Open main menu

CDOT Wiki β

Changes

OPS235 Lab 7 - Fedora17

102 bytes added, 11:39, 18 March 2011
no edit summary
{{Admon/tip | Tip! | Making your root password (and all other accounts!) both quite complex but easy to remember is not hard. Passwords should be a minimum of 8 characters long, preferably longer, contain upper and lower case letters, numbers, and special characters. A good example of a strong password might be "LotR3--RotK." This is not that hard to remember as it corresponds to a book title. "Lord of the Rings 3 Return of the King." The password "P@ssw0rd!" is not as good because it is quite obvious and common.}}
* # Think of a good quality password and change your root passwords on all 3 VM's to be more secure. (It would be a good idea to do this for non-root accounts also)* # The next change you can make is to prevent the root account from logging in to sshd altogether. * # Edit the file <code>/etc/ssh/sshd_config</code> and look for the option <code>PermitRootLogin</code>. Uncomment the option and change it to <code>"no"</code>.* # Even better it is possible to restrict access to just specific users that require it. * # Edit the file <code>/etc/ssh/sshd_config</code> and add a new option of <code>"AllowUsers account"</code> using your login account for account.* # In order for these changes to be effective , issue the following command to restart the sshd service.** :<br /><code>service sshd restart</code>* # Now any hacking attempt also has to guess an account name as well as the password. If you need to ssh with root access, ssh as a regular user and use <code>su -</code> to become root.* # Next change the default port number that sshd uses (TCP:22). * # Edit the sshd configuration file again and change the port number it uses to 2200. * # Restart the service. * # Confirm the new port is being used with a <code>netstat</code> command.* # Before we can use this new port we must change our firewall to allow traffic through the new port number and block access to port 22.** :<br /><code>iptables -I INPUT -p tcp -s0/0 --dport 22 -j DROP</code>** <br /><code>iptables -I INPUT -p tcp -s0/0 --dport 2200 -j ACCEPT</code>* # To test the new port connect to fedora1 from fedora2 using the following command:** <br /><code>ssh -p 2200 user@fedora1</code>
{{Admon/tip | Tip! | For scp access the option to be used is: <code>scp -P 2200</code>}}
{{Admon/tip | Tip! | For more ideas on making sshd more secure consult the HOW-TO link above.}}
* <ol><li value="14">Finally as a system administrator you should periodically monitor your system logs for unauthorized login attempts.</li>* <li>On Fedora systems the log file that is used is <code>/var/log/secure</code> </li> * <li>It also logs all uses of the <code>su</code> and <code>sudo</code> commands.</li>* <li>Attempt to connect to all of your VM's as root and other users using both public key and password authentication. Use some su and sudo commands also. </li>* <li>Inspect the log to see what kind of information is logged.</li>* <li>Answer the Investigation 7 question in your lab log book.</li></ol>
== Completing the lab ==
13,420
edits