Archlinux fronting the Internet

ftornell · 2009-05-27 12:25:21

Hi,
Was thinking of running Arch on one of my servers at home and open up for SSH in the router (portforward) to the arch server.

If I only run a basic archinstall with samba and a sshdaemon its kinda safe right?

I know the threat is always higher if you have more services running on the box but will only hold samba for local filesharing and ssh to connect to the server from my work!

fukawi2 · 2009-05-27 12:38:23

1. Run it on a non-standard port such as 2222 or 1022 etc.
2. Disable root login
3. Allow connections only from certain source addresses if possible.
4. Use key based authentication instead of passwords.

I run several Arch servers exposed to the internet with the above precautions and never had a problem.

.:B:. · 2009-05-27 14:11:28

And a nice firewall that closes up all possible holes (not just inbound traffic, also outbound traffic). You can't lock that stuff down enough .

Daenyth · 2009-05-27 14:39:52

I also like to put an "AllowGroup sshusers" into sshd_config, that way only users in that group can do a remote login.

ftornell · 2009-05-27 21:40:57

Thx guys, many suggestions...
Just one thought...what is key based authentication?

fukawi2 · 2009-05-27 23:06:11

Daenyth wrote:

I also like to put an "AllowGroup sshusers" into sshd_config, that way only users in that group can do a remote login.

Ah yes, I knew there was one I forgot, thanks

ftornell wrote:

Thx guys, many suggestions...
Just one thought...what is key based authentication?

http://www.ibm.com/developerworks/library/l-keyc.html
http://pkeck.myweb.uga.edu/ssh/

Last edited by fukawi2 (2009-05-27 23:07:34)

ngoonee · 2009-05-27 23:11:23

Port-knocking is a must i think. Simple to setup. of course, you'd need other security too

fukawi2 · 2009-05-27 23:29:39

ngoonee wrote:

Port-knocking is a must i think. Simple to setup. of course, you'd need other security too

Certainly another tool on the belt, but I wouldn't call it a must. Disallowing root login is a must.

robmaloy · 2009-05-29 10:57:42

fukawi2 wrote:

ngoonee wrote:
Port-knocking is a must i think. Simple to setup. of course, you'd need other security too
Certainly another tool on the belt, but I wouldn't call it a must. Disallowing root login is a must.

changing the port too, or you will end up with hundreds of megabytes of failed logins in auth.log

btw can i set iptables to run a program/script when a packet matches a rule (passing source ip+port preferably)?

fukawi2 · 2009-05-29 11:43:02

No... That would be a very quick way for someone to DoS your server.

Arch Linux

#1 2009-05-27 12:25:21

Archlinux fronting the Internet

#2 2009-05-27 12:38:23

Re: Archlinux fronting the Internet

#3 2009-05-27 14:11:28

Re: Archlinux fronting the Internet

#4 2009-05-27 14:39:52

Re: Archlinux fronting the Internet

#5 2009-05-27 21:40:57

Re: Archlinux fronting the Internet

#6 2009-05-27 23:06:11

Re: Archlinux fronting the Internet

#7 2009-05-27 23:11:23

Re: Archlinux fronting the Internet

#8 2009-05-27 23:29:39

Re: Archlinux fronting the Internet

#9 2009-05-29 10:57:42

Re: Archlinux fronting the Internet

#10 2009-05-29 11:43:02

Re: Archlinux fronting the Internet

Board footer