
Security


Useful Notes

SSH

Securing SSH with Key Based Authentication. Key pairs are a useful way of restricting access to your SSH server because a user must then have three things to log onto the server: a username, a password (the passphrase protecting the key, or the account password if the server still asks for one), and the private key file. Normally they would only need a username and password, which can be guessed at or (potentially) brute forced. (The page calls the key a "certificate"; what it describes is an ordinary OpenSSH key pair, not a CA-signed SSH certificate.)

Securing SSH with Key Based Authentication

Forcing the user to supply a key on log on means that they must also have a tangible source of identification (without the key file they cannot log in!).

Creating the key pair. Run ssh-keygen on the machine you will log in from, and you will get asked a few questions as follows (enter a passphrase):

user@host$ ssh-keygen
Generating public/private rsa key pair.

Do not run it under sudo: that generates the pair for root rather than for your user. This will generate two files, id_rsa (the private key) and id_rsa.pub (the public key), in ~/.ssh in your home directory (if you chose the defaults).

Add the public key. Copy id_rsa.pub to the server and run

user@server:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys

which adds the public key to the list of authorized keys for this user. Only the public key goes onto the server; if you generated the pair on the server instead, move id_rsa to the client and remove it from the server (user@server:~$ rm id_rsa). sshd ignores the file when ~/.ssh or authorized_keys is writable by others (StrictModes), so keep ~/.ssh at mode 700 and authorized_keys at mode 600.

Activate the key based authentication on the server. To edit the config run

Setting-up Chroot for SSH and for SFTP » IT Tips and Tricks.

SSH with authentication key instead of password.
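The server-side step the procedure ends on, as an added example that is not the page's own code: the functions below turn key-based logins on and password logins off in an sshd_config, and check the result the way sshd reads the file. sshd uses the first active occurrence of a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing, and global keywords must sit before any Match block. It assumes a POSIX sh with awk; the config path is a parameter so the functions can be rehearsed on a copy before they touch /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the page: switch sshd to key-based logins in a
# way that checks what sshd will actually use. sshd takes the FIRST active
# occurrence of a keyword, so a "PasswordAuthentication no" appended to the end
# of a file that already says "yes" higher up changes nothing. Global keywords
# must also come before any "Match" block. Assumptions: POSIX sh with awk; the
# config path is a parameter so the functions can be rehearsed on a copy before
# they touch /etc/ssh/sshd_config.

# Value sshd will use for a keyword: first active match, case-insensitive,
# stopping at the first Match block (anything after it is conditional).
# Prints nothing if the keyword is absent, i.e. the compiled-in default applies.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"                { exit }
        tolower($1) == key                    { print $2; exit }
    ' "$1"
}

# Set a global keyword: replace the first active occurrence before any Match
# block; if there is none, insert the line at the top where it is global.
sshd_set() {
    # $1 = config file, $2 = keyword, $3 = value
    cfg=$1; key=$2; val=$3
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    if [ -n "$(sshd_effective "$cfg" "$key")" ]; then
        awk -v key="$lkey" -v line="$key $val" '
            BEGIN { done = 0 }
            !done && tolower($1) == "match"                         { done = 1 }
            !done && !/^[[:space:]]*#/ && tolower($1) == key        { print line; done = 1; next }
            { print }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        { printf '%s %s\n' "$key" "$val"; cat "$cfg"; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
}

# The settings this page's procedure leads up to: keys on, passwords off.
# PasswordAuthentication alone is not enough where UsePAM is on, because
# keyboard-interactive can still prompt for the password unless
# ChallengeResponseAuthentication is off as well.
harden_sshd() {
    # $1 = config file
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication no
    sshd_set "$1" PermitRootLogin no
}

# Demo on a constructed config so running this never edits the real file.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd "$demo_cfg"
for k in PubkeyAuthentication PasswordAuthentication PermitRootLogin; do
    echo "$k -> $(sshd_effective "$demo_cfg" "$k")"
done
rm -f "$demo_cfg"
```

Before reloading the real daemon, run sshd -t -f on the edited file to syntax-check it, and keep your existing session open while you confirm a fresh login still works with the key and fails with a password.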

SSH with authentication key instead of password. Posted by neofpo on Thu 7 Jun 2007 at 09:42. SSH is a must-use tool for system administrators.

SSH with authentication key instead of password

However, resting access security on a human-entered password is not very wise. Script kiddies may break into your system because of a lazy user with a weak password, and it is beyond the system administrator's power to make users choose good passwords. The good news is that there is a way to leave remote access open and not have to worry about passwords.

Securing Debian Manual. Abstract: This document describes security in the Debian project and in the Debian operating system.

Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks needed to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available, and talks about how security is enforced in Debian by the security and audit team. Copyright Notice: Copyright © 2002-2013 Javier Fernández-Sanguino Peña.

Logwatch Configuration in Debian. What is Logwatch?

Logwatch Configuration in Debian

Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from the command line. The output is grouped by service, and you can limit it to one particular service. The subscripts responsible for the output mostly convert the raw log lines into a structured format. Logwatch generally ignores the time component in the output, which means you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.

Install and Config Fail2Ban in Debian 7 Wheezy. Fail2Ban (authentication failure monitor) is intrusion prevention software, written in Python.

Install and Config Fail2Ban in Debian 7 Wheezy

Fail2Ban analyzes the log files of various services (ssh, apache, postfix etc.) and, if it detects possible attacks (mainly brute-force attacks), it creates rules in the firewall or in tcp wrappers to ban the offending address, temporarily or permanently. At the same time, Fail2Ban informs the system administrator by email of its activity in real time. Some of the activities considered attacks are: multiple ssh connection attempts using accounts that do not exist on the system; multiple ssh connection attempts cycling through passwords; Apache requests for web pages often requested by bots and scanners.

A dedicated hardware firewall from your hosting provider (Cisco ASA 5500 series, or even a smaller device such as a FortiGate-60C) can offer the protection fail2ban offers, and more, so you may not need fail2ban (or even iptables) in that case. The caveat is that a perimeter firewall only replaces fail2ban if it actually inspects the same failures, for example through connection rate limiting or an IPS signature for SSH brute force; a plain packet filter in front of the host never sees the authentication failures in your logs.

Securing Webmin. This chapter covers the steps you should take to add additional security to Webmin on your system once it has been installed.

Securing Webmin

It explains both IP address restrictions and the use of SSL. Network security: Unless you are running Webmin on a system that is never connected to any other network, it is wise to restrict which client network addresses are allowed to log in. Because Webmin is so powerful, anyone who manages to log in will have total control over your system, as though they had root shell access. Even though a username and password are always required to log in, it is good to have an additional layer of security in case an attacker guesses or somehow discovers your password. To restrict which IP addresses and networks Webmin will accept connections from, follow these steps: In the Webmin category, click on the icon for the Webmin Configuration module.

[Figure 3-1: The IP access control form]

HowTo/ChangeHostname. This page explains how to change a system's hostname (i.e. rename a computer/server). Executive summary: hostname(1) isn't enough.

HowTo/ChangeHostname

Core networking:
- Update /etc/hostname.
- Update /etc/hosts, so the local address(es) resolve with the new system name (on Debian this is normally the 127.0.1.1 line).
- Reload the network configuration.

Application specific:
- avahi: Avahi is used to publish (announce) local services. Run invoke-rc.d avahi-daemon force-reload.
- Adjust /etc/printcap.
- ejabberd: refer to the Change Computer Hostname section of the ejabberd Installation and Operation Guide.
- Exim.

iptables. NOTE: iptables is being replaced by nftables starting with Debian Buster. iptables provides packet filtering, network address translation (NAT) and other packet mangling.
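The core-networking steps as one script, an added example rather than anything from the wiki page: it rewrites the hostname file, renames the host's entries in the hosts file (the whole-word match matters, so that a host called "db" does not mangle "dbbackup"), and then hands the new name to the running system. The file paths are parameters so the rename can be rehearsed on scratch copies; the 127.0.1.1 line is the Debian convention mentioned above, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: rename a Debian host in the two files
# that hostname(1) alone never touches, /etc/hostname and /etc/hosts, and then
# push the name into the running kernel. The file paths are parameters so the
# rename can be rehearsed on scratch copies. Assumption: the Debian convention
# that the machine's own name resolves through a 127.0.1.1 line in /etc/hosts.

rename_host() {
    # $1 = old name, $2 = new name, $3 = hostname file, $4 = hosts file
    old=$1; new=$2; hostname_file=$3; hosts_file=$4
    case $new in
        ""|*[!a-zA-Z0-9.-]*) echo "rename_host: invalid hostname '$new'" >&2; return 1 ;;
    esac
    printf '%s\n' "$new" > "$hostname_file"
    # Rename only whole host fields (and the short-name prefix of an FQDN such
    # as old.example.com); "oldbackup" on another line must stay untouched.
    awk -v old="$old" -v new="$new" -v OFS='\t' '
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i == old) $i = new
                else if (index($i, old ".") == 1) $i = new substr($i, length(old) + 1)
            }
            print
        }
    ' "$hosts_file" > "$hosts_file.tmp" && mv "$hosts_file.tmp" "$hosts_file"
    # A host that never had the Debian 127.0.1.1 entry gets one now, so that
    # "hostname -f" and sudo can still resolve the machine's own name.
    grep -q "^127\.0\.1\.1[[:space:]]" "$hosts_file" \
        || printf '127.0.1.1\t%s\n' "$new" >> "$hosts_file"
}

# Tell the running system about the name in the hostname file: hostnamectl on
# systemd hosts, plain hostname(1) otherwise. Requires root on a real host.
apply_hostname() {
    # $1 = hostname file
    if command -v hostnamectl >/dev/null 2>&1; then
        hostnamectl set-hostname "$(cat "$1")"
    else
        hostname -F "$1"
    fi
}

# Demo on constructed copies; nothing here touches /etc.
demo=$(mktemp -d)
printf 'oldbox\n' > "$demo/hostname"
printf '127.0.0.1\tlocalhost\n127.0.1.1\toldbox.example.com oldbox\n192.0.2.10\toldboxbackup\n' > "$demo/hosts"
rename_host oldbox newbox "$demo/hostname" "$demo/hosts"
cat "$demo/hosts"
rm -rf "$demo"
```

On a real host run rename_host against /etc/hostname and /etc/hosts as root, then apply_hostname /etc/hostname, and only then restart the application-specific services listed above (avahi, ejabberd, exim), which read the name at start-up.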

iptables

Two of the most common uses of iptables are to provide firewall support and NAT. Configuring iptables manually is challenging for the uninitiated.

HOWTO apache myadmin filter - Fail2ban. I don't use phpMyAdmin, but I'm tired of the fools looking for it cluttering up my log files, so I wrote a filter to trap them and ban them for a period of time.
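For the "challenging for the uninitiated" part, here is an added example (not from the wiki page) of the firewall use case done the less error-prone way: the whole ruleset is generated into iptables-restore format and loaded atomically, instead of being typed one "iptables -A" at a time, where a mistake mid-sequence can leave the host half-filtered or cut off the SSH session you are typing from. The SSH port, the admin network 203.0.113.0/24 and the output path are placeholders; generating the rules needs nothing installed, applying them needs root and the iptables package.

```shell
#!/bin/sh
# Added example, not from the page: a minimal host firewall for a Debian box in
# iptables-restore format. The rules are generated by a function and written to
# a file, then loaded in one atomic step with iptables-restore, which parses the
# whole file before applying any of it, so a syntax error leaves the running
# rules untouched. Assumptions (placeholders): SSH on port 22, the admin
# network 203.0.113.0/24, and the iptables-persistent path /etc/iptables/rules.v4.

SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}

build_rules() {
    cat <<EOF
*filter
# Default deny for inbound and forwarded traffic; allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped rather than evaluated further.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Stay pingable, but rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH only from the admin network; fail2ban adds per-address bans on top.
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Web traffic from anywhere.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited) whatever fell through; the INPUT policy then drops it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Write the ruleset to a file and, with --apply as the second argument, load it
# atomically. Run as root on the real host; the write alone needs no privilege.
install_rules() {
    out=${1:-/etc/iptables/rules.v4}
    build_rules > "$out"
    if [ "${2:-}" = "--apply" ]; then
        iptables-restore < "$out"
    fi
}

# Running the script prints the ruleset; "--apply" also writes and loads it.
if [ "${1:-}" = "--apply" ]; then
    install_rules /etc/iptables/rules.v4 --apply
else
    build_rules
fi
```

/etc/iptables/rules.v4 is the file the iptables-persistent package restores at boot, so writing there makes the ruleset survive a reboot. On Buster and later, where the page notes nftables has taken over, the same file loads through the iptables-nft compatibility layer, or can be converted once with iptables-restore-translate.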

HOWTO apache myadmin filter - Fail2ban

Most of the traffic I see comes from DHCP blocks issued to various ISPs, so I don't want to ban them forever. First off, you'll want to configure the ignoreip directive in jail.conf. If your ISP uses dynamic IP addressing you will need to follow these steps so that you do not ban yourself! Find your own external IP address (any what-is-my-IP service will show it). Take that IP and look it up in a WHOIS or IP-range lookup, which will tell you what range of IPs you fall into. Take that range and plug it into a CIDR calculator to get the CIDR notation to put in the config file.

The top row of output that says "Network = 111.111.111.111/20" is the part you want. Open jail.conf in your favorite editor, find the line that says "ignoreip = 127.0.0.1" in the [DEFAULT] section, and make it look like this. (On Debian, put the override in jail.local rather than editing jail.conf, which the package may replace on upgrade; and bear in mind that the whole /20 is then exempt from banning, not just your own address.)
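Pulling the Fail2Ban material on this page together (the Wheezy install notes above and this phpMyAdmin filter), here is an added example that is not the author's filter: a filter for phpMyAdmin probes in the Apache access log, a jail that uses it with the ignoreip range from the steps above, and an offline check of the failregex against a few constructed log lines before it is allowed to ban anyone. The filter name apache-myadmin.conf, the 111.111.111.111/20 range and the sample addresses are placeholders; fail2ban itself is not needed to run the script.

```shell
#!/bin/sh
# Added example, not the filter from the page: a fail2ban filter for phpMyAdmin
# probes in the Apache access log, a jail that uses it with an ignoreip range,
# and an offline check of the failregex against constructed log lines.
# Assumed/placeholder names: apache-myadmin.conf, the 111.111.111.111/20
# ignore range and the sample addresses. fail2ban is not required to run this.

CONF_DIR=${CONF_DIR:-$(mktemp -d)}   # stand-in for /etc/fail2ban

# Filter: <HOST> is fail2ban's placeholder for the client address. The path
# alternation is anchored right after the request method, so a legitimate page
# such as /blog/phpmyadmin-howto.html does not trip it.
write_filter() {
    cat > "$CONF_DIR/apache-myadmin.conf" <<'EOF'
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD) /(phpmyadmin|phpMyAdmin|PMA|pma|myadmin|mysqladmin|sqlmanager)[^"]*"
ignoreregex =
EOF
}

# Jail: overrides belong in jail.local, which package upgrades leave alone.
write_jail() {
    cat > "$CONF_DIR/jail.local" <<'EOF'
[DEFAULT]
# Never ban these, even on a match: loopback plus the dynamic block our own
# ISP address falls into. Everyone else in that /20 is exempt too.
ignoreip = 127.0.0.1/8 111.111.111.111/20

[apache-myadmin]
enabled  = true
port     = http,https
filter   = apache-myadmin
logpath  = /var/log/apache2/access.log
maxretry = 2
findtime = 600
bantime  = 86400
EOF
}

# Offline check: print the client address of every log line on stdin that the
# failregex matches. <HOST> becomes an IPv4 pattern so grep -E can run it.
probe_hosts() {
    pat=$(sed -n 's/^failregex = //p' "$CONF_DIR/apache-myadmin.conf" \
          | sed 's/<HOST>/([0-9]{1,3}[.]){3}[0-9]{1,3}/')
    grep -E "$pat" | awk '{ print $1 }'
}

# Constructed Apache combined-log lines: two scanners and one real visitor
# whose blog URL merely contains the word phpmyadmin.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [07/Jun/2013:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.5 - - [07/Jun/2013:10:01:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.9 - - [07/Jun/2013:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jun/2013:10:02:12 +0000] "GET /blog/phpmyadmin-howto.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.77 - - [07/Jun/2013:10:03:00 +0000] "POST /PMA/index.php HTTP/1.1" 403 0 "-" "python-requests"
EOF
}

write_filter
write_jail
echo "addresses the filter would report:"
sample_log | probe_hosts | sort | uniq -c
```

Once the files are under /etc/fail2ban, validate the regex against the real log with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-myadmin.conf, and watch the jail with fail2ban-client status apache-myadmin.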