Limiting the number of connections to SSH Server using Iptables

This is the quickest way to limit the number of connections to your SSH server with iptables.

[bash]
sudo /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT
[/bash]

This allows at most 5 concurrent connections to the SSH server; subsequent connections are rejected by iptables, which can thwart brute-force attempts against your server.
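Because -A appends to the end of the chain and iptables stops at the first matching rule, the limit is dead code if an earlier INPUT rule already accepts SSH. The following added check (not from the original post) reads an `iptables -S INPUT` dump, a constructed sample is embedded, and reports whether the connlimit REJECT is present and not shadowed by an earlier port-22 ACCEPT.

```python
import shlex

# Constructed sample of `sudo iptables -S INPUT` on a host where the
# connlimit rule was appended AFTER a blanket SSH allow, so it never fires.
SAMPLE_DUMP = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable
"""


def parse_rules(dump):
    """Return the `-A INPUT` rules as token lists, in chain order."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-A", "INPUT"]:
            rules.append(tokens)
    return rules


def _opt(tokens, flag):
    """Value following `flag` in an iptables rule, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_ssh_connlimit(dump, port="22"):
    """Return (ok, message). ok is True only when a connlimit REJECT/DROP
    for `port` exists and comes before every ACCEPT rule for that port."""
    limit_idx = accept_idx = limit = None
    for i, t in enumerate(parse_rules(dump)):
        if _opt(t, "--dport") != port:
            continue  # rule for some other port
        target = _opt(t, "-j")
        if "connlimit" in t and target in ("REJECT", "DROP"):
            if limit_idx is None:
                limit_idx, limit = i, _opt(t, "--connlimit-above")
        elif target == "ACCEPT" and accept_idx is None:
            accept_idx = i
    if limit_idx is None:
        return False, "no connlimit rule for port %s" % port
    if accept_idx is not None and accept_idx < limit_idx:
        return False, ("connlimit-above %s is shadowed by an earlier ACCEPT "
                       "(rule %d before rule %d)" % (limit, accept_idx + 1, limit_idx + 1))
    return True, "connlimit-above %s is effective for port %s" % (limit, port)


if __name__ == "__main__":
    print(*audit_ssh_connlimit(SAMPLE_DUMP))
```

Run it against `sudo iptables -S INPUT` output on the real host; an `-I INPUT` insert instead of `-A` is the usual fix when the rule is shadowed.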

More Articles About Securing the SSH Server

How to Secure SSH server from Brute-Force and DDoS with Fail2ban (Ubuntu)

Fail2ban is a security tool used for preventing brute-force attacks and Distributed Denial of Service (DDoS) attacks against your GNU/Linux box.

Fail2ban monitors failed login attempts and subsequently blocks the IP address from further logins. Although Fail2ban can also be used to secure other services on an Ubuntu server, in this post I will only focus on securing the SSH server.

Step 1: Install Fail2ban and (optionally) sendmail

sudo apt-get install fail2ban
sudo apt-get install sendmail-bin

Step 2: Setting up Fail2ban

Next, you need to configure fail2ban by creating a copy of ‘jail.conf’ named ‘jail.local’:

cd /etc/fail2ban
sudo cp jail.conf jail.local

Step 3: General fail2ban configuration

Edit the fail2ban configuration file using your favorite text editor (I personally use ‘nano’):

sudo nano /etc/fail2ban/jail.local

You can set IP addresses for fail2ban to ignore; multiple IP addresses can be separated by spaces.

Bantime is the duration for which you want fail2ban to block a suspicious source, in seconds; in this case 3600 means a 1-hour ban.
Maxretry is the number of failed attempts allowed before fail2ban blocks the IP address.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.1
bantime  = 3600
maxretry = 3 

Step 4: Enabling ssh and ssh-ddos protection
Find ssh configuration under [ssh] heading, and enable it.

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

Similarly, you can also enable [ssh-ddos] protection by changing the enabled value to “enabled = true”:

[ssh-ddos]
enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

Step 5: Enable Sending Notification Email (optional)
Optionally, you can have fail2ban send you a notification email when a suspicious login is detected. To do that, locate the destemail setting and change it to your email address:

destemail = security@mypapit.net

Fail2ban can use ‘sendmail’ and ‘mail’ application to send notification email

Step 6: (Re-)start Fail2ban
After all is done, you may save the file, and (re)start the fail2ban service

sudo /etc/init.d/fail2ban restart

You can test the configuration by trying to log in to your box. You may also check the fail2ban log in /var/log/auth.log (or in another location specified in jail.local).
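To see what the [ssh] jail above actually decides from auth.log, here is an added Python model (fail2ban is itself written in Python, but this is not fail2ban's own code) that replays constructed log lines with maxretry = 3, bantime = 3600 and the ignoreip list from Step 3. It assumes a simplified version of the sshd filter regex and fail2ban's findtime window, which the post does not mention (default 600 seconds): only failures inside that window count towards maxretry.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd filter regex (assumption; the
# real filter carries many more patterns).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

# Constructed auth.log sample: 203.0.113.5 fails 3 times in 20 seconds,
# 198.51.100.9 fails twice 25 minutes apart, 192.168.1.1 is on ignoreip.
SAMPLE_LOG = """\
Mar 13 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar 13 10:15:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 13 10:15:04 host sshd[2105]: Accepted publickey for deploy from 198.51.100.9 port 40200 ssh2
Mar 13 10:15:09 host sshd[2107]: Failed password for root from 198.51.100.9 port 40201 ssh2
Mar 13 10:15:20 host sshd[2109]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar 13 10:16:00 host sshd[2111]: Failed password for root from 192.168.1.1 port 40300 ssh2
Mar 13 10:16:01 host sshd[2112]: Failed password for root from 192.168.1.1 port 40301 ssh2
Mar 13 10:16:02 host sshd[2113]: Failed password for root from 192.168.1.1 port 40302 ssh2
Mar 13 10:40:00 host sshd[2120]: Failed password for root from 198.51.100.9 port 40202 ssh2
"""


def compute_bans(log, maxretry=3, bantime=3600, findtime=600,
                 ignoreip=("127.0.0.1", "192.168.1.1")):
    """Return {ip: ban expiry} for sources with >= maxretry failures inside
    one findtime window. Year-less syslog stamps parse to year 1900, which
    is fine for the relative arithmetic done here."""
    window, failures, bans = timedelta(seconds=findtime), {}, {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed login (e.g. "Accepted publickey")
        ip = m.group("ip")
        if ip in ignoreip or ip in bans:
            continue  # whitelisted, or already banned
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        # keep only the failures still inside the findtime window
        recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans
```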

For more information about fail2ban, you can read the official fail2ban manual.

Recommended Reading

How to login into OpenID sites Anonymously

OpenID is a standard that allows users to be authenticated in a decentralized manner. OpenID enables a user to be identified across the internet using a single unified OpenID identifier (or account).

However, some websites (particularly blogs and forums) insist that users log in in order to leave a short comment or remark, which is sometimes inconvenient for users who value anonymity.


The OpenID Anonymity service is an OpenID provider that helps you get around websites or applications that require an OpenID login. To use the OpenID Anonymity service, the user only needs to enter its URL identifier – http://openid.anonymity.com/some_random_id – and the user will be automatically authenticated, without needing to log in or enter a password, which is very convenient if one needs to be anonymous.

Try it!

p/s: Additionally here’s a collection of Public Domain OpenID (tangofied) icons, created by Jakub Szypulka

How to limit MySQL port access to specific network

The MySQL service port is not meant to be accessible to the outside world, as that would become a security concern for the administrator.

Although the MySQL server (mysqld) has a built-in mechanism to deny access from unauthorized IP addresses, that does not protect it from being overwhelmed by multiple malicious requests or by a buffer overflow attack directed at the server.

One solution is to limit MySQL port access to the trusted network using iptables.

This assumes your trusted network has addresses within the range 192.168.1.1-192.168.1.254:

iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

MySQL server (mysqld) uses port 3306.

Note: Always assume the internet as the untrusted network!

How to make sudo display funny error messages in Ubuntu Linux

sudo is probably the most used command in Ubuntu.

In this post, I will show you how to make ‘sudo’ display funny and humorous error messages in Ubuntu Linux.

To do that, you only need to edit /etc/sudoers:

sudo nano /etc/sudoers

Then find the line that starts with Defaults env_reset, add insults at the end of the line so it would look like this:

# See the man page for details on how to write a sudoers file
#
Defaults env_reset, insults

Save the file, and you are done! You can test the results by running the sudo command and entering the wrong password.

Screenshot demo: sudo insults