Sachin’s Weblog

August 24, 2007

Securing Your Linux Servers - TCP Wrappers

Filed under: IPtables, Linux, Linux Router, Security, firewall — sachin @ 11:37 am

Server security: when a system is used as a server on a public network, it becomes a target for attacks. For this reason, hardening the system and locking down services is of paramount importance for the system administrator. Security is a vast subject, and it is a common saying that “nothing is 100% secure in this world”, but I believe there is always a reason to take care of it. Here we are going to talk about the steps that ensure basic server security; we will also explore firewalling with iptables in a little depth.

There are a few common attacks that can be avoided by taking care of a few things. First of all I am going to talk about the ssh brute force attack. This event occurs when an attacker attempts to log in to an SSH server by guessing usernames and passwords. By default, ssh access to the server is blocked; if someone needs to open ssh access, a few things should be taken care of:

  • Change the default port (22) of the ssh service.
  • Do not permit root login.
  • Keep changing your passwords.
  • Use a good password for accounts with shell access.
  • Do not give shell access to regular users.
  • If you do need to grant shell access to an end user, make sure they also use a good password.
  • Use key-based authentication.
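
As an added example (not from the original post), here is a small Python audit that reads an sshd_config and checks it against the list above. It resolves settings the way sshd does: keyword names are case-insensitive, the first value given for a keyword wins, and global parsing stops at the first Match block. The configuration text is a constructed sample, and the default values assumed for absent keywords are noted in the code.

```python
import re

# Constructed sample (not the post's file). The second "Port" line is there on
# purpose: sshd keeps the FIRST value it reads for a keyword, so "Port 2222"
# here is silently ignored and the daemon stays on port 22.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes

Match User backup
    PasswordAuthentication no
"""

# The same file after applying the checklist (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def effective_settings(text):
    """Resolve the global settings the way sshd does: keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, the first
    value seen for a keyword wins, and lines after the first Match block are
    conditional, so global parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # keep the first occurrence only
    return settings


def audit(text):
    """Return (effective settings, list of findings) for the checklist items
    that can be read from the file. Defaults assumed for absent keywords follow
    sshd_config(5): Port 22, PasswordAuthentication yes, PubkeyAuthentication yes;
    PermitRootLogin's default has changed between releases, so an absent
    keyword is reported rather than assumed."""
    s = effective_settings(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("sshd still listens on the default port 22")
    root = s.get("permitrootlogin", "not set")
    if root != "no":
        findings.append("PermitRootLogin is '%s', want 'no'" % root)
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'; use key-based logins")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return s, findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        settings, findings = audit(cfg)
        print("%s: port=%s, %d finding(s)" % (name, settings.get("port", "22"), len(findings)))
        for f in findings:
            print("  -", f)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the point of the duplicated Port line in the sample is that an administrator who appends a new value at the end of the file has changed nothing, which `sshd -T` on the host will confirm.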

The next step is to filter access to your server. We can achieve this in several ways, but the first step we can take is to use “tcp wrappers”.

TCP WRAPPERS : TCP wrappers provide access control to a variety of services. Most modern network services, such as SSH, Telnet, and FTP, make use of TCP wrappers, which stand guard between an incoming request and the requested service.

The benefits offered by TCP wrappers are enhanced when used in conjunction with xinetd, a super service that provides additional access, logging, binding, redirection, and resource utilization control.

TCP wrappers is a host-based network ACL system, used to filter network access to Internet protocol services run on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes. It handles ssh, telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat, and other services that have a one-to-one mapping onto executable files.

Now the question is, how do we filter access to a particular service using TCP wrappers? The answer lies in the configuration files and tools of TCP wrappers:

  • hosts.allow and hosts.deny files with the rules for allowed and denied services
  • tcpdchk program that checks configuration files for problems
  • tcpdmatch program that reports how a service will be handled

Now let’s filter access to some particular services, say ssh and telnet. Consider a scenario: you have an IP address, a network and a domain that should be allowed ssh and telnet access, but you don’t want to give access to the rest of the world.

This can be done by editing two files: /etc/hosts.allow and /etc/hosts.deny.

In /etc/hosts.allow, add a few lines to allow access to the service from this IP, this network, and this domain name with its sub-domains. Each rule has the form “daemon_list : client_list”; comments go on their own lines starting with “#”, since a “#” after a rule is not treated as a comment.

# a single host, let’s say 1.2.3.4
sshd : 1.2.3.4
# a network, written as network/netmask, like 1.2.3.0/255.255.255.0
sshd : 1.2.3.0/255.255.255.0
# every host in a domain: a pattern that starts with “.” matches any host name ending in it
sshd : .xyz.com
# or the whole domain except one of its sub-domains
sshd : .xyz.com EXCEPT .abc.xyz.com

In /etc/hosts.deny, deny the rest of the world:

sshd : ALL
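
As an added example, not part of the original post, the following Python script replays the decision tcpd makes with the two files above, so a rule set can be checked without a client connecting. It models hosts_access(5) as follows: hosts.allow is searched first and a match grants access, hosts.deny is searched next and a match denies, and a client matching neither file is allowed; the pattern forms are ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and an exact host or address, with EXCEPT in the client list. The two file contents are constructed copies of the rules above; IPv6, the KNOWN/UNKNOWN/PARANOID wildcards and the reverse-DNS check tcpd performs on host names are not modelled. The last case in the run is the one to notice: a daemon with no line in either file is open to everyone, so the deny rule has to name every wrapped service you want closed (or use ALL : ALL in hosts.deny).

```python
import ipaddress

# Constructed copies of the two files from the post (not read from /etc).
HOSTS_ALLOW = """\
sshd : 1.2.3.4
sshd : 1.2.3.0/255.255.255.0
sshd : .xyz.com EXCEPT .abc.xyz.com
"""
HOSTS_DENY = """\
sshd : ALL
"""


def parse_rules(text):
    """Return [(daemons, include_patterns, exclude_patterns)] for one file.
    Blank lines and lines starting with '#' are ignored; fields after the
    second ':' (spawn, severity, ...) play no part in the decision."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("expected 'daemon_list : client_list': %r" % line)
        tokens = fields[1].split()
        if "EXCEPT" in tokens:
            i = tokens.index("EXCEPT")
            include, exclude = tokens[:i], tokens[i + 1:]
        else:
            include, exclude = tokens, []
        rules.append((fields[0].split(), include, exclude))
    return rules


def match_client(pattern, addr, hostname):
    """Match one client pattern using the hosts_access(5) wildcard forms."""
    hostname = hostname.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # a host name without a dot
        return "." not in hostname
    if pattern.startswith("."):            # '.xyz.com' matches any host under it
        return hostname.endswith(pattern.lower())
    if pattern.endswith("."):              # '1.2.3.' matches an address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, dotted mask or prefix length
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern.lower() == hostname


def match_rule(rule, daemon, addr, hostname):
    daemons, include, exclude = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if not any(match_client(p, addr, hostname) for p in include):
        return False
    return not any(match_client(p, addr, hostname) for p in exclude)


def hosts_access(daemon, addr, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide like tcpd: hosts.allow first, then hosts.deny, otherwise allow.
    Returns (decision, reason); rule numbers count non-comment lines."""
    for n, rule in enumerate(parse_rules(allow_text), 1):
        if match_rule(rule, daemon, addr, hostname):
            return "allow", "hosts.allow rule %d" % n
    for n, rule in enumerate(parse_rules(deny_text), 1):
        if match_rule(rule, daemon, addr, hostname):
            return "deny", "hosts.deny rule %d" % n
    return "allow", "no matching rule in either file"


if __name__ == "__main__":
    cases = (("sshd", "1.2.3.4", "gw.example.net"),
             ("sshd", "1.2.3.77", "unknown"),
             ("sshd", "5.6.7.8", "www.xyz.com"),
             ("sshd", "5.6.7.9", "box.abc.xyz.com"),
             ("sshd", "9.9.9.9", "probe.example.org"),
             ("in.ftpd", "9.9.9.9", "probe.example.org"))
    for daemon, addr, host in cases:
        print(daemon, addr, host, "->", *hosts_access(daemon, addr, host))
```

On a real system the same question is answered by the tcpdmatch tool listed above (for example `tcpdmatch sshd 9.9.9.9`), which reads the actual files and also reports name-lookup problems that this model skips.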

So now we have seen how to filter access to a particular service using TCP wrappers. To log who is trying to intrude into your server, and through which service, add the following line to /etc/hosts.deny; the third field is a shell command that tcpd runs for each refused connection, with %c expanding to the client and %d to the daemon name. Put it before the “sshd : ALL” line, because the search stops at the first matching rule in a file, and note that, since it names every daemon, it also denies (and logs) any other wrapped service that has no entry in hosts.allow:

ALL : ALL : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
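
As an added example (not from the post), here is a short Python summariser for the file that the spawn rule writes. Each record is the output of `date` followed by %c and %d, and since %c may be an address, a host name or user@host depending on what tcpd could find out, the script splits each line from the right rather than by column. The log lines are constructed, in the default `date` output format, and the threshold for flagging a source is an assumption.

```python
from collections import Counter

# Constructed lines in the shape the spawn rule writes:
# `date` output, then %c (client), then %d (daemon).
SAMPLE_LOG = """\
Fri Aug 24 11:37:01 IST 2007 9.9.9.9 sshd
Fri Aug 24 11:37:03 IST 2007 9.9.9.9 sshd
Fri Aug 24 11:37:09 IST 2007 9.9.9.9 sshd
Fri Aug 24 11:40:15 IST 2007 scanner.example.org in.telnetd
Fri Aug 24 11:41:00 IST 2007 joe@box.abc.xyz.com sshd
"""


def parse_line(line):
    """Split one record from the right: the last word is the daemon (%d), the
    one before it the client (%c), and everything else the date. Returns None
    for a line that does not have at least three words."""
    parts = line.rsplit(None, 2)
    if len(parts) != 3:
        return None
    when, client, daemon = parts
    user, _, host = client.rpartition("@")   # user is '' when %c had no user part
    return {"when": when, "user": user, "host": host, "daemon": daemon}


def summarize(text, threshold=3):
    """Count refused attempts per (host, daemon) and list the hosts whose
    attempts on any single service reach the threshold (assumed value)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["host"], rec["daemon"])] += 1
    noisy = sorted({host for (host, _), n in counts.items() if n >= threshold})
    return counts, noisy


if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for (host, daemon), n in sorted(counts.items()):
        print("%-25s %-12s %d" % (host, daemon, n))
    print("repeat offenders:", ", ".join(noisy) or "none")
```

Feeding it the real file is `summarize(open("/var/log/intruder_alert").read())`; the repeat-offender list is the natural input for a firewall rule or for a closer look at the matching sshd log entries.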

Further, if certain types of connections are of more concern than others, the log level can be elevated for that service via the severity option. Assume anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:

in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.

That’s enough talking for the first part; we will see what we can discuss next.
