SSH. Securing SSH with Key Based Authentication | Simon Holywell - Web developer in Brighton.
Certificates are a useful way of restricting access to your SSH server because a user must have three things to log onto the server: username, password and certificate. Normally they would only need to have a password and username, which can be guessed at or (potentially) brute forced. Forcing the user to supply a certificate on log on means that they must also have a tangible source of identification (without the key file they cannot log in!).
Creating the key pair
Log onto the server and run ssh-keygen and you will get asked a few questions as follows (enter a passphrase):
user@host$ sudo ssh-keygen
Generating public/private rsa key pair.
This will generate two files, id_rsa and id_rsa.pub, in your home directory (if you chose the defaults).
Add the public key
Now on the server run
user@server:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
user@server:~$ rm id_rsa
which adds the public key to the list of authorized keys for this user.
Activate the key based authentication on the server
To edit the config run.
Setting-up Chroot for SSH and for SFTP » IT Tips and Tricks. SSH with authentication key instead of password.
SSH with authentication key instead of password
Posted by neofpo on Thu 7 Jun 2007 at 09:42
SSH is a must-use tool for system administrators. However, resting access security on a human-entered password is not very wise. Script kiddies may break into your system due to a lazy user with a weak password. And it is beyond the system administrator's power to make users choose good passwords. The good news is that there is a way to leave remote access open and not have to worry about passwords. Another advantage of this method is that one does not need different passwords to log on to different servers. It is also possible to make logins with no password asked with this method.
How to do it
Generate the authentication key
On the client machine, the user must generate a public/private key pair that will identify himself on the servers. Protecting the keys with a password means that every time the user tries to connect to a server using those keys, the password for decrypting them will be asked.
Securing Debian Manual.
Abstract
This document describes security in the Debian project and in the Debian operating system.
Starting with the process of securing and hardening the default Debian GNU/Linux distribution installation, it also covers some of the common tasks to set up a secure network environment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. Copyright Notice Copyright © 2002-2013 Javier Fernández-Sanguino Peña Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright © 2000 Alexander Reelsen Some sections are copyright © their respective authors, for details please refer to Credits and thanks!
Logwatch Configuration in Debian
What is Logwatch?
Logwatch is a modular log analyser that runs every night and mails you the results. It can also be run from the command line. The output is by service and you can limit the output to one particular service. Logwatch generally ignores the time component in the output; that means you will know that the reported event was logged in the requested range of time, but you will have to go to the raw log files to get the exact details.
Logwatch Installation in Debian
# apt-get install logwatch
That's it, installation done. Now you need to configure logwatch. The main configuration file for logwatch is located at /etc/logwatch/conf/logwatch.conf. The default logwatch configuration file is shown below, and you need to change the options in this file:
# All these options are the defaults if you run logwatch with no # command-line arguments.
. # command-line. # You can put comments anywhere you want to. . # rest of the line. # this is in the format of <name> = <value> . # is removed. Print = No.
Install and Config Fail2Ban in Debian 7 Wheezy.
Fail2Ban (authentication failure monitor) is intrusion prevention software written in Python. Fail2Ban analyzes various services' log files (ssh, apache, postfix etc) and if it detects possible attacks (mainly brute-force attacks), it creates rules on the firewall ( and many others) or tcp wrappers () to ban (temporarily or permanently) the wannabe hacker.
At the same time, Fail2Ban informs the system administrator by email of its activity in real time. Some activities which are considered attacks are:
- multiple attempts at an ssh connection using accounts that do not exist in the system
- multiple attempts at an ssh connection switching passwords
- Apache requests for web pages often requested by bots and scanners.
You do not need fail2ban (not even iptables) if your hosting provider offers a dedicated hardware firewall.
Hardware firewalls such as the Cisco ASA 550 series and even smaller devices such as the FortiGate-60C can offer the protection which fail2ban offers (and more). Setup Configuration In summary:
Securing Webmin.
This chapter covers the steps you should take to add additional security to Webmin on your system once it has been installed. It explains both IP address restrictions and the use of SSL.
Network security
Unless you are running Webmin on a system that is never connected to any other network, it is a wise idea to restrict which client network addresses are allowed to log in. Because Webmin is so powerful, anyone who manages to log in will have total control over your system - as though they had root shell access. Even though a username and password are always required to log in, it is always good to have an additional layer of security in case an attacker guesses or somehow discovers your password. To restrict which IP addresses and networks Webmin will accept connections from, follow these steps: In the Webmin category, click on the icon for the Webmin Configuration module.
Figure 3-1 "The IP access control form"
SSL Encryption
Install the OpenSSL?
Requesting a valid SSL certificate.
HowTo/ChangeHostname.
This page explains how to change a system's hostname (i.e. rename a computer/server). Executive summary: hostname(1) isn't enough.
Core networking
Update /etc/hostname. Update /etc/hosts, so local address(es) resolve with the new system name. Reload the network configuration.
Application specific
avahi: Avahi is used to publish (announce) local services. invoke-rc.d avahi-daemon force-reload
Adjust /etc/printcap.
Ejabberd: Refer to the Change Computer Hostname section of the ejabberd Installation and Operation Guide.
Exim: Adjust /etc/exim4/update-exim4.conf.conf (hostname=).
Mailname: Adjust /etc/mailname.
Message Of The Day: Adjust /etc/motd.
OpenSSH server: Adjust /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key.pub and /etc/ssh/ssh_host_ecdsa_key.pub (root@hostname at the end).
Ssmtp: Ssmtp is a lightweight, send-only SMTP server. Adjust /etc/ssmtp/ssmtp.conf (hostname=, etc.).
Sysklogd Idea of script to help you on Intrusive script See also.
Iptables.
NOTE: iptables is being replaced by nftables starting with Debian Buster
Iptables provides packet filtering, network address translation (NAT) and other packet mangling. Two of the most common uses of iptables are to provide firewall support and NAT. Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools (wizards) available to assist: e.g., fwbuilder, bastille, ferm (wiki page), ufw (Uncomplicated Firewall, from Ubuntu).
Viewing current configuration
See what rules are already configured.
iptables -L
The output will be similar to this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This allows anyone access to anything from anywhere.
Storing iptables rules in a file
Note: there is a package designed to help with this: iptables-persistent #! See also.
HOWTO apache myadmin filter - Fail2ban.
I don't use PHP MyAdmin but I'm tired of the fools looking for it cluttering up my log files so I wrote a filter to trap them and ban them for a period of time. Most of the traffic I see comes from DHCP blocks issued to various ISPs so I don't want to ban them forever. First off, you'll want to configure the ignoreip directive in the jail.conf. If you have an ISP that does dynamic IP addressing you will need to follow these steps so that you do not ban yourself! You can locate your own external IP using Take that IP and plug it in here - which will tell you what range of IPs you fall into. Take that range of IPs and plug it into the CIDR calculator to get the CIDR notation to plug into the config file.
The top row of output that says "Network = 111.111.111.111/20" is the part you want. Open jail.conf in your favorite editor and find the line that says "ignoreip = 127.0.0.1" in the [DEFAULT] section and make it look like this.