On Thu, 2005-04-28 at 06:33 -0700, Mike Hoy wrote:
> Hi,
>
> I just set up a new server with FC3. After reading George Toft's
> presentation on security I thought it would be a good idea. I had Gentoo
> installed and probably it was being hacked all the time, I don't know.
>
> Today in my new install of FC3 I was told as root that I 'had new
> messages', in /var/spool/mail/root, so I checked it out.
> Somebody has been trying to ssh into my acct with all kinds of usernames
> and apparently with no success. I'm told this is called ssh hammering
> and I need to set up iptables. I need to get started on tightening up
> security on this thing. My server runs a website and ssh will need to be
> running.
> My question (I'm sure more to come):
> I was told I can set ssh up so that root can only access ssh from
> 127.0.0.1. How do I go about doing that?
----
edit /etc/ssh/sshd_config - it should be obvious where the changes should
be made but if not, let us know.
----
> Also how can I make my personal
> username have access to /whatever/apache/htdocs/* so I don't have to be
> root to edit things.
----
generally easier to have each user put their web pages in their own
directory

# getent passwd|grep craig
craig:x:500:500:Craig White:/home/craig:/bin/bash

mkdir /home/craig/html
chown craig:dom_users /home/craig/html

edit /etc/httpd/conf/httpd.conf to serve this directory

note that craig has a valid shell

note that I never use ftp for upload and thus don't turn on ftp at all but
use scp/sftp

note that a serious look at what you are doing with iptables is important
on any computer directly exposed to the internet

note that I generally don't use the standard port 22 for sshd any more
because of the experiences that you are observing but rather move it to
an unprivileged port (> 1024)

If you want to keep port 22 and sshd active, you might want to look at
some scripts that identify these types of attacks such as...

http://bluedogsecurity.cyberinfo.se/ssh_block/
http://linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry

Craig
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
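The sshd_config change Craig refers to (root allowed only from 127.0.0.1), spelled out as an added example that is not part of his post or of the list thread. It uses OpenSSH's AllowUsers USER@HOST patterns; the non-root account name "mike" is a constructed placeholder, and the sample config is written to a temp file so nothing touches the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not Craig's post: an sshd_config fragment that limits
# root to logins from 127.0.0.1 using OpenSSH's AllowUsers USER@HOST
# patterns, plus a small audit function. The account name "mike" is a
# constructed placeholder for the non-root login.

# Constructed sample config written to a temp file so the script runs
# offline without touching the real /etc/ssh/sshd_config.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2
# Must not be "no", or the AllowUsers root@127.0.0.1 entry below can never match.
PermitRootLogin yes
# Once AllowUsers is present, every user NOT listed is refused, so the
# ordinary account has to be listed too. root is pinned to loopback.
AllowUsers root@127.0.0.1 mike
EOF

# audit_sshd_config FILE
# Prints "ok" and returns 0 when an AllowUsers line exists and every
# entry naming root is pinned to 127.0.0.1; otherwise prints the
# problem and returns 1.
audit_sshd_config() {
    cfg="$1"
    # Pipeline ends in sed, so the assignment stays safe under "set -e"
    # even when grep finds nothing.
    allow=$(grep -i '^[[:space:]]*AllowUsers' "$cfg" \
            | sed 's/^[[:space:]]*[Aa]llow[Uu]sers[[:space:]]*//')
    if [ -z "$allow" ]; then
        echo "no AllowUsers line: root may log in from any address"
        return 1
    fi
    for entry in $allow; do
        case "$entry" in
            root@127.0.0.1) ;;   # root pinned to loopback: fine
            root)
                echo "root allowed from any address"
                return 1 ;;
            root@*)
                echo "root allowed from: ${entry#root@}"
                return 1 ;;
        esac
    done
    echo "ok"
    return 0
}

# Stand-alone run against the constructed sample; expected: ok
audit_sshd_config "$SAMPLE_CFG"
```

Two things to keep in mind when applying this for real: AllowUsers is a whitelist, so any account not on the line (including the one you administer from) is locked out the moment sshd is restarted, and `sshd -t` will check the edited file for syntax errors before you restart.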