What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 2 (Linux)

Screenshot of Alpine via SSH on a Debian Server

Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.

Server hardening is a simple concept, and it’s crucial if you want safety for your website. Essentially, just as with an end-user’s client machine, a server’s default settings are not built for high-end security. They’re built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.

We aren’t only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It’s been called “bootserverlicious” by P. Diddy and “P.-Diddy-riffic” by a worldwide consortium of boot servers.

To get a sense of server hardening on any of the major OSs, we are looking at three sources: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com (good info, though the language is a little rough); and “Baseline Server Hardening,” by Microsoft’s TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn’t distract from the extra-cheese, thick-crust pizza we’re inhaling.

How to Harden Your Linux Server without Having to Think

No one ever wants to have to think. Let’s not do it, then. Let’s refuse to think, and just feel our way to a hardened server. Don’t call me “baby,” though, please, because that’s disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.

1.    Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entities: DVD drive or anything else that’s connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be “moonsovermyhammy123987”; I recommend tattooing it on your lower back for safekeeping.

2.    Partitioning as a Standard: Think (no, don’t!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:

/

/boot

/usr

/var

/home

/tmp

/opt

3.    Packet Policies: Along the same line, you don’t want anything unnecessary. That’s the case with anything you’re doing online. Let’s face it: the web is essentially insecure. It’s like a dinosaur with a new outfit that she’s afraid to show off to her other dinosaur friends … sort of.

Here’s the command to check:

# /sbin/chkconfig --list | grep '3:on'

And here’s the command to disable:

# chkconfig serviceName off

Finally, you want to use yum, apt-get, or a similar program to show you what’s on the system; that way you can get rid of whatever you don’t need. Here are the removal commands for those two package managers:

# yum -y remove package-name

# sudo apt-get remove package-name

4.    Netstat Protocol: Using the command-line tool netstat, you see what ports are being used and what services are accessible through them. Once you’ve done that, use chkconfig to turn off anything that’s not serving a reasonable function, such as a service that’s just counting over and over again to a billion but won’t tell you why. See below and this netstat-geared article for more specifics.

# netstat -tulpn

5.    SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as “plain text” (no “scramble” prior to transfer, basically).

You typically don’t want to log in via SSH as the root user. Log in with a regular account and use sudo to run privileged commands instead. Sudo’s rules live in /etc/sudoers; you can customize them using visudo, which opens the file in the vi editor.

Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it’s not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:

# vi /etc/ssh/sshd_config

  1. PermitRootLogin no
  2. AllowUsers username
  3. Protocol 2
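
A small audit for the SSH settings above, as an added example that is not part of the original post: it checks the port change and the three directives, and also catches a Match block that quietly turns root login back on. The sample configs, the user name and the port 2222 are constructed; an absent Protocol line passes because current OpenSSH releases speak only protocol 2.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Audits an sshd_config for the
# settings above; prints PASS/FAIL per check, returns non-zero on any FAIL.
# Simplification: expects "Keyword value" separated by whitespace.
audit_sshd_config() {
    awk '
        function report(ok, msg,   tag) {
            tag = ok ? "PASS" : "FAIL"
            if (!ok) fails++
            print tag, msg
        }
        /^[ \t]*#/ || NF == 0 { next }               # comments, blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match {                                   # conditional overrides
            if (tolower($1) == "permitrootlogin" && tolower($2) != "no") override = 1
            next
        }
        {
            key = tolower($1)                        # keywords are case-insensitive
            if (!(key in val)) val[key] = $2         # sshd uses the first value it reads
        }
        END {
            report(tolower(val["permitrootlogin"]) == "no", "PermitRootLogin no")
            report("allowusers" in val, "AllowUsers lists permitted accounts")
            report(!("protocol" in val) || val["protocol"] == "2", "Protocol 1 not enabled")
            report(("port" in val) && val["port"] != "22", "Port moved off 22")
            report(!override, "no Match block re-enables root login")
            exit (fails > 0)
        }
    ' "$1"
}

# Constructed sample configs (hypothetical user and port, not from a real host).
demo=$(mktemp -d)
printf '%s\n' '# stock-style config' 'Port 22' 'PermitRootLogin yes' > "$demo/weak"
printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' 'AllowUsers alice' \
    'Match Address 10.0.0.0/8' '    PermitRootLogin yes' > "$demo/match"
for f in weak match; do
    echo "== $f"
    audit_sshd_config "$demo/$f" || echo "-> $f needs attention"
done
rm -rf "$demo"
```

After editing the real file, `sshd -t` checks it for syntax errors before you restart the service, which matters when a mistake can lock you out of a remote server.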

Conclusion & Continuation

All right. Basic explication: Done. Linux: Done (well, it’s significantly more complex than discussed above; see here for further details). Windows: Next.

Finally, I assume if you’re reading this article, you might want to take a gander, or even a poke, at our dedicated servers, VPS hosting, or colocation.

By Kent Roberts

Authorized SSH Access

How many of you are still confused by the terminology SSH, aka Secure Shell? Today I’ll point you in the direction of some commentators with either hands-on experience or theoretical understanding to discuss it in different ways, with the hopes that one of the methods of explanation will stick for each of us.

Authorized SSH Access

Structure of an SSH binary packet

From rabbitbytes.wordpress.com – 2 weeks ago

Also known as remote SSH access without passwords, Secure Shell (SSH) and its related utilities (SCP, slogin) should be used whenever possible to provide encrypted data communications.

The owner of the Rabbit Bytes blog is a Systems Administrator for a Linux server. He goes into great detail here with excerpts of command line code in a step-by-step guide that will help you set up password-free (that’s what SSH is) access to your Linux server. Basically SSH “Tunneling” is a secure means of encrypting access to your root server, from a remote access point. You may also be familiar with the term “salt” – as in providing a salt key for example to your private WordPress Blog article. This is something similar.

Perhaps an SSH broadcast will help explain things better than I, though…

The Linux Action Show! | Jupiter Broadcasting


Linux’s Wirecast Problem | The Linux Action Show! | Jupiter Broadcasting | How to Grow Your Business Online | Scoop.it

From www.jupiterbroadcasting.com – 3 weeks ago

This week we come clean on why the world’s #1 Linux podcast is edited on a Hackintosh, as well as what it’s going to take for things to get any better.

Juliana Payson‘s insight:
One of my favorite things about the Droid DNA is the SSH app allowed me not to have to carry around my laptop because I can do most simple remote administration from there. Does anyone know of any good SSH apps out there? Here in the Linux show they go on to review a couple of remote access “Tunneling” SSH apps. They even go on to explain when you should use SSH over Virtual Private Network or VPN.

Remoter for Mac 1.4.0 – Remote Access For Mac Made Easy

Screen Sharing

From themactrack.com – Today

Remoter Labs today announces Remoter 1.4.0 for OS X, an update to their productivity app that allows users to remotely control Macs, via Screen Sharing, and Windows or Linux PCs, using the VNC.

We saw from the Linux show that they actually edit their podcast from their Mac. They come clean with it because they recognize that Linux has some ways to go to catch up to professional media editing. Well, for those that are fully soaked in Mac due to your media profession, I’ve found a cool SSH app for the OS X that allows you to tunnel into your remote server from a completely different operating system.

by – Juliana