Post a Comment        E-mail this Article to a Friend        Join the List

Coder's Corner: Securing Your Linux Server

A few months back I built up a brand new web server from the ground up using Fedora Core 5. Having only used pre-built and pre-configured servers in the past, it was at this point that I was faced with the task of figuring out how to lock it down as securely as possible. Here's a quick rundown of some of the solutions I came across.

Disable FTP

If your distribution comes with a built-in FTP server, turn it off and use SFTP instead. It's much safer, as all data (including usernames and passwords) is transfered as SSH traffic (and thus encrypted) instead of as plain text. Using conventional FTP, any machine running a packet sniffer like Ethereal sitting between your computer and your server could easily pick out your login information.

Securing SSH with sshd_config

By default, SSH does not put any restrictions on which users can log in to your server. This means that unless you manually alter the configuration of your system, all of your user accounts (including root) are accessible via SSH and are therefore much more vulernable to dictionary attacks.

To fix this, you can make a small change to your SSH config file (located at /etc/ssh/sshd_config) in order to tell the deamon which accounts are allowed remote access.

At the bottom of the file, simply add either of the following lines:

DenyUsers [user1], [user2], ...

or

AllowUsers [user1], [user2], ...

Where the values in braces are the names of the user account you'd like to allow or disallow access.

A good reason for using AllowUsers over DenyUsers is that root is probably not the only user you would want to deny access to (for instance, other system users that might happen to have a shell assigned to them).

You will, of course, have to restart the SSH daemon after altering the config file using service sshd restart. Don't worry, this will not kill your current session.

Securing SSH with DenyHosts

Another great tool for locking down your SSH deamon is DenyHosts, a free tool available from their SourceForge page. If you look at /var/log/secure, you might be horrified to see just how many hack attempts your server is getting. DenyHosts attempts to secure SSH by imposing rules on how many failed login attempts are allowed by remote users. It's highly configurable, but I chose to limit each login attempt to a max of three bad passwords on existing accounts and zero attempts on accounts that do not exist. This will thwart just about any dictionary attack someone throws at you.

Upon breaking either of the above rules, the user is permanently blocked from further login attempts by adding their originating IP address to /etc/hosts.deny.

Securing VNC

VNC can be a great tool for doing sysadmin work for those who are not fully comfortable using a shell. However the VNC protocol has many security flaws, including the fact that all data (passwords, etc) will be sent over the net in plain text. A simple workaround for this problem is using an SSH tunnel. Here's the rundown:

Name
Email
URL
Body
Are you human?