not a simple password.


    Just suggestions (you read like you may already know stuff like this) ...

    Turn off password logins and go with crypto keys, and anything not
    coming in with your keys first will be immediately dropped.

    Also consider sudo for its logging abilities, and syslog(ng?) pointed to a
    remote host (with different root pword and admin username and pword).
    I suggest not using sudo on that one; I prefer su -'s simplicity, and
    you don't need sudo's logging internally if you watch the other
    machine's sudo logs (until someone gets through the other to the log
    server, drat).

    > Is this a decent setup?


    What level of attacker are you worried about? If script-kiddies,
    probably. If Bruce Schneier, possibly not. Good thing he (in theory)
    doesn't do that sort of thing.

    > (I am not concerned about DDOS yet or system-internal security
    > (such as bastille etc))


    I think the average user should just buy a fifty buck router. That'd
    provide all the security that 99% of the population needs.

    Make sure your backups work, including testing recovery.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  12. Re: basic security setup?


    s. keeling wrote:
    > What level of attacker are you worried about? If script-kiddies,
    > probably. If Bruce Schneier, possibly not. Good thing he (in theory)
    > doesn't do that sort of thing.


    At the moment I am not seriously worried about targeted attacks. I run a
    private consulting company, which once in a while works with technologies
    or other companies that could be seen as interesting from an industrial
    espionage point of view. (Right now I am working in the energy sector in
    Norway, which is in direct competition with and possible conflict with
    the Russians. Norway probably has technology the Russians would want.
    Additionally, they are trying to claim that a larger sea area containing
    gas and oil belongs to the Russians. They have already turned off one
    gas pipe to Europe, for a couple of weeks, to show they mean business.
    But I digress....)
    My company and I are too anonymous to be used as a gateway into the
    company. So I am not really worried about that kind of attack. And even
    if it did happen, all client data I have is stored on an encrypted
    partition, using truecrypt.
    But being security conscious and perhaps a little paranoid, you never
    know who will attack your system. I am a member of EFF Norway, so maybe
    my verbal attacks against some industries might be a reason for attack.
    You never know, but I digress and overanalyse things again....

    What I am worried about is vandals or bandwidth thieves and that sort of
    thing. I don't want my box to be used as part of a botnet, nor do I want
    it to be used as a file sharing node. I would also appreciate that box
    not being vandalised or having data deleted. There are several reasons
    for the last part. Firstly, I would have to know if something has
    happened to the box, which I don't have much experience with, so somebody
    could break in without me knowing. Secondly, when I find out something
    is wrong, I would have to spend time setting up the system and restoring
    backups, which I don't want to spend more time than necessary on.

    At the same time I am security conscious enough that I would like to gain
    the knowledge about setting it up better than needed, without going
    overboard. I am thinking of simple but pretty effective protection.

    So I am thinking, ssh2, certificate, denyhosts, non default port and
    specified user login list is simple enough but effective enough to keep
    99.5% of the attacks away, barring source code errors in linux and ssh
    and a massively targeted attack.

    tom
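    Tom's closing list (protocol 2 only, key login instead of passwords, denyhosts, a non-default port, an explicit user list) can be checked against an actual sshd_config rather than remembered. Below is an added example for this thread, not code from any poster or from OpenSSH: a POSIX sh audit that reads a config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive) and reports which of the thread's settings are missing. The function names and the two sample configs are constructed; the "op" sample mirrors Tom's starting point, the "hardened" sample applies the thread's advice. Run it against `/etc/ssh/sshd_config` on a real box and the exit status is the number of findings.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or from OpenSSH): audit an sshd_config
    # against the settings this thread converges on. Function names and the
    # sample configs are constructed for the illustration.

    # sshd_opt FILE KEYWORD: print the effective value of KEYWORD. sshd takes the
    # FIRST uncommented occurrence, so stop at the first match; print nothing when
    # the keyword is absent (the compiled-in default then applies).
    sshd_opt() {
        awk -v k="$2" '
            /^[ \t]*#/ { next }                              # skip comment lines
            tolower($1) == tolower(k) { print $2; exit }     # keywords are case-insensitive
        ' "$1"
    }

    # audit_sshd FILE: print one line per finding; return the number of findings.
    audit_sshd() {
        f=$1
        n=0

        # PermitRootLogin no: no direct root guessing (the OP already has this).
        [ "$(sshd_opt "$f" PermitRootLogin)" = "no" ] \
            || { echo "PermitRootLogin is not 'no'"; n=$((n + 1)); }

        # AllowUsers: an explicit allow-list of accounts that may log in at all.
        [ -n "$(sshd_opt "$f" AllowUsers)" ] \
            || { echo "AllowUsers is not set (any local account can try to log in)"; n=$((n + 1)); }

        # Robert's and s. keeling's point: keys only, so password guessing gets nowhere.
        [ "$(sshd_opt "$f" PasswordAuthentication)" = "no" ] \
            || { echo "PasswordAuthentication is not 'no' (brute force still possible)"; n=$((n + 1)); }
        [ "$(sshd_opt "$f" PubkeyAuthentication)" != "no" ] \
            || { echo "PubkeyAuthentication is disabled"; n=$((n + 1)); }

        # Protocol 2 only. sshd of that era accepted v1 unless told otherwise;
        # current releases speak only v2 and ignore this keyword entirely.
        proto=$(sshd_opt "$f" Protocol)
        [ "$proto" = "2" ] \
            || { echo "Protocol is '${proto:-unset}', expected exactly '2'"; n=$((n + 1)); }

        # Karsten's suggestion: a non-default port cuts scanner noise. It is
        # obscurity, not a control, so it is reported but carries no weight beyond that.
        port=$(sshd_opt "$f" Port)
        [ "${port:-22}" != "22" ] \
            || { echo "Port is 22: expect constant automated login attempts in auth.log"; n=$((n + 1)); }

        return "$n"
    }

    # write_sample_config DEST VARIANT: constructed configs, not real system files.
    # "op" mirrors the thread's starting point (distribution defaults plus the two
    # lines Tom added); "hardened" applies the thread's advice.
    write_sample_config() {
        case $2 in
            op) cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowUsers tofi
#PasswordAuthentication yes
EOF
            ;;
            hardened) cat > "$1" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers tofi
PubkeyAuthentication yes
PasswordAuthentication no
EOF
            ;;
        esac
    }

    tmp=$(mktemp)
    for v in op hardened; do
        write_sample_config "$tmp" "$v"
        printf '== %s ==\n' "$v"
        if audit_sshd "$tmp"; then echo "-> no findings"; else echo "-> $? finding(s)"; fi
    done
    rm -f "$tmp"
    ```

    The "op" sample produces two findings (password authentication still allowed, port 22) and the "hardened" sample none, which is exactly the gap between Tom's first post and his last. Two things the check cannot see: `Match` blocks, which override keywords for particular users or addresses and would need a parser that tracks them, and whether the key-only setting was applied before the old password was ever used from an untrusted network. Restart sshd after editing and confirm from a second session before closing the first.
    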
