Friday, February 10, 2012

59 Open Source Tools That Can Replace Popular Security Software


Anti-Spam

1. ASSP Replaces: Barracuda Spam and Virus FirewallSpamHeroAbaca Email Protection Gateway
ASSP (short for "Anti-Spam SMTP Proxy") humbly calls itself "the absolute best SPAM fighting weapon that the world has ever known!" It works with most SMTP servers to stop spam and scan for viruses (using ClamAV). Operating System: OS Independent.

Used by more than 100,000 sites, MailScanner leverages Apache's SpamAssassin project and ClamAV to provide anti-spam and anti-virus capabilities. It's designed to sit on corporate mail gateways or ISP servers to protect end users from threats. Operating System: OS Independent.

This Apache project declares itself "the powerful #1 open-source spam filter." It uses a variety of different techniques, including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases, to filter out bulk e-mail at the mail server level. Operating System: primarily Linux and OS X, although Windows versions are available.

This group of tools uses Bayesian filters to identify spam based on keywords contained in the messages. It includes an Outlook plug-in for Windows users as well as a number of different versions that work for other e-mail clients and operating systems. Operating System: OS Independent.

Anti-Virus/Anti-Malware

5. ClamAV Replaces Avast! Linux EditionVirusScan Enterprise for Linux
Undoubtedly the most widely used open-source anti-virus solution, ClamAV quickly and effectively blocks Trojans, viruses, and other kinds malware. The site now also offers paid Windows software called "Immunet," which is powered by the same engine. Operating System: Linux.

If you're looking for a free version of Clam for Windows, this is the way to go. It's used by more than 600,000 people on a daily basis and integrates with Outlook and Windows Explorer. Note however, that it doesn't have an automatic real-time scanner—you have to click on individual files in order to scan them. Operating System: Windows.

Anti-Spyware

7. Nixory Replaces Webroot Spy SweeperSpyBot Search and DestroyAdAware
Nixory removes malicious cookies that you might have picked up while browsing the Web with Internet Explorer, Firefox or Chrome. The latest release includes a lightweight real-time scanner that deletes cookies while you surf. Operating System: OS Independent.

Application Firewall

8. AppArmor Replaces: Barracuda Web Application FirewallCitrix NetScaler Application Firewall,
Included in both openSUSE and SUSE Linux Enterprise, Novell's application firewall aims to secure Linux-based applications while lowering IT costs. Key features include reports, alerts, sub-process confinement, and more. Operating System: Linux.

The "most widely deployed WAF (Web Application Firewall) in existence," ModSecurity protects applications running on the Apache Web server. It also monitors, logs, and provides real-time analysis of Web traffic. Operating System: Windows, Linux.

Backup

10. Areca Backup Replaces: NovaBackup
Designed to be both simple and versatile, Areca lets you choose which files to back up, set up a schedule and determine what type of backup to perform (incremental, differential, full or delta). Notable features include compression, encryption, as-of-date recovery and more. Operating System: Windows, Linux.

Enterprise-ready Bacula backs up multiple systems connected to a network. Users often say that it is easier to set up than similar commercial programs, and it can write to many different types of storage media. Operating System: Windows, Linux, OS X.

The "most popular open source backup and recovery software in the world," Amanda backs up the data from more than half a million desktops and servers. In addition to the free community version, it's also available in a supported enterprise version, as an appliance or in the cloud through Zmanda. Operating System: Windows, Linux, OS X.

Partimage is particularly useful if you need to recover from a complete system crash or if you need to install multiple images across a network. It's very fast and can restore to a partition on a different system. Operating System: Linux.

Browser Add-Ons

14. Web of Trust (WOT) Replaces: McAfee SiteAdvisor Plus
Web of Trust describes itself as "the world's leading community-based, free safe surfing tool." It's very similar to SiteAdvisor, providing a traffic light-like symbol that shows you the trustworthiness of a site before you click. It works with all major browsers, including Firefox, Internet Explorer, Chrome, Safari and Opera. Operating System: Windows, Linux, OS X.

If you struggle to create and remember unique passwords for all the sites and services you use, PasswordMaker can help. With this tool, you only need to remember one master password. And unlike other password management systems, this plug-in doesn't save your passwords in a database anywhere, so it's even more difficult for someone to figure out your login credentials. Operating System: Windows, Linux, OS X.

Data Removal

16. BleachBit Replaces Easy System Cleaner
BleachBit frees up extra space on your hard drive while protecting your privacy by erasing your cookies, temporary files, history, logs and other junk. It also includes a "shredder" that completely erases all traces of files you have deleted. Operating System: Windows, Linux.

17. Eraser Replaces BCWipe Enterprise
Just because you've deleted a file doesn't mean it's actually gone from your system. Eraser thoroughly eliminates data you don't want by writing over it several times with random information. Operating System: Windows

18. Wipe Replaces BCWipe Enterprise
Very similar to Eraser, Wipe provides the same functionality for Linux users. This site also provides a little bit more technical detail about the process in case you're curious about how it works and want to drill down into the geeky details. Operating System: Linux.

Before you recycle or donate old systems, it's a good idea to delete all the data on your drives. Darik's Boot and Nuke (DBAN for short) shreds all data on any drives it can detect. Operating System: OS Independent.

Data Loss Prevention

20. OpenDLP Replaces RSA Data Loss Prevention SuiteCheckPoint DLP Software BladeSymantec Data Loss Prevention Product Family
OpenDLP scans your network and identifies sensitive data at rest on your Windows systems. In includes both a Web app, which lets system administrators or compliance officers deploy the tool and view reports, and a client, which runs inconspicuously on end users' systems. Operating System: Windows.

The creators of MyDLP strongly imply that if the U.S. government had installed their software, it could have prevented the WikiLeaks scandal. It detects and protects sensitive data from being transmitted, and it installs in just 30 minutes. Operating System: Windows, Linux, VMware.

Encryption

22. AxCrypt Replaces McAfee Anti-TheftCryptoForge
The "leading open source file encryption software for Windows," AxCrypt has been registered by more than 2.1 million users. It's particularly easy to use—simply right-click to encrypt and double-click to de-crypt. Operating System: Windows.

Based on OpenPGP, "GPG" allows users to encrypt and sign digital communication. This is a command-line version, but several other projects offer graphical implementations of the same engine (see below). Operating System: Linux.

24. GPGTools Replaces <="" a="" style="color: rgb(0, 140, 180); text-decoration: none; ">, Cypherus This is a nice version of GPG for Mac users. Operating System: OS X.

And, as you probably guessed, this is a version of GPG for Windows. This one comes with excellent documentation. Operating System: Windows.

26. PeaZip Replaces WinZip
Technically, PeaZip isn't an encryption tool; instead, like WinZip it's a compression and archiving tool. However, like WinZip, PeaZip includes encryption capability, and PeaZip reads and writes more formats than its commercial counterpart. Operating System: Windows, Linux.

Lightweight and ultra-fast, Cyrpt encrypts and decrypts Windows files with minimal fuss. In fact, you don't even have to install it on your system in order to use it. Operating System: Windows.

Like AxCrypt, NeoCrypt supports right-click encryption directly from Windows Explorer (however, it does not support Windows 7). It offers users a choice of 10 different encryption algorithms and includes batch encryption capabilities. Operating System: Windows.

"Linux Unified Key Setup" or "LUKS" provides a standard format for hard disk encryption that works on all Linux distributions. The cryptsetup project makes LUKS usable on the desktop. Operating System: Linux.

This tool creates virtual disks on your system that encrypt all data stored there. It's easy to use, and can even be run from a thumb drive. Operating System: Windows.

If you want to encrypt your entire drive or a partition of a drive (not just a few files or folders), TrueCrypt does the job for you. Its popularity continues to grow, and it has now been downloaded more than 17 million times, up from around 14 million downloads a year ago. Operating System: Windows.

 

Secure File Transfer

32. WinSCP Replaces CuteFTPFTP Commander
Downloaded more than 40 million times as of last November, WinSCP is a very popular SFTP, FTP, and SCH client. Note that it offers a file transfer client only (no server version). Operating System: Windows.

If you'd like to set up your own SFTP, FTP or FTPS file server, FileZilla makes it easy. It also offers a client version of the software . Note that while the client version works on all operating systems, the server is for Windows only. Operating System: Windows, Linux, OS X.

Forensics

34. ODESSA Replaces EnCase ForensicsX-ways ForensicsAccessData Forensic Toolkit
Although it hasn't been updated in several years, the Open Digital Evidence Search and Seizure Architecture, aka "ODESSA," offers several different tools that can be useful in analyzing digital evidence and reporting on findings. The site also offers several white papers related to the topic. Operating System: Windows, Linux, OS X.

The Sleuth Kit includes a set of digital investigation tools that run from the command line. For those that prefer a graphical interface, the Autopsy Browser provides a front-end to the tools. Operating System: Windows, Linux, OS X.

Gateway/Unified Threat Management Appliances

36. Endian Firewall Community Replaces: Check Point Security GatewaysSonicWallSymantec Web Gateway
With Endian Firewall Community, you can turn any PC into a Unified Threat Management appliance. It includes firewall, antivirus, anti-spam, content filtering and a VPN. The company also sells pre-configured appliances and supported versions of the software. Operating System: Linux.

Like Endian, Untangle offers free software that you can use to create your own multi-function Unified Threat Management appliance. Untangle also offers preconfigured appliances, as well as paid versions of the software with support and additional features. Operating System: Linux.

Designed for smaller organizations, ClearOS combines network server functionality with a gateway appliance. In addition to anti-spam, anti-virus and the other usual assortment of security software, it includes multi-WAN, groupware, database, Web server software and more. Support and additional services are available for a fee. Operating System: Linux.

NetCop describes itself as "an identity-based UTM with stateful inspection firewall, antivirus, web cache, content filter, IPS/IDS, WANLink load balancer, bandwidth limiter, anonymous proxy blocker, WiFi hotspot manager, SSL VPN manager, and much more!" It's free for up to five concurrent users or available in paid SME or Enterprise versions. Operating System: Linux.

Intrusion Detection

40. Open Source Tripwire Replaces Tripwire
Tripwire alerts IT when changes have been made to specific files connected to the network, helping them to detect intrusions. The standard version of Tripwire is no longer an open source project, but the community-developed version is based on the original project code. Operating System: Windows, Linux.

41. AFICK Replaces Tripwire
Another File Integrity Checker, or AFICK, offers very similar functionality to Tripwire. It was designed to be portable and easy-to-install. Operating System: Windows, Linux.

Network Firewalls

42. IPCop Replaces Barricuda NG FirewallCheck Point Appliances
Designed for home or home office users, IPCop turns any basic PC into a Linux-based firewall to protect your network. It can be accessed and maintained via a Web interface and includes some good documentation, so it's fairly easy to use. Operating System: Linux.

Originally designed as another Linux-based network firewall, Devil-Linux can now also serve as an application server. It can boot and run from a CD-ROM or a USB thumb drive. Operating System: Linux.

This IPtables firewall also lets you create your own network firewall from an existing PC. To set it up, you can either edit an XML document directly or use an easy Web-based interface. Operating System: Linux.

Also known as "Shoreline Firewall," Shorewall provides a tool for configuring Netfilter. You can use it to create your own network firewall or gateway appliance or to protect a standalone Linux system. Operating System: Linux.
46. Vuurmuur Replaces Barricuda NG Firewall
This iptables-based firewall can be used to create simple or very complex firewall configurations. Key features include remote administration via SSH, traffic shaping and powerful monitoring capabilities. Operating System: Linux.

Like most of the other apps in this category, m0n0wall allows you to create your own firewall, but unlike most of the other firewalls here, this one runs on FreeBSD, not Linux. It occupies just 12MB and can be loaded from a compact flash card or a CD. Operating System: FreeBSD.

This project is a fork of m0n0wall. While m0n0wall was created to be used on embedded hardware, pfSense was designed to make it easier to use on a full PC. It's been downloaded more than 1 million times and protects networks of all sizes from home users to large corporations. Operating System: FreeBSD.

49. Vyatta Replaces Cisco products
Vyatta actively markets its products as an alternative to Cisco, and even offers a comparison chart on its site. The "core" open source software can be used to create your own firewall/networking appliances, or you can purchase supported versions of the software or pre-built hardware appliances. Operating System: Linux.

Network Monitoring

50. Wireshark Replaces: OmniPeekCommView
The self-proclaimed "world's foremost network protocol analyzer," Wireshark has won quite a few awards and become a standard in the industry. It allows users to capture and view the traffic on their networks. Operating System: Windows, Linux, OS X.

51. tcpdump/libpcap Replaces: OmniPeekCommView,
These command line tools provide packet capture (libpcap) and analysis (tcpdump) capabilities. It's a powerful tool, but not particularly user-friendly. Operating System: Linux.

52. WinDump Replaces: OmniPeekCommView
WinDump ports the tcpdump tools so they can be used on Windows systems. The project is managed by the same company that owns Wireshark. Operating System: Windows.

Password Crackers

53. Ophcrack Replaces Access Data Password Recovery ToolkitPassware
For those occasions when passwords can't be recovered any other way, Ophcrack can help systems administrators figure out lost passwords. It uses the rainbow tables method to crack passwords, and it can run directly from a CD. Operating System: Windows.

John the Ripper excels at cracking weak Unix passwords. To use it, you'll need a list of commonly used passwords. You can buy password lists or enhanced versions of the software from the site. Operating System: Windows, Linux, OS X.

Password Management

55. KeePass Password Safe Replaces Kaspersky Password Manager
Instead of struggling to remember dozens of different passwords or, even worse, using the same password all the time, you can remember just one master password while KeePass stores the rest in a secure database. It's lightweight and easy-to-use, so it won't slow you down. Operating System: Windows.

Originally, this project ported KeePass so that it could be used with Linux. Now, it supports multiple operating systems and adds a few features not in the original KeePass. Operating System: Windows, Linux, OS X.

Password Safe offers the same functionality as KeePass, plus you can create multiple databases for different types of passwords or different people who use the same system. It's also available in a thumb-drive version for a fee. Operating System: Windows.

User Authentication

58. WiKID Replaces Entrust IdentityGuardVasco DigipassRSA's SecurID
Designed to be less-expensive than solutions that require hardware tokens, WiKID uses software tokens to provide two-factor authentication. In addition to the free community version, it's also available in an enterprise version that's priced per user. Operating System: OS Independent.

Web Filtering

59. DansGuardian Replaces McAfee Family Protection NetNannyCyberPatrol
DansGuardian runs on a Linux or OS X server to block objectionable content from any PC connected to the network (including Windows PCs). It uses URL and domain filtering, content phrase filtering, PICS filtering, MIME filtering, file extension filtering and POST limiting to block pornography and other content that you don't want your children or employees accessing. Operating System: Linux, OS X. 
By at
Labels:

Using User Authentication in virtual host (.htpasswd)

# cd /home/myhome

# htpasswd -c .htpasswd user1
# htpasswd .htaccess user2
# cat .htaccess
user1:J7BhPKjbKUJ6I
user2:j8b9aZmd.DGFw
# chmod 644 .htaccess

# vi /etc/httpd/conf/httpd.conf
.
.
.

NameVirtualHost *:443


    DocumentRoot /home/myhome/www
    ServerName hostname.yourdomain.com
    ErrorLog logs/hostname.yourdomain.com-error_log
    CustomLog logs/hostname.yourdomain.com-access_log common

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/your.crt
    SSLCertificateKeyFile /etc/pki/tls/private/your.key

   
        AuthUserFile /home/myhome/.htpasswd
        AuthGroupFile /dev/null
        AuthName "My Private Directory"
        AuthType Basic
       
            require valid-user
       
   


# service httpd restart
By at
Labels:

Six Top Screen Capture Tools for Linux

Basic screenshot software is really handy to have on hand, even if you don't use it often. If you rely on screengrab tools often, however, you know how important it is to have software with lots of tools and features. No matter what your screen capture software needs are, you're sure to find something you like in this list of the top six open source options.

recordMyDesktop - Here's a desktop session recorder written in C and with a choice of two front ends -- pyGtk and pyQt4. Besides screen capture, this tool will also record just audio through ALSA, OSS, or the JACK audio server. If you need to produce files in multiple formats, then skip this app because your only options with recordMyDesktop are theora for video and vorbis for audio, using the ogg container.

ZScreen - This Windows-only screen capture app has tons of features. It grabs a shot of the active window, a selected window, or the entire screen. Once you've got the image, automatically open it in your image editor or upload it to Twitpic, YFrog, Flickr, or one of several other supported services. ZScreen caches all your images, even ones on the clipboard, so there's always a history of your screenshots right at your fingertips.

Wink - This free tool isn't open source but it does work reliably on Linux. You can capture screenshots or use pre-made images in one of several formats. Wink supports many different output formats as well, including Macromedia Flash, Standalone EXE, PDF, PostScript or HTML. Wink will also capture screenshots automatically based on mouse and keyboard gestures, which is a great feature to have if you take a lot of screengrabs.

Shutter - Use Shutter to take a timed or instant screenshot of your entire desktop, a single window, or a particular area of your screen. You can even dispatch it onto the Internet to take a snapshot of a Web site and bring you back the results.Once you have the shot you need, use the highlighting tool to call attention to certain areas of the image or the pencil to draw freehand. Spotlight any section of your screenshot with arrows, circles, boxes, ovals, or shading.

xvidcap - This tool captures movement on an X11 display, either a single frame at a time or in the form of an MPEG video. Unlike some screen capture apps, this one will capture the specific shape your mouse pointer if the Xfixes extension is installed. If not, xvidcap will simply record using the default mouse shape.

Greenshot - Here's an app that the developers say is "optimized for productivity." It will capture a shot of a single window, a region of the screen, or a full screenshot, then export it in one of several image formats. Once you've got your shot, use the built-in editing tools to apply text and shapes to it before saving.

By at
Labels:

How to install source rpm (src.rpm)

1. Download .src.rpm

2. Install
rpm -ivh package.src.rpm

3. Go to SPECS dir
cd /usr/src/redhat/SPEC (or cd ~/rpmbuild/SPECS)

Note. If you can't find SPECS dir, install rpm with -ivvh then you can see where .spec located

4. build binary package only from
rpm -bb package.spec

5. Install .rpm
rpm -Uvh package.rpm
By at
Labels:

Dropbox setting for Fedora

1. Turning off SELinux

echo 0 > /selinux/enforce

* Completely turning off SELinux
vi /etc/selinux/config
SELINUX=disabled


2. Create repo

vi /etc/yum.repos.d/dropbox.repo
-----------------------------------------
[Dropbox]
name=Dropbox Repository
baseurl=http://linux.dropbox.com/fedora/$releasever/
gpgkey=http://linux.dropbox.com/fedora/rpm-public-key.asc
-----------------------------------------


3. install dropbox

yum install nautilus-dropbox -y


4. To install daemon, run:

dropbox start -i


5. Your dropbox folder is ~/Dropbox
By at
Labels:

Dynamic Content with CGI


1. Edit httpd.conf

vi /etc/httpd/conf/httpd.conf
-------------------------------
AddHandler cgi-script .cgi .pl 


        ...
        ...
    ScriptAlias /cgi-bin/ /home/user/www.yourdomain.com/cgi-bin/
-------------------------------


2. Restart httpd

service httpd restart


3. Create a perl script

cd /home/user/www.yourdomain.com/cgi-bin/
vi hello.pl
-------------------------------
#!/usr/bin/perl
print "Content-type: text/html\r\n\r\n";
print "Hello, World.";
-------------------------------
chmod +x hello.pl


4. Test with web browser

http://www.yourdomain.com/cgi-bin/hello.pl
By at
Labels:

Advanced SSH security tips and tricks


The SSH server configuration file is located in /etc/ssh/sshd_conf. You need to restart the SSH service after every change you make to that file in order for changes to take effect.

Change SSH listening port

By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It's wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don't scan high ports.

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number and restart the SSH service:

/etc/init.d/ssh restart

Allow only SSH protocol 2

There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issuesincluding man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:

Protocol 2,1

Change the line so it says only protocol 2.

Allow only specific users to log in via SSH

You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it's in the wheel group, so that you can switch to superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let's say I want to allow users anze, dasa, and kimy to log in via SSH. At the end of sshd_config file I would add a line like this:

AllowUsers anze dasa kimy

Create a custom SSH banner

If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *
*****************************************************************

When done editing, save the file. In the sshd_conf file, find a line that says:

#Banner /etc/issue.net

Uncomment the line and change the path to your custom SSH banner text file.

Using DSA public key authentication

Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having a DSA public keys authentication enabled makes your system bulletproof against dictionary attacks, because you don't need a login name and password to log in into SSH service. Instead, you need a pair of DSA keys -- one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.

In this example the private machine (from which I will connect to the server) is station1 and the server machine is server1. On both machines I have the same home folder; this won't work if the home folders are different on client and server machine. First you need to create a pair of keys on your private machine with the command ~$ ssh-keygen -t dsa. You'll be prompted for a pass-phrase for your private key, but you can leave it blank because this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in .ssh/id_dsa.pub.

Next, copy the contents of ~/.ssh/id_dsa.pub to server1 into the ~/.ssh/authorized_keys file. The content of ~/.ssh/id_dsa.pub file should look something like this:

~$ cat .ssh/id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAM7K7vkK5C90RsvOhiHDUROvYbNgr7YEqtrdfFCUVwMWcJYDusNG
AIC0oZkBWLnmDu+y6ZOjNPOTtPnpEX0kRoH79maX8NZbBD4aUV91lbG7z604ZTdrLZVSFhCI/Fm4yROH
Ge0FO7FV4lGCUIlqa55+QP9Vvco7qyBdIpDuNV0LAAAAFQC/9ILjqII7nM7aKxIBPDrQwKNyPQAAAIEA
q+OJC8+OYIOeXcW8qcB6LDIBXJV0UT0rrUtFVo1BN39cAWz5puFe7eplmr6t7Ljl7JdkfEA5De0k3WDs
9/rD1tJ6UfqSRc2qPzbn0p0j89LPIjdMMSISQqaKO4m2fO2VJcgCWvsghIoD0AMRC7ngIe6btaNIhBbq
ri10RGL5gh4AAACAJj1/rV7iktOYuVyqV3BAz3JHoaf+H/dUDtX+wuTuJpl+tfDf61rbWOqrARuHFRF0
Tu/Rx4oOZzadLQovafqrDnU/No0Zge+WVXdd4ol1YmUlRkqp8vc20ws5mLVP34fST1amc0YNeBp28EQi
0xPEFUD0IXzZtXtHVLziA1/NuzY= anze@station1.example.com

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:

~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_conf file to use the DSA keys authentication. Make sure you have the following three lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.

If you would like to use DSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:

PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:

Permission denied (publickey).

Using TCP wrappers to allow only specific hosts to connect

This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don't want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper. I will make a rule to allow only hosts on my local subnet 192.168.1.0/24 and remote host 193.180.177.13 to connect to my SSH service.

By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. I'll create a rule like this in /etc/hosts.deny:

sshd: ALL

This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.

Next, create a rule in /etc/hosts.allow to allow only specific hosts (as defined earlier) to use the SSH service:

sshd: 192.168.1 193.180.177.13

Now only hosts from the 192.168.1.0/24 network and the 193.180.177.13 host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:
ssh_exchange_identification: Connection closed by remote host

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT

And make sure no one else has access to SSH service:

~# iptables -A INPUT -p tcp --dport 22 -j DROP

Save your new rules and you're all done.

SSH time-lock tricks

You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP

Conclusion

These features are not hard to configure, but they are very powerful techniques for securing your SSH service. It's a small price to pay for a good night's sleep.
By at
Labels:
Subscribe to: Posts (Atom)