Secure Your Linux Box

Here are just a few small tricks to use to secure your linux based machines.

Disable Direct SSH Access For Root – Hackers must break or know TWO passwords to damage your system
1. SSH into your machine as root
2. cd /etc/ssh
3. nano /sshd_config
4. Under Authentication change PermitRootLogin to “no”
5. service sshd restart (Ubuntu is sudo /etc/init.d/ssh restart)

Slow Down SSH Attempts – This slows down attempts to no more than 3 per minute
1. SSH into your machine and su to root
2. iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –set
3. iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 4 -j DROP
4. iptables-save
5. iptables restart

[UPDATE 01.28.2008]
This requires a new(er) kernel with built-in support for the “recent” tag
1. SSH into your machine and su to root
2. iptables -N SSH_CHECK (this will create a new chain to lable all incoming SSH connections as SSH_CHECK)
3. iptables -A INPUT -p tcp –dport 22 -m state –state NEW -j SSH_CHECK (Checks the connection state port 22)
4. iptables -A SSH_CHECK -m recent –set –name SSH (labels the session type as SSH)
5. iptables -A SSH_CHECK -m recent –update –seconds 60 –hitcount 4 –name SSH -j DROP (Drops the connection if the hit counter reaches 4 in 60 seconds)

And then in Ubuntu
6. nano /etc/network/interfaces
7. After your eth0 or other network connection, add pre-up iptables-restore /etc/iptables.rules and post-down iptables-restore /etc/iptables.rules

[UPDATE 05.05.2009]
Running on Debian 5 this one works:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

[UPDATE 01.06.2010]
Running on Ubuntu 9.10 this works:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 240 --hitcount 3 -j DROP

This only allows 3 connection attempts (or successes) for every 6 minutes. Since my box is a small one that doesn’t require a lot of logins, I’d probably go even higher than this. Too high, though, and you could be locked out of your own box by others.

If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.

[UPDATE 02.15.2010]
You can also limit based on username and IP address:

Limit based on Username:
nano /etc/ssh/sshd_config

PermitRootLogin no
AllowUsers userA userB@localhost userC@IPaddress

Limit based on IP address:
nano /etc/hosts.allow

sshd : localhost
sshd : 127.0.0.1
sshd : 192.168.0.0/24
sshd : localhost 127.0.0.1 192.168.1.* 172.16.34.253

nano /etc/hosts.deny

sshd : all

[UPDATE 08.31.2010]
You should probably make sure that your phpmyadmin and webmin installations are secured as well. It’s not hard to check the logs and see that there are many bots trying to gain access to these two installations – even if you don’t have them installed/configured on your box. Damn bots…

nano /etc/apache2/conf.d/phpmyadmin.conf

Obviously add your own IP’s into the config file. Then save the file and exit. Then restart apache.
apache2ctl restart

Leave a Reply

Your email address will not be published. Required fields are marked *