On 5/16/2011 6:15 PM, Patrick Litke wrote:
> @Rene - I see lots of people saying fail2ban is invaluable, and I have
> gotten it compiled (after realizing I can just apt-get it) and
> theoretically running, but the documentation is pretty limited. I
> have no idea what I'm doing and I haven't really found a good tutorial
> about it.

The default config is pretty good; the only thing I edited in my setup
was /etc/fail2ban/jail.conf. See the comments in that file for what all
may need tweaking.

> I am still working on getting iptables configured properly. It's a
> bit trickier than I had originally imagined. When you all are working
> in your servers, do you ever use a GUI at all? (don't hate me for
> being a total newbie :P ) And, that's not to say that I am
> uncomfortable in the console, just .. well, see the blind man /
> chainsaw reference.

I avoid using the GUIs for server config. Partly because of my age, I
started playing on Unix before there was a GUI. Also partly because I
do consulting on the side and it's much easier to get a command line on
a remote server than access to an exported GUI.
Debian/Ubuntu/CentOS/Fedora, they all have different config GUIs but
generally the text config files are in the same place and say the same
things. So in the interest of memorizing as little as possible, I'm
gonna stick with the text files.
Finally, it's generally good and often critical to read the text config
files because that's where the developers tend to leave a lot of
comments that help you figure out what's going on.

> @Jim - Thank you for the advice. I am unclear as to how users for
> services are handled. Though, I guess it makes sense that if a
> service needs its own user, then logins shouldn't be allowed. But if
> that's the case, then how does one (the service) even run as said
> user? As far as the brute force or the ftp-eavesdrop, I highly doubt
> either. FTP was never set up for just that reason of being too
> insecure (not that it ultimately would have mattered).

From a security standpoint, each service should be running as a
separate user. So if somebody finds a hole to hack into that service,
the damage they can do is limited to the files that user can access. If
each service is locked into its own sandbox, then the damage is
limited. If a hacker manages to break into a process running as root,
well, it's game over.

> @Dan - How does one go about modifying a user's shell access level?
> Your advice is great, I appreciate it a lot.

Either through the chsh program or just edit the /etc/passwd file.
Rene
--
------------------------------------------------------------------------
René Churchill
VP of Development (i.e. Geek #2)
WherezIt.com - Your source for Local information
[email protected]
802-244-7880 x527
http://www.wherezit.com/
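
An added example, not part of the original message: a shell function that audits passwd-format data for service accounts that still have a login shell, which is the field chsh or an /etc/passwd edit changes. The sample entries, the account name ftpsvc and the UID cutoff of 1000 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format:
#   name:password:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:105:110:MySQL Server:/var/lib/mysql:/bin/false
ftpsvc:x:106:111:FTP service:/srv/ftp:/bin/bash
patrick:x:1000:1000:Patrick:/home/patrick:/bin/bash
EOF
}

# Read passwd-format lines on stdin and print the names of service
# accounts (0 < UID < cutoff) whose shell field still permits a login.
# $1 is the first UID given to regular users; 1000 is an assumed
# default, check UID_MIN in /etc/login.defs on the host being audited.
# An empty shell field is reported too, because it falls back to /bin/sh.
login_capable_service_accounts() {
    awk -F: -v min="${1:-1000}" '
        /^#/ || NF < 7 { next }                 # skip comments, short lines
        $3 > 0 && $3 < min && $7 !~ /\/(nologin|false)$/ { print $1 }
    '
}

# Run against the constructed sample. On a real host:
#   login_capable_service_accounts < /etc/passwd
sample_passwd | login_capable_service_accounts

# To close a finding (run as root), set a non-login shell:
#   chsh -s /usr/sbin/nologin ftpsvc
# The daemon keeps working: the shell field is only used for logins.
# The service is started by root and then switches to its own UID,
# which never consults the shell in /etc/passwd.
```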