Scientific Linux Forum.org




Secure and access one directory remotely
elliotsagan (SLF Rookie, Member No. 185, joined 16-May 11) posted May 21 2011, 03:27 PM

QUOTE (redman @ May 9 2011, 08:04 AM)
Securing SSH (or OpenSSH) is important since it provides the key to remote management of your webserver, workstation or other Linux computer. Since OpenSSH has become the standard in remote access, it is also the first place where burglars will try to break in. By default an SSH configuration is good but not perfect. With the following six steps you can harden the security.

Step 1: Use strong usernames
This sounds silly, but isn't. You do not want to know how many admins use simple usernames and passwords. If you want to amaze yourself at how simply they think, check out this page. So, what should you use? Well, think as a burglar first. They will randomly scan the internet for systems that have port 22 open (the default port number used by SSH, see also step 3). And when they have a hit (an IP address where they detect port 22), they will try to force their way in by pounding on the door with all frequently used usernames and passwords. Checking out your log files will give you some idea.

So, what is a good username to use on your server? Well, let's look at usernames not to use. Do not use usernames that are obvious. Not: root, admin, administrator, r00t, etc. But also do not use names from famous people, movies, etc. Also bad: britney, osama, obama, etc. The best username is one that is creative. Use something from your native language (unless it is English). Or something that isn't IT related. You can make it more difficult by mixing lower case letters and CAPITAL letters: like "DonaldDuck" for example.

Step 2: Use strong passwords
Just like strong usernames, the passwords should be even stronger. It goes without saying that passwords shouldn't contain bits and pieces that can be related to you. So names of your kids, husband/wife or pets should be avoided, obviously. Neither should any date related to you. A list of bad passwords can be found here.

Again, be creative. You could use:
- minimum 8 characters (the longer the better)
- mix lower case and capital letters (DuCkSaUcE instead of ducksauce)
- mix letters, numbers and special characters (such as #, %, !, etc.)
- replace letters with something special (for example, replace "a" by "@")

Step 3: Change the default firewall port used by SSH
By default, SSH uses port 22 as its door to the outside world. And that is exactly the reason you should change it, because burglars know it too. Take a look at this page for a free port. Anything above 1024 is good and won't require you to disable SELinux. Of course do not use 222 or 2222 as they are too obvious. Be creative (did I mention that before?).

Changing this is simple. Use your favorite editor and as root open the file /etc/ssh/sshd_config and locate/add this info:
CODE
# Run ssh on a non-standard port:
Port 22

Change 22 to anything you like.
Restart the sshd service:
CODE
service sshd restart


Important: before you change this, you need to configure your firewall first!
Allow the new port to be open, otherwise you will not be able to log in.
Afterwards you need to close port 22 to fool burglars.

Step 4: Limit the number of users who can log in
Another way of securing your system is to limit the number of users that are allowed to use SSH. The reason for limiting is simple: the more people who have a password, the bigger the chance one of them could be compromised. Limiting the users is, again, a simple thing to do. Use your favorite editor and as root open the file /etc/ssh/sshd_config and add this info at the end of the file:
CODE
AllowUsers george troy

Restart the sshd service and only George and Troy can log in.

Step 5: Disable root login
I do not think the reasons why root shouldn't be able to log in need to be explained.
Disabling is easy. As root open the file /etc/ssh/sshd_config and locate/add this info:
CODE
# Prevent root logins:
PermitRootLogin no

Change this to yes and restart the sshd service.

Step 6: Disable SSH protocol 1
From the past, there are two SSH protocols in use, 1 and 2.
By default, especially with newer distros, only protocol 2 is in use.
Protocol 1 is the older one and less secure. Make sure it is disabled.
Open the file /etc/ssh/sshd_config and check if the following is set:
CODE
# Protocol 2,1
Protocol 2

If you had to change this, restart the sshd service.


Remark: you might have noticed that I used the word "burglar" instead of "hacker" (as most news agencies do). This is simply because a hacker is something other than a script kiddie who tries to force his way into someone's computer. If you want to know the difference, read here.

Hi redman!

Thank you very much for your very useful tips. Neat and straightforward. IMO, we are able to recognize real intelligence not in the obscure but in light, clear and concise arguments.
How could I access one and only one directory on my other home-networked PC?
Would you kindly help me to get to this next step?
Needless to say, I am a Linux newbie.
TIA
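The four sshd_config directives that steps 3 to 6 of the quoted post change can be checked by a script rather than by eyeballing the file. The script below is an added example and is not part of redman's post or of OpenSSH: it reads a config the way sshd does (the first uncommented occurrence of a directive wins), reports every directive still at its weak default, and returns the number of findings. The two sample configs, the port 4711 and the temp-file names are constructed for the example; the user names george and troy are the ones from step 4. OpenSSH 7.6 and later no longer have a Protocol directive at all, so that particular check is for the OpenSSH 5.x the thread's SL6 systems run.

```shell
#!/bin/sh
# Added example, not part of redman's post or of OpenSSH: audit an
# sshd_config for the directives steps 3 to 6 change.  The sample configs,
# the port 4711 and the temp-file names are constructed for the example.

# sshd_get FILE DIRECTIVE: print the effective value of a directive.
# sshd keeps the first uncommented occurrence, so this does the same.
# Prints nothing when the directive is not set at all.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per directive still at its weak default.
# Return value = number of findings (0 means all four steps are done).
audit_sshd_config() {
    findings=0

    # Step 3: Port.  Unset means 22.
    port=$(sshd_get "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: sshd listens on 22; choose a free port above 1024 and open it in the firewall BEFORE restarting sshd"
        findings=$((findings + 1))
    fi

    # Step 4: AllowUsers.  Unset means every local account may log in.
    if [ -z "$(sshd_get "$1" AllowUsers)" ]; then
        echo "AllowUsers: not set; every account with a password is exposed to guessing"
        findings=$((findings + 1))
    fi

    # Step 5: PermitRootLogin.  OpenSSH 5.x defaults to yes when unset.
    root=$(sshd_get "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin: '${root:-unset}' (default yes); set it to no"
        findings=$((findings + 1))
    fi

    # Step 6: Protocol.  OpenSSH before 5.4 defaulted to "2,1"; 7.6 and
    # later dropped the directive, so this check is for the 5.x era.
    proto=$(sshd_get "$1" Protocol)
    case "$proto" in
        2)   ;;
        *1*) echo "Protocol: '$proto' still accepts protocol 1"; findings=$((findings + 1)) ;;
        *)   echo "Protocol: '${proto:-unset}'; set 'Protocol 2' explicitly"; findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample configs: a shipped-default look-alike and a hardened one.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/default.conf" <<'EOF'
# Run ssh on a non-standard port:
Port 22
#PermitRootLogin yes
Protocol 2,1
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
Port 4711
AllowUsers george troy
PermitRootLogin no
Protocol 2
EOF

for f in default hardened; do
    n=0
    echo "== $f.conf"
    audit_sshd_config "$tmpdir/$f.conf" || n=$?
    echo "findings: $n"
done
# After editing the real file: "sshd -t" syntax-checks it, and keep the
# current session open until a second login on the new port succeeds.
```

Two practical notes the post leaves implicit: `sshd -t` validates the edited file before a restart locks you out, and a change of Port should always be confirmed from a second session before the first one is closed.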
redman (SLF Admin, Member No. 2, joined 8-April 11) posted May 23 2011, 05:38 PM

First you need to think about HOW you want to access the directory remotely. Via FTP (using an FTP program to upload/download files), NFS (connect a directory like others on a Linux system) or simply through SSH? That answer determines what you need to set up.
helikaon (SLF Moderator, Member No. 4, joined 8-April 11) posted May 26 2011, 09:32 AM

"samba" possible too :-)
or all the combinations together :-))
elliotsagan posted May 27 2011, 10:34 AM

QUOTE (redman @ May 23 2011, 02:38 PM)
First you need to think about HOW you want to access the directory remotely. Via FTP (using an FTP program to upload/download files), NFS (connect a directory like others on a Linux system) or simply through SSH? That answer determines what you need to set up.

Ok. Thank you very much for your reply.
I am guessing I need to read a lot more about how a Linux system works.
But, only to clarify my question: I am "building up" a little home network. Two workstations with Fedora 14, another one with SL6 and one more with Win7.
I was able to share my disks on each computer using sshd. But it would be a better way if I could mount the shared directories, because my needs are LAN oriented.
I do not want to bother you with this situation, sorry.
Regards
redman posted May 27 2011, 10:46 AM

QUOTE (elliotsagan @ May 27 2011, 12:34 PM)
I do not want to bother you with this situation, sorry.

You aren't bothering.

If you want to mount a network share on all systems, you could go for an NFS server. Setting it up is not very hard; you might want to have a look here.

Info on how to mount an NFS share on a Windows system can be read here (by Microsoft).
Windows 7 related info can be found here.
elliotsagan posted May 30 2011, 12:04 AM

QUOTE (redman @ May 27 2011, 07:46 AM)
If you want to mount a network share on all systems, you could go for an NFS server. Setting it up is not very hard; you might want to have a look here.

Info on how to mount an NFS share on a Windows system can be read here (by Microsoft).
Windows 7 related info can be found here.

Hi Redman!
Thank you for opening up a new knowledge door. This is what NFS means to me.
elliotsagan posted May 30 2011, 12:07 AM

QUOTE (helikaon @ May 26 2011, 06:32 AM)
"samba" possible too :-)
or all the combinations together :-))

Hi helikaon!

I was trying Samba also, of course. It was an easy way... but only in the Linux-to-Windows direction.
Thank you for your tip.
Regards.
AndrewSerk (SLF Moderator, Member No. 54, joined 14-April 11) posted May 30 2011, 02:10 PM

There is also sftp, an encrypted and more secure way than NFS or Samba to mount remote file systems. SFTP helps keep those who like to explore local networks from gaining access to your fs. You can use sftp with a GUI or with the CLI.
adebened (SLF Member, Member No. 21, joined 11-April 11) posted May 30 2011, 10:57 PM

Hello,

FUSE is built into the kernel, so one could also use fuse-sshfs (available from rpmforge) to mount a directory. It just requires sshd to be running on the server and nothing more. You can access just the mounted directory and its sub-directories. Also, by default it does not follow symbolic links, but it can with the follow_symlinks option. Basically, if you can ssh into it, you can mount it.
MD11Fanboy (SLF Newbie, Member No. 172, joined 13-May 11) posted May 31 2011, 06:29 PM

Personally I use Samba (on AD auth) to authenticate all of my users logging in to EL6/F15-based boxes. Works quite well, and any accounts subject to hammering can be auto-locked out without too much trouble.
elliotsagan posted Jun 5 2011, 11:04 PM

QUOTE (elliotsagan @ May 29 2011, 09:04 PM)
Hi Redman!
Thank you for opening up a new knowledge door. This is what NFS means to me.


Hi!
NFS server setup: one step up.... I read the article at sourceforge.net but I am now needing a script to fire those daemons... I was not able to find such a script nor to build it.... Some suggestions?
Thank you in advance.
redman posted Jun 6 2011, 05:51 AM

QUOTE (elliotsagan @ Jun 6 2011, 01:04 AM)
... but I am now needing a script to fire those daemons...

Script? What script?

You enable the daemons on the server by using the graphical tool or by using the terminal as root ("chkconfig [daemon] on").

On the client(s) you automount the shares by editing /etc/fstab.
elliotsagan posted Jun 6 2011, 02:31 PM

QUOTE (redman @ Jun 6 2011, 02:51 AM)
Script? What script?

You enable the daemons on the server by using the graphical tool or by using the terminal as root ("chkconfig [daemon] on").

On the client(s) you automount the shares by editing /etc/fstab.


Hi Redman,

Finally I've got it. I am able to share my directories using NFS. It wasn't that hard, really. Thank you Redman for those kicks.
Regards
redman posted Jun 6 2011, 02:39 PM

QUOTE (elliotsagan @ Jun 6 2011, 04:31 PM)
Thank you

Good work, glad I could help you.