SSHFS:
sshfs is a filesystem client based on the SSH File Transfer Protocol.
Since most SSH servers already support this protocol it is very easy to
set up: i.e. on the server side there’s nothing to do. On the client
side mounting the filesystem is as easy as logging into the server with
ssh.

If you don’t already have sshfs installed or don’t know if you do or not you can run this command and install it:

    sudo apt-get install sshfs

This will also install fuse-utils and libfuse2, which are required.

Now, we are going to make a place to mount the remote file system locally. I usually just make a directory in my home directory to mount to because it is going to make a desktop icon for us to use anyway (At least on Ubuntu it will). The name I use for all my examples of my server is shual so I make this directory now.

    mkdir ~/shual

Now it is time to mount the remote file system, make note you can mount any folder or sub-folder that the user you are using has access to.

    sshfs www-remoteuser@example.com:/var/www ~/shual

At this point you will either have to give your password and the remote system will be mounted for your use.

Now I guess you need to know how to unmount it

    fusermount -u ~/home-pc

Enjoy and Have a Good’n!

Each menu option will allow you to open an SSH session in a new terminal window. You can organize the connections into groups of hosts using separator bars or sub-menus. You can even open all the connections on a submenu (in separate windows or tabs) with one click.

Here’s a killer feature found in SSHMenu , imagine you just connected to a production server and the terminal window had a red-tinted background, to remind you to tread carefully, well using terminal profiles, SSHMenu allows you to specify colours, fonts, transparency and a variety of other settings on a per-connection basis. You can even set window size and position, talk about convenient.

The latest source distribution can be downloaded from here, but you’ll probably want to get a pre-built package for your platform if possible.

If you’re running Debian, Ubuntu, etc … you can install the packages directly from the repository locate here. Downloading from these repositories will ensure that the Ruby and GTK dependencies are resolved automatically.

There are manual installation instructions that describe all the files in the distribution and where you need to put them on your system to make them work. This information is really targeted at people who wish to build packages for other OS distributions.

For more information setting up SSHMenu you can visit this page http://sshmenu.sourceforge.net/setup/

Enjoy and Have a Good’n!

You do have a regular user account don’t you well you should. One of the first thing s most installations these days ask for is a regular user account to be setup. Before we begin, you should make sure that you have a regular user account and that you can su or sudo to root from it.

The sshd_config file, is the main configuration file for the sshd service. Not always, but it’s usually it can be found in /etc/ssh/. Open the file up while logged on as root.

# vim /etc/ssh/sshd_config

Find this section in the file

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

Changethe following to look like this.

PermitRootLogin no

Reload your SSHD service configuration.

# /etc/ini.d/sshd force-reload

Your done. You should now be able to log into your server using your regular user account then su or sudo to root.

The first thing you need to do is make sure you have SSH and SSHD installed on the remote server. Second make sure that RSAAuthentication yes is set in your “/etc/ssh/sshd_config” and restart SSHD if you changed your configuration file.

# /etc/init.d/sshd restart

OK, now we are ready to setup your RSA keys. On your local machine (not the server) your notebook, desktop whatever computer you are most likely using now to read this you need to generate your Key Pair

# ssh-keygen -t rsa

Now you will be prompted for some information here follow the instructions as this can be different on different distros. When you get the question about a pass phrase you can just hit enter and you will not need to enter a password when SSHing into the system. This will generate a few files in your “~/.ssh” folder, the most important for what we are doing is id_rsa.pub. This file is the public half of your newly create RSA key pair, which we will need to upload to our server.

# scp ~/.ssh/id_rsa.pub <username>@example.com:~

Now that we have our key uploaded to the server we can login and finish the setup. Once you have SSHed into the server (the remote machine) you will need to concatenate the public key into the “~/.ssh/authorized_keys” file. If the ~/.ssh folder does not exists create it and then run the following.

# cat id_rsa.pub >> ~/.ssh/authorized_keys

You are now finish setting up your RSA keys and are ready to test by logging out and logging back into the remote machine.

sshd_config

Change the port:

The first and probably the easiest way to dramatically reduce the number of brute force cracking attempts on your server is to change the port that SSHD listens on. By default SSHD listens on port 22 and one of the most commonly used application used to troll for servers with SSHD scans port 22 by default. It is also common knowledge that hackers or crackers will use default port with the assumption; If some took the time and trouble to change their default ssh port, they probably have other methods in place to track my actions, thus moving on to the next server that is an easier target. Plain and simple just change the port which SSH runs on to something random above port 1024.

Denying Access:

I like denyhosts but there are also other applications which will accomplish the same thing but I just prefer this one. The basic concept here is that we want to block or deny certain IPs once we determine that the user from this IP is attempting a brute force attack of the SSH port.

Installing denyhosts (Article Coming Soon)

Disallow root login

Two reasons for this are simple if you think about it. One, the root account exists on all linux machines and is one of the first accounts that any would be intruder is going to attempt to login as. Two, this is the do all end all account, in other words if this account is compromised it’s game over.

The protocol:

most modern day systems are going to be using protocol 2 only but some older distros may still be using protocol 1 or both. This should be pretty straight forward here, the developers that develop SSHD decided that protocol was needed and more secure so why not use it. Would you watch TV on a black and white unit?

Final Thoughts

Securing ssh is not hard at all and with a little care and foresight you can save your self a lot of headaches.

The 101s

In this section I am just going to highlight the common knowledge stuff here. If you are looking for more details of specific things you can do to harden a given service it will be covered in the Advanced Tips section. In the Tips section I will draw out step by step or I will direct you to another article which clearly details what you can do to harden that given service.

Upgrade your system, applications, and the kernel and do it religiously

Hands down most systems are compromised due to lack of diligence when it comes to keeping their servers up-to-date. Most linux distros these days come with some type of package management solution and a way to automate the process of updating the system. It they provide it use it is my motto.

Shadow passwords (system level) and encrypt passwords on the web

Securing your passwords is essential. I can’t count how many times I have seen people storing passwords plain text and thought to myself are these people for real. Think about this for a second, if I can just read your password what stops me from using it. I want troll here long but please encrypt those passwords.

Use smart passwords

I know I said I would not troll long on the password subject but come on. The first thing we do when loggin into a server is to plug a password in somewhere ssh, telnet, smtp, or some custom application you have written to access the server the list goes on and on. Guess what guys, the first thing a hacker or cracker is gonna try is plugging a password in those same programs.

Use secure shell (ssh)

Ok you should be shot if you are still using telnet. Some of you are saying, “but my host provider does not provide ssh”, guess what time to get a new service provider. SSH2 is the only way to go as far as remote access goes. It can be used as a poor mans VPN solution, SFTP, and you can even set up a SOCKS proxy with it. This is a must, I repeat this is a must if you need remote access to your server.

Restrict access to services

Firewalls are your best friend. There are about two dozen firewall apps out there to chose from you just need to figure out what works best for you. I do recommend if you can install a hardware firewall but if you can’t at least use a software firewall. Other apps you can use here are iptables, denyhosts, fail2ban, and I am sure you can think of some I can’t.

Turn off or remove unneeded services

If your are not using a service or don’t know what a service is for shut it down. Not only will you be closing security holes but you will be freeing up resources as well. At the very least you should restrict access to just the ports you need open for your server, this usually means port 80 for apache, your custom SSH port and maybe SMTP or your DB (MySQL, SQL, Oracle, what ever DB you use) port all though I don’t recommend this.

Automate the restriction of services to “bad guys” or at the least install an intrusion detection software

If you don’t how to write a shell script and set up cron jobs, now is the time to learn. First it is not that hard to learn and second they can save loads of time and as we all know time is resource we don’t have enough of. Second when it comes to managing, and maintaining a linux server, you are going to repeat tasks over and over so why not have a shell script run at regular intervals to the repeat work for you. You can use denyhosts in conjunction with an automated shell script to create iptables based on the denyhosts application entries to just drop those services for offending ips. At the very least you should install something like tripwire so you know what is happening to your server while you sleep.

Treat your server like it is a money tree

You should not need an explanation here. Your server is making you money right? Even the weekend hobbyist can make money off of google adsense. You should treat your server with the same respect that you would any other resource in your company or hobby. The more care you give it, the better it will preform so do your self a favor and watch it closely and protect it at all times.

Applications, Scripts, and Commands

You need to take some time right now and familiarize yourself with the following apps, scripts, and commands. I can already hear some of you saying OK, another list that does not include blank, tell you what I will listen to your pleas send me an email (webmaster[at]blogternals[dot]com) with a subject of  “Linux Server Secure Guidelines” plea your case and I will include your script in the list. Some of you think I am kidding but I will even you give credit for your contribution if you take the time to compose that email.

Anyway without further delay:

awk - is a general purpose programming language that is designed for processing text-based data, either in files or data streams.
bash - is a free software Unix shell written for the GNU Project.
crontab - is a daemon for automating tasks.
dig - DNS lookup utility.
denyhosts - is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring the log files
free - Display amount of free and used memory in the system.
grep - print lines matching a pattern.
iptables - is a user space application program that allows a system administrator to configure the tables provided by Xtables and the chains and rules it stores.
logwatch - utility for off site monitoring log files.
namp - Network exploration tool and security / port scanner
ps - report a snapshot of the current processes.
ssh - OpenSSH SSH client (remote login program)

Advanced Tips and Tricks

I will make the same comment here about if you don’t see it send me an email and I’ll put it here or you could sign up for an account here, write the article, and I will publish it. (webmaster[at]webternals[dot]com)

• Securing SSH
• Securing Apache – (Coming Soon)
• Securing MySQL