Re: Hardening CentOS

I recommend closing as much ports as possible.
E.g.: If you need to ssh to the machine, allow port 22 only from known, trusted IPs and subnets.

There are so many things you have to pay attention to, like patch management etc. that it would be best to use the NSA hardening guide or things like that.


Relevant Pages

  • Re: sshd brute force attempts?
    ... I think you misunderstood what I meant by public service, or maybe it wasn't clear: By a public service I mean a service available for anyone, even anonymously: You're not going to register the world to let people send mail to your server, require authentication to send mail from your server). ... If this is stored on a usb-stick the user carries with him, or only on systems that require local authentication first, then I think you're better off than password based ssh. ... Cracklib is in ports and easy to build -- FreeBSD could use a) an option in make.conf to prevent passwd from getting built on a buildworld and b) the patched passwd/yppasswd tree in ports. ... I don't assume that level of savvy. ...
  • Re: Prot Forwarding
    ... Al's SSH method would be the best. ... configure the remote control programs to use different ports on each ... that let you configure the ports in use. ... > Personally I use a Secure Shell tunnel to access multiple XP Pro ...
  • Re: hacked?
    ... So I ssh'd in and did a netstat and saw what looked like an unwanted SSH connection... ... On the local host type nmap -sV localhost -p 1-65535 to see what ports respond and which apps/services. ...
  • Re: [SLE] Security, ssh/vpn into a network
    ... "My server is running several services, ... outside are http and ssh. ... Again, ports 5900 is not open to the outside, neither is any of the ... not being forwarded on the firewall but through the ssh tunnel. ...
  • SUMMARY: All ports in use, but I dont think they are
    ... Some let me do X forwarding, ... I have restarted ssh several times, ... > timeout on Solaris 9 boxes is 4 minutes, but I see no ports in TIME_WAIT ... My thanks to many many folks on both the sunmanagers and secureshell lists ...