On Feb 26, 2011 7:18 PM, "Slicky Johnson" <slickyjohnson@gmail.com> wrote:
>
> On Sat, 26 Feb 2011 23:46:25 +0000
> Brian <ad44@cityscape.co.uk> wrote:
>
> > On Sat 26 Feb 2011 at 16:12:33 -0700, Aaron Toponce wrote:
> >
> > > Either way, you're exposing your internal network to the Internet
> > > if you don't have good security procedures in place. Have a strong
> > > password (I recommend http://passwordcard.org), chroot jail your
> > > daemon, use remote logging, and take advantage of strict firewalls.
> > > In other words, lock it down.
> >
> > If the strong password is being used by only one person (which appears
> > to be the case here) in what sense is it lacking if it is the only
> > security in place? Doesn't it give sufficient lockdown?
> >
> >
>
> Well this thread could certainly go on forever.
I agree with this. And there are a few harden* packages that help prevent you from installing absolute crap :)
My only real addition to this is get familiar with how to add deny rules to iptables. Then, every time pam reports that ssh got a bad pass and you didn't do it, block it.
I also wouldn't use a gateway box for anything other than snort and forwarding traffic. Get another crappy box for ssh (if you do openvpn you might have to upgrade though).
>
> Jason, also have a look at the securing Debian manual with attention on
> ssh. Perhaps removing passwords all together and only using a key, no
> root, etc. From experience I will say moving your listening port from
> 22 to something else will keep your logs fairly clear. Internet facing
> machine I'm looking at right now only had 8 packets hit 22 yesterday.
> Dropped of course and not by chance from the same Chinese IP.
>
Yeah, if you setup snort on an external box you get to see all the people who scan the internet every day.
Also, if your ip changes too offer, I'd just email it to me when it changes. However, my current isp hasn't changed my ip sense I got the service a year ago so I just trust that they're not going to change it on me at random.