Page last updated:
2006 Sep 21 13:52

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.


Re: [vox] security dilemma

On Wednesday 20 September 2006 09:19 pm, Cylar Z cylarz-at-yahoo.com |lugod| 
> Hey all,
> I have a security-related question and would like to
> solicit your advice on the best way to lock down my
> system, given the situation.
> My Redhat system is on a network, has a public static
> IP, and is exposed to the full traffic of the Internet
> - no DMZ or router/firewall protection. (I've
> considered adding a small router in front of it, but
> that is a separate issue.)
> I'm using an iptables firewall along with TCP
> wrappers. These two measures bolster system security
> by only allowing connections from a limited set of IP
> addresses where I and/or authorized users should be
> coming from while accessing the system remotely via
> SSH2. (All other connections are automatically denied
> by the firewall). I've also implemented some secondary
> security measures, but TCP wrappers and the firewall
> stop over 99% of break-in attempts.
> Here's the issue. As with many broadband customers, my
> IP changes occasionally, and every so often, my
> assigned client IP address falls outside of the range
> defined by the firewall and/or TCP wrappers on the
> remote Red Hat server. However, expanding the range of
> IPs it allows to try logging in is a problem for two
> reasons:
> 1. I don't know the full range of IPs offered by my
> ISP. The pool of possible IPs I've so far been
> assigned from is HUGE - ranging over at least 4 Class A
> address groups, based on the ones my ISP has pushed at
> me so far. Meaning the IP assigned varies anywhere
> between 70-73.XXX.XXX.XXX.
> That is a huge amount of addresses to leave open,
> since potentially many thousands of attackers would be
> able to bypass both of my primary security measures
> and have a shot at guessing a user/pass combination
> that would let them onto the system.
> 2. My logs have recorded numerous break-in attempts on
> the server, by individuals originating from the range
> listed above. So again, I'd prefer not to just open
> the entire range, since that lets attackers past my 2
> best security layers. Even if I wanted to open the
> whole range, how would I find out what the range was?
> The tech support people aren't going to know the
> answer to a question like that.
> Any advice would be much appreciated. On the one hand,
> I'm sick of getting either locked out of my own system
> when my IP changes. On the other, I'm sick of people
> who have the same ISP as I do, trying to crack into my
> server.

You have several possible options:

1) Security through obscurity.  Put SSH on a random high port.

2) Port Knocking.  You send a series of SYN packets to your firewall and it 
temporarily opens the port. See google for more info.

3) Run dyndns on your broadband connection, and use cron to re-resolve your 
IP on a regular basis, and update an iptables rule.

Ryan Castellucci - http://ryanc.org/
GPG Key: http://ryanc.org/files/publickey.asc
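Option 3 above, worked through as an added example (this is not code from the original post or from LUGOD): a cron-driven script that re-resolves a dynamic-DNS name and swaps the matching allow rule in iptables. The hostname home.example.org, the chain name SSH_ALLOW, the state file path and the DRY_RUN switch are assumptions for the example; it also assumes dig(1) is installed and that the chain already exists and is reached from INPUT for the SSH port (iptables -N SSH_ALLOW; iptables -I INPUT -p tcp --dport 22 -j SSH_ALLOW).

```shell
#!/bin/sh
# Added example: keep an iptables allow rule in step with a dynamic-DNS name.
# Assumed: DDNS_HOST is updated by a DynDNS client on the home connection,
# chain CHAIN exists and INPUT jumps to it for SSH traffic, dig(1) is present.
# Run from cron, e.g. */5 * * * * /usr/local/sbin/ssh-allow --run

DDNS_HOST=${DDNS_HOST:-home.example.org}       # assumed name; replace with yours
CHAIN=${CHAIN:-SSH_ALLOW}
SSH_PORT=${SSH_PORT:-22}
STATE_FILE=${STATE_FILE:-/var/lib/ssh-allow/last_ip}
DRY_RUN=${DRY_RUN:-}                            # non-empty: print commands, do not apply

# Resolve the name to its first A record; empty output means no usable answer.
resolve_ip() {
    dig +short "$1" A 2>/dev/null | grep -m1 -E '^[0-9.]+$'
}

# Accept only a dotted quad with every octet in 0-255. A DNS answer is
# unauthenticated input, so nothing else may reach the iptables command line.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that admit NEW and then retire OLD. Inserting before
# deleting leaves no instant in which neither address is allowed.
rule_commands() {
    old=$1 new=$2
    printf 'iptables -I %s 1 -s %s/32 -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$new" "$SSH_PORT"
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        printf 'iptables -D %s -s %s/32 -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$old" "$SSH_PORT"
    fi
}

# Resolve, validate, compare with the last applied address, apply the swap.
# On any doubt the existing rules are left untouched rather than widened.
update_allow() {
    new=$(resolve_ip "$DDNS_HOST")
    if ! valid_ipv4 "$new"; then
        echo "ssh-allow: no usable A record for $DDNS_HOST (got '$new'); rules unchanged" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$old" = "$new" ] && return 0          # unchanged: nothing to do
    rule_commands "$old" "$new" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then printf '%s\n' "$cmd"; else sh -c "$cmd" || exit 1; fi
    done || return 1
    mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$new" > "$STATE_FILE"
}

if [ "${1:-}" = "--run" ]; then
    update_allow
fi
```

Two caveats a practitioner should keep in mind with this approach. The DNS answer is not authenticated, so anyone who can spoof it (or who takes over the DynDNS account) can allow-list themselves; the rule therefore only restricts who may reach sshd and must not replace strong authentication on sshd itself. And the window between an address change and the next cron run is a lock-out period, so keep the DynDNS TTL and the cron interval short, and give TCP wrappers the same treatment (regenerate the sshd line in /etc/hosts.allow from the same resolved address) or the second layer will still refuse the new address.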