Re: [qmailtoaster] added entry on wiki
Martin Waschbuesch wrote:
> Hi all,
>
> As promised, I added the steps I took to make the toaster a little more secure to the user tipstricks section.
> I am rather unfamiliar with the wiki editing, so please feel free to reformat to make it 'blend in' ;)
>
> Martin

Thanks Martin! Any contributions are appreciated!

-
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] added entry on wiki
On 08.11.2009 10:57, Martin Waschbuesch wrote:
> Hi all,
>
> As promised, I added the steps I took to make the toaster a little more secure to the user tipstricks section.
> I am rather unfamiliar with the wiki editing, so please feel free to reformat to make it 'blend in' ;)
>
> Martin

About http://wiki.qmailtoaster.com/index.php/User_Tips_%26_Tricks#SSH

It is not hardening the system. :(
Someone can use a dictionary attack on an ordinary user account, then after logging in as that user try to log in as superuser (sudo, su or by a kernel bug).

I prefer:

    #Protocol 2,1
    Protocol 2
    PasswordAuthentication no

Only version 2 of the SSH protocol and no way to log in by password; I permit root login.
The file ~/.ssh/authorized_users determines who physically can log in. In this file are the public keys of those authorized to log in on this (i.e. root) account.
It's more secure. :)

Installation of ossec can improve the security of the server too.

-- 
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578
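A way to check a server for the two sshd_config settings quoted in the message above, as an added example that is not part of the original post or the wiki entry. The function names and the sample configurations are constructed for illustration; the parser follows the sshd_config(5) rules that keywords are case-insensitive and that the first value obtained for a keyword is the one used.

```python
def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings), ...])."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # "#Protocol 2,1" is only a comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        value = parts[1] if len(parts) == 2 else ""
        if keyword == "match":            # later lines apply conditionally
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(keyword, value)   # first value obtained wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means both settings hold."""
    settings, match_blocks = parse_sshd_config(text)
    findings = []
    protocol = settings.get("protocol")
    if protocol is None:
        findings.append("Protocol not set: value depends on the OpenSSH version")
    elif protocol != "2":
        findings.append(f"Protocol is '{protocol}': SSH protocol 1 is allowed")
    # PasswordAuthentication defaults to "yes" when the keyword is absent.
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords accepted")
    for criteria, block in match_blocks:
        if block.get("passwordauthentication") == "yes":
            findings.append(f"Match {criteria}: re-enables PasswordAuthentication")
    return findings


# Constructed sample configurations (not taken from a real server).
STOCK = "#Protocol 2,1\n#PasswordAuthentication yes\n"
HARDENED = "#Protocol 2,1\nProtocol 2\nPasswordAuthentication no\n"
OVERRIDE = HARDENED + "Match User backup\n    PasswordAuthentication yes\n"
FIRST_WINS = "passwordauthentication yes\nPasswordAuthentication no\nProtocol 2\n"

if __name__ == "__main__":
    for name in ("STOCK", "HARDENED", "OVERRIDE", "FIRST_WINS"):
        print(name, audit(globals()[name]))
```

On PAM-enabled builds, keyboard-interactive authentication (ChallengeResponseAuthentication) can still prompt for a password, so that keyword deserves the same check.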
Re: [qmailtoaster] added entry on wiki
On 08.11.2009 at 17:37, Aleksander Podsiadly wrote:
> On 08.11.2009 10:57, Martin Waschbuesch wrote:
>
> About http://wiki.qmailtoaster.com/index.php/User_Tips_%26_Tricks#SSH
>
> It is not hardening the system. :(

I agree there are ways to do even more (enforcing use of ssh public/private key pairs among the lot)!
But when compared to a 'stock' toaster, I think it is a good idea to limit the amount of times a dictionary based attack can come from the same IP address before that IP is banned, as the stock toaster does not provide any limitations here.

> Someone can use a dictionary attack on an ordinary user account, then after logging in as that user try to log in as superuser (sudo, su or by a kernel bug).
>
> I prefer:
>
>     #Protocol 2,1
>     Protocol 2
>     PasswordAuthentication no
>
> Only version 2 of the SSH protocol and no way to log in by password; I permit root login.
> The file ~/.ssh/authorized_users determines who physically can log in. In this file are the public keys of those authorized to log in on this (i.e. root) account.
> It's more secure. :)

Personally, I prefer not having to carry my key around with me (on a USB stick??), but I need to be able to log on from different machines.
But at any rate: I think pure SSH2/key pair authentication is a great suggestion, so why not add it to the entry?

Thanks,

Martin

-- 
No man, for any considerable period can wear one face to himself and another to the multitude without finally getting bewildered as to which may be the true.
Nathaniel Hawthorne
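The per-address limit described in the message above, as an added example that is not part of the original post or the wiki entry: it counts sshd "Failed password" lines per source address inside a sliding window and reports which addresses reach the limit. The threshold, window, assumed year, host name and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's "Failed password" line. The pattern is anchored at the end so that
# text smuggled into the username field cannot supply the address. IPv4 only.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")


def ips_to_ban(lines, max_failures=5, window=timedelta(minutes=10), year=2009):
    """Return {ip: time of the failure that reached max_failures in window}.
    Lines are expected in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    banned = {}
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned


# Constructed sample lines: documentation-range addresses, made-up host name.
SAMPLE = [
    f"Nov  8 10:57:{s:02d} toaster sshd[4242]: Failed password for "
    f"invalid user admin from 203.0.113.5 port 40000 ssh2"
    for s in range(0, 50, 10)     # five failures in under a minute
] + [
    "Nov  8 11:00:00 toaster sshd[4250]: Failed password for root from 198.51.100.7 port 40100 ssh2",
    "Nov  8 11:30:00 toaster sshd[4251]: Failed password for root from 198.51.100.7 port 40101 ssh2",
    # Username crafted to look like a log tail; the real peer is the last address.
    "Nov  8 11:31:00 toaster sshd[4252]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 198.51.100.7 port 40102 ssh2",
]

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE).items():
        print(f"ban {ip} (limit reached at {when})")
```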
Re: [qmailtoaster] added entry on wiki
On 08.11.2009 18:31, Martin Waschbuesch wrote:
> [...]
> Personally, I prefer not having to carry my key around with me (on a USB stick??), but I need to be able to log on from different machines.
> [...]

A USB stick with the file container encrypted by Truecrypt (Realcrypt) solves the problem. The private key is password encrypted too.
I can publish my root password and no one can log in without physical access to the console. :)

-- 
Pozdrawiam / Regards,
Aleksander Podsiadły
mail: a...@westside.kielce.pl
jid: a...@jabber.westside.kielce.pl
ICQ: 201121279
gg: 9150578