These have kept me pretty safe.

Install denyhosts; sshd is usually compiled to take advantage of the tcp wrapper library. Denyhosts will download (if you enable the feature) a list of blocked IP addresses and allow you to set rules on how many login attempts are permitted before blocking an IP. It also allows you to specify a purge period.

Set AllowUsers to only the specific users you want to allow to ssh into your machine. This can be just username or usern...@address. I usually have one user that can do nothing but log in and be an unprivileged user with no address, and another user that is bound to certain addresses. That way, if I am at a remote location I can still get in and su into the user that has sudo access.

Set up key-based encryption and turn off password-based logins. http://www.digital39.com/computers/ssh-lockdown/2008/04/ will give you a breakdown on setting that up.

Install and enable logwatch and set it to the highest level of detail. This will send you an email with login attempts, denyhosts log entries, and a lot of good system information. If someone breaks in, the logs will be useless if they are good, but it is nice to know the information logwatch sends out.

I usually block everything but 443, 80, and 22 on my servers and use tunnels to get to anything else.

If it is only one server it might not be possible, but setting up syslogd to log remotely will make the logs more effective. The attacker would then have to break into the 2nd machine to get access to the /var/log/secure entries that he would need to remove.

Check for rootkits from time to time.

On Tue, Oct 14, 2008 at 3:18 PM, Ragi Y. Burhum <[email protected]> wrote:
> Do any of you have a sort of checklist that you go over or reference guide
> (self made or available somewhere) that you use when you are going to put an
> Ubuntu Server live to the evil Internet?
>
> I am looking for something more specific than "close the ports that you are
> not using" or "uninstall the stuff you don't need". "Maybe something like
> sendmail is on by default. Take it out" or "chmod this file and that file
> for x reason." "Use so and so package to monitor for weird activities and so
> on and so forth"
>
> My Ubuntu system is working perfectly now (it has all the stuff I need)...
> I just need to make sure that a portscanner and some brute force crap will
> not take it out within 5 minutes of putting it live :)
>
> Recommendations?
>
> - Ragi
>
> _______________________________________________
> LinuxUsers mailing list
> [email protected]
> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>

-- 
Peter Manis
(678) 269-7979
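Added example, not from Peter's post or the linked write-up: a POSIX shell audit that reads an sshd_config and reports whether the lockdown described above is actually in effect (password logins off, an AllowUsers list present, plus the keyboard-interactive/PAM path that can still prompt for a password after PasswordAuthentication is set to no). The function names (sshd_value, audit_sshd_config, finding_count), the two sample config files and the address 203.0.113.10 are constructed for the demonstration; the compiled-in defaults it falls back on (PasswordAuthentication yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes) are the OpenSSH documented defaults.

```shell
#!/bin/sh
# Audit an sshd_config for the settings recommended in the post.
# Added example, not code from the post. Needs only POSIX sh and awk.
#
# sshd parsing rules mirrored here: keywords are case-insensitive, "=" may
# separate keyword and value, the FIRST occurrence of a keyword wins, and
# everything after a "Match" line applies only to that block. The audit
# therefore reads the global section only and stops at the first Match line.

# sshd_value FILE KEYWORD -> prints the effective global value, nothing if unset
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); FS = "[ \t=]+" }
        {
            sub(/^[ \t]+/, "")                          # trim indent, re-split
            if ($0 == "" || $0 ~ /^#/) next             # blank lines, comments
            if (tolower($1) == "match") exit            # end of global section
            if (tolower($1) == key) { print $2; exit }  # first occurrence wins
        }' "$1"
}

# effective FILE KEYWORD DEFAULT -> value from the file or sshd's DEFAULT, lower-cased
effective() {
    v=$(sshd_value "$1" "$2")
    [ -n "$v" ] || v="$3"
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# audit_sshd_config FILE -> prints one line per finding; no output means clean
audit_sshd_config() {
    f="$1"
    if [ "$(effective "$f" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication: password logins still allowed (set it to no, keys only)"
    fi
    if [ "$(effective "$f" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication: key logins disabled; nothing is left once passwords are off"
    fi
    # KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication)
    # defaults to yes; together with UsePAM yes it still prompts for a password.
    kbd=$(sshd_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$f" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=yes
    if [ "$(printf '%s' "$kbd" | tr 'A-Z' 'a-z')" != no ]; then
        echo "KbdInteractiveAuthentication: keyboard-interactive (PAM) password prompts still possible"
    fi
    if [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "AllowUsers: not set, so every local account may attempt to log in"
    fi
}

# finding_count FILE -> number of findings (0 means the audit passed)
finding_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs (not real files from the post), for a dry run.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
UsePAM yes
# appended later; sshd keeps the FIRST value, so this line changes nothing:
PasswordAuthentication no
EOF

cat >"$HARD_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers shell_only admin@203.0.113.10
Match User shell_only
    X11Forwarding no
EOF

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $conf: $(finding_count "$conf") finding(s)"
    audit_sshd_config "$conf"
done
```

Point it at /etc/ssh/sshd_config on the real box, or at the output of `sshd -T`, which prints the effective configuration after sshd has resolved defaults and duplicate keywords itself and is the authoritative check before you close your last password session.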
