Lock Down Your Server

The internet can be a dangerous place.  Data and personal information can be attacked from malicious hackers, script kiddies, and open relays.  The open relay option even provides the user the added bonus of anonymity. 

The logical solution would be to hide everything behind a firewall and lock it down.  While data is safer behind a firewall, the experienced hacker might still be able to access it.  Firewalls can also be a hindrance to remote data access.  With larger number of companies choosing to cut cost by moving to remote offices for employees it is vital that they balance data protection against data access.  Even if companies do not have telecommuters on their work force, they may need remote data access for traveling workers or even for clients.  Whatever the reason, it is vital that they be able to access the data while protecting it as well.

There are several problems with remote connections.  For example, when using user name and password authentication, if that information is captured the entire network is compromised.  Another would be passing data in clear text which leaves personal data exposed. 

Now that we've looked at some of the problems with having remote access to data, what are options for a solution?  An excellent choice is a virtual private network (VPN), which allows for secure authentication, host/client validation, and passwords behind keys.  Another option would be a secure shell which allows for secure authentication, can use keys, and can be included with all UNIX/Linux.

Secure Shell

Secure Shell (SSH) is a protocol, not a shell.  The SSH allows a connection to BASH, which is a Unix shell.  The SSH offers secure authentication, secure file transfer, secure remote command execution, and implements PK Infrastructure.

Port Forwarding is an option with SSH.  Standard SSH Port is Port 22, however you can forward this port to another server.  That server must also have a firewall.  SSH starts as an encrypted connection.  Authentication is also encrypted with SSH.  On first connection, a host key is exchanged and stored on the server.  This will defeat the "man in the middle" attack.  Once authentication is valid, it connects the user to normal shell.

Firewalls

Firewalls are our first line of defense against attack.  A firewall will be able to hide all of the network computers behind it, it can refuse to answer PINGs and some will inspect network packets.  It is vitally important to always use a firewall - even at hotels.

Script Kiddies

Script kiddies are normally not highly skilled.  The common script kiddie will download a script from the internet, scan a set of IP addresses, look for SSH, Telnet, Mail, etc. connections, and then perform scripted password attacks.  The common home mail/web server gets around 1,500 attempts a day.  Some days they can receive over 5,000 attempts.

Some of the best ways to stop script kiddies is to get off Port 22, Implement IPTABLES to lockout any IP with a certain number of failed attempts for a designated number of minutes, and to disable passwords and instead use Public Private Keys and RSA Keys.

Public Private Keys are a key pair, one public and available, the other private and secure.  The public key encrypts only while the private key decrypts only.  The private key should be encrypted with a pass phrase and is used to encrypt authentication.

Server Configuration

The SSH Server Configuration file on Linux is:

/etc/ssh/sshd_config

To modify your configuration you must be in ROOT.  Uncommented options will change a default setting.

Turn on key authentication.

PubkeyAuthentication yes

Turn off passwords.

PasswordAuthentication no

Turn off direct root logons while you are at it.

PermitRootLogin no

This is also the place to change the ssh port.

Port 8000

Then restart the ssh server to

activate the changes.

[root@navdb root]# service sshd restart

Stopping sshd:[  OK  ]

Starting sshd:[  OK  ]

In conclusion, a properly set up SSH can provide a secure, protector remote login capability.  This SSH will also provide encrypted authentication and "man in the middle" protection. 

If you like Oracle tuning, you might enjoy my book "Oracle Tuning: The Definitive Reference", with 950 pages of tuning tips and scripts.  You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.