[ILUG] Help with web site security

[kevin]

If you are looking at securing ssh we found that people tried to brute
force guess passwords on the ssh port about 2-3 times week. Not really a
risk if you have a good password policy but fills the logs up. We looked
at various options and ended up using a few lines in iptables to monitor
connections and drop ones obviously from automated brute force crackers.
There are plenty of references on the internet - search for "ssh
iptables brute force" some examples are:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

http://www.go2linux.org/linux/2010/04/stop-brute-force-attacks-these-iptables-examples-732

You can use it to block brute force attacks on any port.

I preferred it to log scanners like fail2ban because it works
immediately and is very simple to set up.

Kevin.


-----Original Message-----
From: Niall O Broin <niall at magicgoeshere.com>
To: Kevin Brennan <kevin.brennan at redsquared.com>
Cc: ilug at linux.ie
Subject: Re: [ILUG] Help with web site security
Date: Thu, 5 Jan 2012 09:50:04 +0000

On 5 Jan 2012, at 08:21, Kevin Brennan wrote:

> - make sure root access via ssh is disabled

I see this touted now and then. What is the rationale? What I hear offered is "Well, you first have to get access to an account, and then you have to have the root password" i.e. you're forcing one extra layer of security . Well, why not then force 2 extra, with e.g. hardware tokens. Or 3 extra, with IP address restrictions too.

> - move ssh from port 22

If moving ssh from port 22 enhances your security, then you're doing it wrongly. All that does is keep your log files less cluttered by getting rid of (most of) the script kiddies. The only way they can get in is by guessing passwords, and you absolutely should not allow password authenticated access via ssh for that very reason - key based access is the way to go.

> - install denyhosts

Or fail2ban, which can secure more than just ssh.


Niall