Date: Tue, 08 Feb 2005 08:13:15 -0800
From: "Mark A. Garcia" <mag@hamletinc.com>
To: crzdgns1@starpower.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Newbie Security Concerns
Message-ID: <4208E51B.9040408@hamletinc.com>
In-Reply-To: <c5ead59.cb785457.81e0700@ms07.mrf.mail.rcn.net>
References: <c5ead59.cb785457.81e0700@ms07.mrf.mail.rcn.net>
crzdgns1@starpower.net wrote:

> Hello,
>
> I am a new user of UNIX and FreeBSD and have never had to do any
> administration or security configuration myself before. I am running
> IP Firewall on FreeBSD-5.3-RELEASE. Last night I was checking my
> logs and discovered that sshd reported many illegal users. Does

This seems to be a common thing that occurs all too often on internet facing systems that have a publicly available ssh port. But it being common is definitely a reason not to ignore it. Here are some things that I do:

- Don't allow root logins via the sshd_config in /etc/ssh
- Bind ssh to a specific IP or IPs
- Running IP Firewall, block any access to your system with generic block rules, then open up specific ports with specific from IPs that you know you will be coming from.
- You can even go really gonzo and install ports/security/doorman, which is a port knocking mechanism that allows you to play knock-knock-who-is-it. Send a UDP sequence to your server. If it matches a certain type of signature, then issue a firewall rule change to open the port, i.e. ssh. Very automated and convenient. Otherwise, the port will be closed to all users. If the port is open, then one would still have to password crack your accounts. I'm hoping that one would see a port is open via email, and know it's not them and immediately do some justice.
- Also, it would be good to block those IPs where the password attempts occur.

Last but not least, your system probably isn't compromised unless you actually see a successful login on those accounts.

Cheers,
-.mag

> that mean my system is compromised? As configured, there are only
> three accounts on my system, root, toor, and one user account for
> me. I suppose you need more information from me, but am not sure
> what to provide. Any help would be greatly appreciated.
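As an added example (not from the original post or its author) of the last two points in the reply, this Python script tallies sshd "Illegal user" and "Failed password" lines per source address from constructed auth.log samples, emits ipfw deny rules for repeat offenders, and lists accepted logins so they can be checked against the sources you expect. The log format, the threshold and the rule numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of FreeBSD auth.log / sshd of that era;
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  7 23:10:02 bsdbox sshd[812]: Illegal user test from 192.0.2.10
Feb  7 23:10:05 bsdbox sshd[814]: Illegal user admin from 192.0.2.10
Feb  7 23:10:09 bsdbox sshd[817]: Illegal user guest from 192.0.2.10
Feb  7 23:11:40 bsdbox sshd[820]: Failed password for illegal user oracle from 192.0.2.10 port 40120 ssh2
Feb  7 23:12:01 bsdbox sshd[823]: Failed password for root from 198.51.100.7 port 51822 ssh2
Feb  7 23:13:44 bsdbox sshd[829]: Accepted password for mark from 203.0.113.5 port 33012 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from " + IPV4)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IPV4)

def summarize(log_text):
    """Return (failed attempts per source IP, list of (user, ip) accepted logins)."""
    attempts = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line) or FAILED_RE.search(line)
        if m:
            attempts[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return attempts, accepted

def block_rules(attempts, threshold=3, rule_base=1000):
    """Build ipfw deny rules (as strings) for sources at or above the threshold.
    Nothing is executed here; review the output before handing it to ipfw."""
    rules = []
    for ip, count in sorted(attempts.items()):
        if count >= threshold:
            rules.append(f"ipfw add {rule_base + len(rules)} deny tcp from {ip} to me 22")
    return rules

def unexpected_logins(accepted, known_sources):
    """Accepted logins from addresses you do not recognise: the ones worth checking,
    since a successful login is what would indicate compromise."""
    return [(user, ip) for user, ip in accepted if ip not in known_sources]

if __name__ == "__main__":
    attempts, accepted = summarize(SAMPLE_LOG)
    print("\n".join(block_rules(attempts)))
    print(unexpected_logins(accepted, {"203.0.113.5"}))
```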