Hello, I have an archlinux box that exposes a few services on the internet. The only visible ports are the ones for ssh and for OpenVPN.
I had a look at the logs with journalctl and I found a lot of failed access attempts from machines in China. I don't want my box to be owned, so I'm thinking of hardening it.
What I am doing first is to set up ssh to accept only certificate-based connections, so I'm going to change my /etc/sshd_config in the following way:
PermitRootLogin no
PasswordAuthentication no
Is there anything else I can do to prevent unauthorised access to my machine?
Offline
That's a good start. If you want to get rid of some of the noise in your logs you could configure rate-limiting in iptables: http://www.debian-administration.org/ar … onnections. You could also configure MaxAuthTries & LoginGraceTime to something low, to make it more difficult to brute-force. These are explained in `man sshd_config`.
Offline
Thanks for your answer. I'm going to change my configuration, taking them into account.
Offline
For openvpn this list seems to be pretty complete: http://darizotas.blogspot.de/2014/04/op … sheet.html
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
In this guide I found some other useful tips, like creating a group for the users I want to be able to access the system via ssh and limiting the number of unauthenticated connections.
Offline
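An added example, not part of any post in this thread: a small audit that reads an sshd_config and reports which of the settings suggested above are still missing. The thresholds (`max_tries`, `max_grace`), the sample config and the use of `AllowGroups` for the "group of ssh users" tip are assumptions; `Match` blocks and `Include` files are not evaluated.

```python
import re

# OpenSSH defaults for the keywords checked here (see `man sshd_config`).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "maxauthtries": "6", "logingracetime": "120", "allowgroups": ""}

# Constructed sample config, not taken from the thread.
SAMPLE = """\
PermitRootLogin no
passwordauthentication no
PasswordAuthentication yes
LoginGraceTime 2m
"""

def effective_settings(config_text):
    """Global settings only; sshd keeps the first value it reads for a keyword."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # simplification: skip conditional blocks
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **settings}

def seconds(value):
    """Convert sshd time formats such as 30, 90s, 2m or 1h30m to seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value.lower()))

def audit(config_text, max_tries=3, max_grace=30):
    """Return findings; max_tries and max_grace are assumed thresholds."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if int(s["maxauthtries"]) > max_tries:
        findings.append(f"MaxAuthTries {s['maxauthtries']} exceeds {max_tries}")
    grace = seconds(s["logingracetime"])
    if grace == 0 or grace > max_grace:   # 0 means no time limit at all
        findings.append(f"LoginGraceTime {grace}s is unlimited or exceeds {max_grace}s")
    if not s["allowgroups"]:
        findings.append("AllowGroups is unset, so no group restriction applies")
    return findings
```

On a live host, the output of `sshd -T` can be fed to `audit()` instead of the file, since it prints the effective configuration after `Include` files are resolved.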
For ssh:
Require keys, disable password log in.
Use a tool like sshguard or fail2ban to limit brute force attacks
Block China at the firewall.
Move the ssh service to a different port
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
I've been using denyhosts, which is simple to set up and quite effective.
Offline