http://www.Linux-Sec.net





    SSH - SSL


    Some Obvious Precautions
    • If you want/have a ( ssh/ssl based ) secure "login" server ...
      • You should have a different password for each service and server

      • You should NOT run telnet, use ssh securely instead
      • You should NOT run ftp, use scp securely instead
      • You should NOT run pop3/imap, use secure pop3s/imaps instead

      • You should NOT run ppp, put it on a different server...
      • You should NOT run dhcp, put it on a different server...
      • You should NOT run wireless, put it on a different server...

      • Put VPN/SSH connections coming from users' homes OUTSIDE your firewall, NOT inside on your important corp LAN

      • Put laptops OUTSIDE your firewall, NOT inside on your important corp lan

      • Those (insecure) services should be on a separate insecure server on an insecure private LAN outside your firewall - do NOT trust those insecure services

    Minimum Recommendations
    • Download and install the latest ssh from OpenSSH.org
      -- or --
    • Download and install the latest ssh from SSH
        -- ssh daemon (sshd), ssh clients (ssh) and secure ftp (scp)

    • Download and install the latest ssl from OpenSSL.org

    • Download and install the latest VPN if you still insist on allowing insecure connections from "home" where you, the corp admin, have zero control of their home network/environment

    SSH Clients for Microsoft Windows

    SSH Mailing List and Archives

    Blocking Annoying SSH Attempts

    • If they didn't get in, you just received a free 5-second audit of your system

    • Assuming that your sshd has been compiled with tcp_wrappers

    • vi /etc/hosts.allow
        # only allow incoming ssh connections from these 3 hosts
        sshd : 192.168.1.1 192.168.1.11 192.168.1.111

    • vi /etc/hosts.deny
        # Disallow everything
        ALL : ALL

    • now try to log in from those IP addresses and see if it works
    • try to log in from other machines and see if you get an error message
      • ssh_exchange_identification: Connection closed by remote host

    • Other ways to block incoming ssh connection attempts
    • You're in trouble ( cracked ) if you see something like this
      • ( we're assuming that your libraries and binaries have not been modified to hide the crackers )

      • netstat -v
         tcp 0 0 your-PC:port# hackers-ip:ssh  ESTABLISHED 

      • grep sshd /var/log/{messages,auth,syslog}
         Oct 27 22:58:55 YourPC sshd[pid]: Accepted password for USER from hacker-ip# port number ssh2 
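
    An added example (not from the original page) that ties the allow list to the log check above: it reads the sshd entry of a hosts.allow file and prints every "Accepted" sshd login in a log whose source address is not on that list. The function names, file contents and addresses are constructed, and only full literal IPv4 entries on a plain "sshd :" line are handled.

```shell
#!/bin/sh
# Added example, not from the original page; sample file contents are constructed.

# Print the IPv4 addresses listed on the "sshd :" line(s) of a hosts.allow file.
# Assumption: only full dotted-quad entries are recognised; prefixes,
# netmasks and host names are skipped.
allowed_ssh_hosts() {
    awk -F: '
        /^[[:space:]]*#/ { next }
        { d = $1; gsub(/[ \t]/, "", d) }
        d == "sshd" {
            n = split($2, h, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (h[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print h[i]
        }' "$1"
}

# Print "user address" for each successful sshd login whose source address
# is not on the allow list.  $1 = hosts.allow file, $2 = log file
unexpected_logins() {
    allowed=$(allowed_ssh_hosts "$1" | tr '\n' ' ')
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") addr = $(i + 1)
            }
            if (!(addr in ok)) print user, addr
        }' "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts.allow" <<'EOF'
# constructed sample allow list
sshd : 192.168.1.1 192.168.1.11 192.168.1.111
EOF
cat > "$tmp/auth.log" <<'EOF'
Oct 27 22:41:02 YourPC sshd[811]: Accepted password for alice from 192.168.1.11 port 40112 ssh2
Oct 27 22:58:55 YourPC sshd[907]: Accepted password for bob from 203.0.113.7 port 51514 ssh2
Oct 27 23:01:10 YourPC sshd[915]: Failed password for root from 198.51.100.9 port 33210 ssh2
EOF
unexpected_logins "$tmp/hosts.allow" "$tmp/auth.log"   # prints: bob 203.0.113.7
```

    Any line it prints is a login that tcp_wrappers should have refused, so either the allow list is not being enforced or the log covers a period before it was in place.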

    SSH Links

    SSL Links

    TLS
    Stunnel

    Kerberos Links

    Secure Telnet

    Secure FTP


    Copyright © 2000
    Linux-Consulting
    All Rights Reserved.
    Updated: Sat Jan 28 20:56:33 2006 PDT