These details cover only a few ways of securing your machine; there are countless others, and some are just too complex and simply not necessary. It is up to you to decide whether you want to secure your box and to what level you are willing to take your security. Remember that with security also comes complexity, but don't let this stop you.
User Passwords
The first step in securing anything that has users and passwords is to make sure that the passwords themselves are hard to find. You all know the banks' usual pitch, "don't keep your PIN on or near your KeyCard, blah blah blah", but they are right, aren't they? You should never carry a password around with you (except in your head).
One way of making sure your passwords are hard to guess or crack is to change them periodically. On top of this, it is always a good idea to make sure your passwords contain a combination of UPPERCASE, lowercase and special characters (such as @, $, & etc.); this makes it a lot harder for someone to work out the password, as there are simply more possibilities to choose from.
Another way that I would definitely recommend is the use of a random password generator. It provides a method of creating passwords of varying length that are completely secure (well, to a level; nothing is 100%, unfortunately). Random password generators or random text generators are readily available as CGI scripts or binary programs. They are also useful when you create accounts and want the person who will use the account to select a password: just generate one and then allow them to change it to what they want.
If you are running Red Hat on your machine then a random password generator is already provided; it can be used by typing mkpasswd ("mkpasswd - generate new password, optionally apply it to a user"). This can be used in scripts to create a random password generator for your website, or to assign a password to a new user on your machine. If you would like to see an example then you can find my cgi script here.
If you allow friends or other people to have certain access to your machine then you want to make sure that their passwords are secure; you can help them by providing access to the above-mentioned generator. Another way of verifying that they actually have a secure password is to regularly run a program that tries to "hack" the passwords of the user accounts. This is a good idea, as many wannabe hackers use scripts such as these.
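The password advice above (mixed character classes, a random generator, and checking that users really do have a secure password) can be put into a small script. The following is an added example written for this page, not the author's cgi script and not mkpasswd: it draws passwords from /dev/urandom and checks a candidate against a simple policy. It assumes a POSIX shell with tr, head and grep; the function names gen_password, check_password and gen_policy_password are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): generate random passwords with
# mixed character classes from /dev/urandom, and check a candidate password
# against a simple policy (minimum length plus the UPPERCASE / lowercase /
# digit / special-character mix recommended above). Function names are
# this example's own.

# gen_password [LENGTH]: print a random password of LENGTH characters
# (default 12) drawn from upper, lower, digits and a few specials.
# LC_ALL=C keeps tr byte-oriented so it does not choke on random bytes.
gen_password() {
    length=${1:-12}
    LC_ALL=C tr -dc 'A-Za-z0-9@$&#%!' < /dev/urandom | head -c "$length"
    echo
}

# check_password PASSWORD [MIN_LEN]: return 0 if PASSWORD meets the policy,
# 1 otherwise, printing one reason per line (or "ok").
check_password() {
    pw=$1
    min_len=${2:-8}
    status=0
    if [ "${#pw}" -lt "$min_len" ]; then
        echo "too short (need at least $min_len characters)"
        status=1
    fi
    # Each test asks: does the password contain at least one character of that class?
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'     || { echo "no uppercase letter";   status=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'     || { echo "no lowercase letter";   status=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'     || { echo "no digit";              status=1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[@$&#%!]'  || { echo "no special character";  status=1; }
    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# gen_policy_password [LENGTH]: keep generating until the result passes the
# policy; with a 12-character password this almost always succeeds first time.
gen_policy_password() {
    length=${1:-12}
    while :; do
        candidate=$(gen_password "$length")
        if check_password "$candidate" >/dev/null; then
            echo "$candidate"
            return 0
        fi
    done
}
```

Usage: `gen_policy_password 16` prints a password that passes the policy, and `check_password 'abcdefgh'` lists what a weak password is missing. The policy check is the defender's counterpart to the "hack the passwords" idea in the text: run it when an account is created rather than waiting for a cracker to find the weak ones.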
Securing Your Login (Encrypted Connection)
If you want a more secure login to your Linux box then you should use an SSH daemon rather than the standard telnet server or rlogin. SSH provides a compressed and encrypted connection to your machine and thus makes it harder for someone to sniff your connection and work out your password or any other sensitive information you don't want anyone to see (just think how bad it would be if someone worked out your root password by sniffing your connection as you ran the su command).
The first thing you will need to do is download an SSH daemon (server). The first one we used for this was found at www.ssh.com and downloaded from the Aarnet mirror here. The RPM is probably the easiest to download, but the source in .tar.gz format is also available. Once you have downloaded the daemon you will need to install it; we used the file ssh-2.4.0-1.i386.rpm, and you can install it simply by typing rpm -ivh ssh-2.4.0-1.i386.rpm at the console prompt. Once it has finished installing it will generate a key for the server (unless you previously had an SSHd on your system). Now you can run it. There are two ways: you can either make it run on port 23 in place of telnet, or run it on another port such as 22 and use telnet for your LAN (secure already) and SSH for your WAN (more vulnerable). It is recommended that you run them together; if you are worried about the telnet server being open to the outside world then you can block the port on the external interface (see instructions below). If you would like to read the manual before getting started then type man sshd; otherwise, to start the server just type /usr/local/sbin/sshd -p <port> (this example selected port 22 as it is similar to telnet's 23 and therefore easier to remember).
One good idea is to make your SSHd NOT permit users to log in as root; this is what telnet does by default. To set this up you must edit your sshd_config file (usually /etc/sshd_config) and change the PermitRootLogin yes line to PermitRootLogin no. While you are editing this file you can also do a number of other things, for example restrict the daemon to a specific IP address (the address it listens on) by modifying the ListenAddress 0.0.0.0 line, and a whole lot more, so have a look around while you are there.
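Editing the two directives above by hand is easy to get wrong on a machine you only reach over the network, so here is an added example (written for this page, not part of the original or of any SSH distribution) that sets a directive idempotently and shows the weak defaults beside the hardened values. It assumes a POSIX shell with grep, sed and awk; the functions and the sample config file are this example's own, and 192.0.2.10 is a placeholder documentation address standing in for the address you want sshd to listen on.

```shell
#!/bin/sh
# Added example (not from the original page): set a directive in an
# sshd_config file idempotently, then apply the hardening discussed above.
# Run it against a COPY of your real sshd_config and check the result with
# "sshd -t" before restarting the daemon. Functions are this example's own.

# set_sshd_option FILE KEY VALUE
# Rewrite an existing "KEY ..." line (even a commented-out "#KEY ..." one)
# to "KEY VALUE", or append the directive if it is not present at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        # A temp file instead of sed -i keeps this portable across sed variants.
        sed -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective (uncommented) value, if any.
get_sshd_option() {
    file=$1; key=$2
    grep -E "^[[:space:]]*$key[[:space:]]" "$file" | head -n 1 | awk '{ print $2 }'
}

# harden_sshd_config FILE: the settings from the text, weak value in the comment.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no         # was: PermitRootLogin yes
    set_sshd_option "$1" ListenAddress 192.0.2.10   # was: ListenAddress 0.0.0.0 (placeholder address)
    set_sshd_option "$1" Port 22                    # matches "sshd -p 22" above
}

# write_sample_config FILE: a constructed config mirroring the defaults the
# text describes (Port is commented out to exercise the uncomment path).
write_sample_config() {
    cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
#Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
EOF
}
```

Usage: `write_sample_config /tmp/sshd_config.test; harden_sshd_config /tmp/sshd_config.test; get_sshd_option /tmp/sshd_config.test PermitRootLogin` prints `no`. Because the rewrite matches commented-out lines too, running the script twice leaves one copy of each directive rather than appending duplicates.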
Another SSHd that is definitely worth trying is OpenSSH; this is apparently one of the best SSH daemons there is, with many configuration options. OpenSSH can be freely downloaded from www.openssh.com (as always, it is in our files section also), comes highly recommended, and can be installed similarly to the above.
Since SSH uses a more secure encrypted connection you will also need to install a client on your personal machine, or on any machine you want to use to connect to the server. Once again there are many different clients available, but we used SecureCRT. This was only available as a 30-day trial, but there are probably free SSH1 and SSH2 client programs available. Once you have downloaded your client you just need to install it (scrt33.exe).
To install SecureCRT just follow the regular Windows GUI installation procedure. When you get to the "Select Profile Options" dialog you can select either a Common Profile or a Personal Profile; your choice depends on whether you are on a shared computer and whether or not you trust the people that have access to your PC. When you get to "Select Protocols", you want as a minimum SSH1, SSH2, telnet and rlogin, so that you can use the program to access your box via any connection method. When the installation is complete it is time to test it all out. On your first run of the program it will ask you where you want to store your profile; just select the appropriate directory, or leave it as it is, and click OK. Once loaded, click the "Quick Connect" icon (second along from the left). Select SSH2 from the drop-down (as this is what we installed earlier), then type in the hostname (or IP address) of the machine you want to connect to. Enter the appropriate port number and then your username for the connection (this is the same as the account you would use for telnet etc.). Unless you want to save the session, uncheck the box, then click "Connect". If all goes well you should be prompted for your password (you can choose to save it) and then be able to use your machine as if connected from telnet.
Another, more portable SSH client is called PuTTY. This is a single executable binary file for Win9x/ME/NT/2k and can be downloaded from here. I personally prefer this program as it doesn't require installation of any kind and you can take it with you (i.e. when you are on a computer from which you need to log into your machine at home, you can just download the 220k file and you're away). The version used in this document is PuTTY Release 0.51.
To use PuTTY just double-click the downloaded executable and then enter your machine details, such as the IP address of the machine and the port that SSH is on (this should default to port 22, as used in the SSHd setup above). You can save your settings by specifying a name and clicking Save, and the great thing is that you can use PuTTY for telnet access also. Your settings should look something like this:
Now that you have configured the program you can click the "Open" button and it will connect to the specified machine. Please note that the first time you run PuTTY (or any SSH client, for that matter) you will be asked to save the security key, which is used to encode and decode the SSH session.
Once connected you can use this just as you would your normal telnet session. A good feature of SSH is that it will display the different colours that Linux distros use to tell you which is a directory and which is a file. (This is not possible in the Win98/NT telnet client, but it is in Win2k, as some of you may already know.)
To make your SSHd start when your box boots (an especially good idea if you are not using telnet anymore) you will need to add the command used above to one of your initialisation scripts, e.g. edit your /etc/rc.d/rc.local file and add something like the following line (at the end of the file):
echo "Starting SSHd Service..."; /usr/local/sbin/sshd -p 22
Next step: setting up your firewall...