The Joy of Sec(urity)

Security is a big buzzword these days. As CPUs get faster, so does the brute-force capability of anyone with malicious intent, so on some level the concern is warranted. The latest release of Ubuntu boasts the ability to encrypt not only your data partitions but your swap as well. While full-disk encryption has its place (it protects data on a machine that is lost or stolen, not one that is attacked over the network), I believe it is often deployed while more appropriate security measures are ignored. Let's examine something that I do feel is worthwhile, and that is often overlooked.
SSH, for example, is a protocol that I use almost every day to reach my home LAN. It's easy, convenient, and far too often not secured properly. Here are some easy steps, all of them settings in the server's sshd_config unless noted, to make sure you don't have any unwanted intruders:
  • Port: Change the port your SSH server listens on. As the saying goes, "security through obscurity is no security at all", and moving the port does nothing against a targeted attacker or a full port scan, but we're not going to give an armchair cracker an excuse to think your public IP is intriguing. Mass scanners mostly probe the well-known ports, 0 through 1023, the range in which IANA assigns the standard service ports (SSH's 22 among them), so a server that answers on 22 collects a steady stream of password guesses in its logs. Pick a port well above that range and make it something you'll remember. Of course, you'll need to forward the new port on your firewall as well, and tell your clients about it (the -p option to ssh, or a Host entry in ~/.ssh/config).
  • Protocol: Ensure that SSH-1 access is disabled by specifying "2". SSH-2 clients are readily available for Linux and Mac via OpenSSH and for Windows via PuTTY, so there's no excuse for using an outdated protocol with proven security flaws (the CRC-32 integrity check that allows packet insertion is the classic one). This also means using an SSH-2 host key: RSA rather than DSA, since DSA keys are limited to 1024 bits and OpenSSH has disabled them by default since version 7.0. If you find that your default configuration allowed SSH-1 connections, you may have to generate SSH-2 host keys with ssh-keygen. Current OpenSSH releases (7.4 and later) contain no SSH-1 server code at all and merely warn that the Protocol keyword is deprecated, so on a modern system this step is already taken care of.
  • ClientAliveInterval: This option is widely misread as an idle timeout, which it is not. It makes sshd send a keepalive request through the encrypted channel every ClientAliveInterval seconds, and if ClientAliveCountMax of them in a row go unanswered the connection is dropped. What that cleans up is a dead connection (a laptop that went to sleep, a link that dropped), which is still worth doing so that half-open sessions don't linger on the server. If what you want is to be logged out when you're pulled away from the computer you're working at and forget to close your session, that is the shell's job (bash's TMOUT variable), or better, lock the screen.
  • Use /etc/hosts.deny and /etc/hosts.allow (TCP wrappers) to your advantage. If you're only going to be connecting from specific locations, find out the public IPs of those locations, allow them for sshd in hosts.allow, and deny ALL for sshd in hosts.deny. Allow entries are consulted first and win over deny entries, so the deny-everything line is the safe default. Note that OpenSSH dropped TCP wrappers support in version 6.7, so on a current server the same policy belongs in the firewall or in sshd_config itself (AllowUsers with a host pattern, or a Match Address block).
  • RSAAuthentication and PubkeyAuthentication: Use asymmetric cryptography to authenticate yourself by specifying "yes" to these. (Strictly, RSAAuthentication only governs SSH-1 and has since been removed from OpenSSH; PubkeyAuthentication is the SSH-2 setting and the one that matters.) Making a public and private key pair with ssh-keygen is easy, and the result is far more secure than any password you could ever dream up (and hope to remember): a 2048-bit or larger RSA key cannot be guessed over the network. Controlling physical access to the key file is simple as well. Limit the number of places it exists, and keep it readable only by you; ssh refuses to use a private key whose permissions are more open than that. For example, my key only exists in two places: buried in my home directory with restricted permissions, and on my USB drive, which stays attached to my keychain. It also uses a strong passphrase which wouldn't be easily cracked by a dictionary or brute-force attack. That passphrase is what stands between whoever picks up a lost drive and your server, so it deserves as much thought as the key itself.
  • PasswordAuthentication: Disable password-based authentication by specifying "no" to this. This goes along with the above: if you're going to be carrying around your private key, there's no need to leave the door open for someone to brute-force their way into your system with a password. You can, however, allow password access from within your own network by using a "Match Address" block in your sshd_config file; Match blocks must come after all global settings, and everything below one applies only to the matching connections. On systems that use PAM, keyboard-interactive authentication can still prompt for the account password even with PasswordAuthentication off, so set ChallengeResponseAuthentication to "no" as well. There is a caveat with the LAN exception: if you have a wireless network, please make sure it's secure. Use WPA2 encryption with a strong passphrase; that passphrase is the real control. Filtering MAC addresses and setting a narrow DHCP scheme only inconvenience someone who has already joined the network (MAC addresses are visible in the air and trivially cloned, and a static address bypasses DHCP altogether), so treat them as tidiness rather than security. If you do want a small network, a network mask of more than 24 bits reduces the number of available addresses: a subnet mask of 28 bits, or 255.255.255.240, gives a block of 16 addresses, of which 14 are usable hosts including your router (xxx.xxx.xxx.1 through xxx.xxx.xxx.14, with .0 as the network address and .15 as the broadcast address). This handy Subnet Calculator can help you fine-tune your network to your needs.
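Putting the settings above together, here is an added example (my own, not the post's configuration) that renders a hardened sshd_config from those settings and lints the result before it goes live. The port 2222 and the LAN 192.168.1.0/24 are placeholders; the PermitRootLogin and ChallengeResponseAuthentication lines are two settings the list does not mention but that belong with "keys only".

```shell
#!/bin/sh
# Added example, not the post's own config. Renders a hardened sshd_config
# from the settings discussed above and lints the result. The port (2222)
# and the LAN (192.168.1.0/24) are placeholders; substitute your own.

# Print the config to stdout. $1 = listening port, $2 = LAN CIDR that may
# still log in with a password.
render_sshd_config() {
    port="$1"
    lan="$2"
    cat <<EOF
# Non-default port: keeps mass scanners from noticing the service, nothing
# more. Forward this port on the router, and point clients at it (ssh -p).
Port $port
# SSH-1 off. OpenSSH 7.4+ has no SSH-1 code at all and only warns that this
# keyword is deprecated, so the line is harmless on a modern server.
Protocol 2
# SSH-2 host key. RSA rather than DSA: DSA is capped at 1024 bits and has
# been disabled by default since OpenSSH 7.0.
HostKey /etc/ssh/ssh_host_rsa_key
# Keys only from the outside world. ChallengeResponseAuthentication must be
# off too, or PAM can still prompt for the password as keyboard-interactive.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Dead-connection detection, not an idle timeout: probe every 300 s and
# drop the session after 3 unanswered probes. Idle logout is the shell's
# job (bash TMOUT).
ClientAliveInterval 300
ClientAliveCountMax 3
# Match blocks must be last; everything below applies only to the LAN.
Match Address $lan
    PasswordAuthentication yes
EOF
}

# Lint a config file. sshd uses the first value it sees for an option, so
# the checks look at the first occurrence in the global section (before any
# Match). Returns 0 if every check passes, 1 otherwise.
check_sshd_config() {
    file="$1"
    rc=0
    global=$(awk '/^[[:space:]]*Match[[:space:]]/ { exit } { print }' "$file")
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "ChallengeResponseAuthentication no" "PermitRootLogin no"; do
        key=${want%% *}
        value=${want#* }
        got=$(printf '%s\n' "$global" |
              awk -v k="$key" 'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
                               END { print v }')
        if [ "$got" != "$value" ]; then
            printf 'FAIL: %s is "%s", want "%s"\n' "$key" "${got:-unset}" "$value"
            rc=1
        fi
    done
    port=$(printf '%s\n' "$global" |
           awk 'tolower($1) == "port" && !seen { v = $2; seen = 1 } END { print v }')
    if [ "${port:-22}" = "22" ]; then
        printf 'WARN: still listening on the default port 22\n'
    fi
    return "$rc"
}

# Usage: render to a scratch file, lint it, then let sshd itself parse it
# (sshd -t) before copying it over /etc/ssh/sshd_config and reloading.
#   render_sshd_config 2222 192.168.1.0/24 > /tmp/sshd_config.new
#   check_sshd_config /tmp/sshd_config.new && sshd -t -f /tmp/sshd_config.new
```

Always run sshd -t on the new file and keep an existing session open while you reload; a typo in sshd_config that locks you out of a remote box is the classic way this procedure goes wrong.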

Last but not least, check the logs (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat-style systems)! Make sure that your security measures are effective: with password authentication off, every "Failed password" line from the Internet is a scanner getting nowhere, while an "Accepted publickey" from an address you don't recognise is the line you really need to act on. If you see an IP that looks malicious and you haven't set a deny-all rule in hosts.deny with explicit allows, add the offending IP, or the entire network it sits in, to the deny list. Bear in mind that blocking a whole network can also lock out a legitimate user who happens to share that provider, so deny-by-default with explicit allows is the cleaner end state.
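As an added example (constructed here, not from the post), the following pulls brute-force sources out of sshd log lines and turns them into the hosts.deny entries described above. The log excerpt is made up for the example, using the reserved documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for the attackers; "quake" and "haruko" are placeholder host and user names.

```shell
#!/bin/sh
# Added example, not from the post: find brute-force sources in sshd logs
# and emit hosts.deny entries for their networks. The log excerpt is
# constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges,
# "quake" and "haruko" are placeholder host and user names.

SAMPLE_LOG='Nov  9 02:11:01 quake sshd[4012]: Invalid user admin from 203.0.113.45
Nov  9 02:11:03 quake sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 50213 ssh2
Nov  9 02:11:07 quake sshd[4015]: Failed password for invalid user oracle from 203.0.113.45 port 50230 ssh2
Nov  9 02:11:09 quake sshd[4017]: Failed password for root from 203.0.113.45 port 50241 ssh2
Nov  9 02:11:12 quake sshd[4019]: Failed password for root from 203.0.113.45 port 50250 ssh2
Nov  9 02:12:40 quake sshd[4031]: Accepted publickey for haruko from 192.168.1.20 port 41222 ssh2
Nov  9 02:15:02 quake sshd[4040]: Failed password for haruko from 192.168.1.20 port 41230 ssh2
Nov  9 02:15:05 quake sshd[4040]: Accepted password for haruko from 192.168.1.20 port 41230 ssh2
Nov  9 03:02:11 quake sshd[4102]: Failed password for invalid user test from 198.51.100.7 port 60001 ssh2
Nov  9 03:02:13 quake sshd[4104]: Failed password for invalid user guest from 198.51.100.7 port 60002 ssh2
Nov  9 03:02:15 quake sshd[4106]: Failed password for invalid user ubnt from 198.51.100.7 port 60003 ssh2'

# Read log lines on stdin; print "count ip", most failures first, for every
# source with at least $1 (default 3) failed or invalid-user attempts. One
# slip from a real user on the LAN does not reach the threshold.
failed_sources() {
    min="${1:-3}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# The /24 that contains an IPv4 address, in the trailing-dot prefix form
# hosts_access(5) understands ("203.0.113." matches 203.0.113.0-255).
net24() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 "." }'
}

# Read "count ip" lines and print hosts.deny entries for each network.
# OpenSSH 6.7+ no longer honours TCP wrappers; use the same prefixes in a
# firewall rule there.
deny_lines() {
    while read -r count ip; do
        printf '# %s failed logins from %s\nsshd: %s\n' "$count" "$ip" "$(net24 "$ip")"
    done
}

# Run it on the sample: the two Internet sources are listed, the LAN host
# with its single typo is not.
printf '%s\n' "$SAMPLE_LOG" | failed_sources 3 | deny_lines
```

Against a real file you would feed it grep sshd /var/log/auth.log instead of the sample, and review the output before appending it to hosts.deny; the whole-network rule is exactly the one that can catch a friend on the same ISP.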

Happy SSH’ing!
Random website for those of you out there who are PC builders and think you have mad skillz. Check out these and see how much you have to learn about true artistry.

8 Responses to “The Joy of Sec(urity)”


  1. Alex Reisner November 9, 2009 at 2:53 pm

    Nice post. I love the idea of being able to SSH to various servers from my G1, but I’ve never felt comfortable putting private keys on a mobile device that could get lost or stolen. Maybe I can pin down my G1’s IP address range and allow password auth from there only. Thanks for the idea.

    • Dave November 9, 2009 at 5:48 pm

      Don't forget that with private keys, invalidating them is as simple as validating them. If you suspect them lost or compromised, simply remove the public side from your authorized_keys file and generate a new pair. If you have multiple keys in the file and need help distinguishing between them, place a double equals sign at the end of the key and you can add a description (e.g. ….RRTB7aYQ== haruko@quake).

  2. Jon November 18, 2009 at 12:13 am

    Awesome tip (*important* tip actually). I ended up having a fairly enlightening weekend reading about pgp and keys and the whole shebang. Thanks 🙂

  3. konnio November 18, 2009 at 12:44 pm

    Hmmm, very interesting … I really enjoy your blog


