Tuesday, February 28, 2006

Security Updates

Having had much more free time recently (or at least not being at work), I've had time to review my network security. What started out as annoyance at looking at /var/log/secure daily and seeing multiple attempts to access my system via brute-force ssh, combined with an interest in learning a few new skills, turned into something of an obsession with locking down just about every application and service I could find.

It all started with my log files. Day after day, my host on the LAN which had ssh forwarded to it was logging numerous failed attempts from all over the world to log in, and I was not alone; reports of the same brute-force activity are all over the internet. Initially it didn't seem very worrying as the usernames sent were all of the type root, apache, mysql, admin and I had only allowed myself to log in via ssh in the config file. Later though I noticed all sorts of other names being sent, so it was inevitable that mine would be used at some point, and sometimes the same IP address would be logged several hundred times in just one day. I was reluctant to disable the forwarding rule on my firewall at this time as I was finding remote access too useful. My first counter-measure was denyhosts, a script which runs as a cronjob searching the logfiles for repeated failed login attempts (you can set the threshold) then adding these IP addresses to /etc/hosts.deny. This did indeed work as my steadily growing hosts.deny file proved, but the attacks continued and I still felt uneasy. What if someone got lucky between runs of the cronjob? Next on the list of defenses was public-key access. Yes, I admit that I was still using a username/password combination; I'd simply never got around to understanding how to apply public-key crypto to ssh. I'm not going to explain here either as there are many excellent guides already on the internet such as Steve Friedl's here.
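As an added illustration (not code from the original post or from the denyhosts project), this is the core of what such a cron script does: scan sshd failure lines from a /var/log/secure-style log, count them per source address, and emit /etc/hosts.deny entries once a threshold is reached. The log lines, addresses, usernames and hostname below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure sshd messages;
# the IPs, usernames and hostname are made up for this example.
SAMPLE_LOG = """\
Feb 27 03:14:01 gw sshd[2101]: Failed password for illegal user admin from 203.0.113.7 port 4411 ssh2
Feb 27 03:14:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 4412 ssh2
Feb 27 03:14:05 gw sshd[2105]: Failed password for illegal user apache from 203.0.113.7 port 4413 ssh2
Feb 27 03:14:07 gw sshd[2107]: Failed password for illegal user mysql from 203.0.113.7 port 4414 ssh2
Feb 27 08:02:11 gw sshd[2310]: Failed password for me from 198.51.100.23 port 51022 ssh2
Feb 27 08:02:20 gw sshd[2312]: Accepted publickey for me from 198.51.100.23 port 51023 ssh2
Feb 27 09:30:00 gw sshd[2400]: Failed password for illegal user test from 192.0.2.45 port 3333 ssh2
Feb 27 09:30:01 gw sshd[2402]: Failed password for illegal user guest from 192.0.2.45 port 3334 ssh2
Feb 27 09:30:02 gw sshd[2404]: Failed password for illegal user oracle from 192.0.2.45 port 3335 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording of OpenSSH.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

def count_failures(log_text):
    """Return {ip: Counter(username -> attempts)} for every failed sshd password attempt."""
    failures = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        user, ip = m.groups()
        failures.setdefault(ip, Counter())[user] += 1
    return failures

def offenders(log_text, threshold):
    """IPs with at least `threshold` failed attempts, most active first."""
    per_ip = {ip: sum(c.values()) for ip, c in count_failures(log_text).items()}
    return sorted((ip for ip, n in per_ip.items() if n >= threshold),
                  key=lambda ip: per_ip[ip], reverse=True)

def hosts_deny_lines(log_text, threshold, existing=()):
    """TCP-wrappers entries to append to /etc/hosts.deny, skipping ones already present."""
    existing = set(existing)
    return [f"sshd: {ip}" for ip in offenders(log_text, threshold)
            if f"sshd: {ip}" not in existing]

if __name__ == "__main__":
    # Real cron use would read /var/log/secure and the current hosts.deny instead.
    for entry in hosts_deny_lines(SAMPLE_LOG, threshold=3):
        print(entry)
```

A single legitimate typo from 198.51.100.23 stays under the threshold, while the two scanning hosts are listed; the gap between cron runs that the post worries about is exactly what the later move to key-only access and the VPN closes.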

At about the same time I discovered openvpn, an SSL site-to-site VPN which supports most flavours of Linux/Unix as well as Mac and Windows. Even better, it's released under the GPL. Unlike many 'SSL' VPNs you may have seen/heard about which are just web front ends to applications, openvpn is a true network level (OSI 2/3) VPN solution which, while using the proven security of openssl, avoids the complexity and problems of ipsec. Once you've got your head around generating and deploying the certificates it really is so easy to set up, with easy to read config files only a few lines long for the most simple configurations (the openvpn website has a lot of good documentation/examples and a quick start guide). You may have guessed by now that I really like it :) - Anyway, I started thinking - why use ssh when I've got openvpn which is at least as secure now (probably more so) and which also gives me access to my entire network remotely?

So now ssh forwarding is turned off on my firewall and I use openvpn for remote access. There is still loads that I haven't mentioned yet like clamav, WPA, rkhunter, truecrypt. I'll have to write part 2 later.....
