At Unixlore.net, Doug Maxwell has a couple of new posts out today on SSH security:
* Actually an update and expansion of his April 19, 2006 post.
Another good read:
Over the weekends, I spend some of my time tinkering with my servers, especially my virtual private server (VPS) instance on Linode. Given the recent attacks on them, I’ve been spending more time on improving my own server security.
I’ve had my own Linode server since March 2009. Until this point, I’ve done *nix systems administration work on my own boxes at home. At work, I mostly relied on the sysadmins. I didn’t have to focus hard on security either at home or at work. I would make sure my systems were patched, take basic security precautions in my coding, and avoid making the obviously stupid mistakes. At home, I made sure my firewall locked down everything I didn’t need opened. I didn’t run a web server or enable ssh in. I still don’t, and this is mostly a matter of convenience and priorities. I will need to put the time into getting the pieces in place so that I’m confident attackers are going to have a really hard time breaking into my home LAN.
Having a server out on the Internet changed my attitude tremendously. Keeping my shiny new VPS protected from the botnets and baddies on the Internet would be up to me, and only me. I knew I needed to establish some baseline of security, or I would get hacked in short order. I read up on what I felt I needed and locked down my Linode instance. I disabled root ssh, set up iptables rules, installed fail2ban, etc.
I monitored the logs religiously. About a week after the server went online, I got a trickle, then a stream of attack attempts, mostly on port 22. So I moved the port to block that stream of attacks and set iptables to block that port. I finally disabled PAM, but haven’t found a need to move SSH back to port 22 yet.
So, what’s my point? My point is that I’m not a security expert. Through necessity I started learning more about systems security. By maintaining my server and continually learning more about systems administration and systems and network security, I have become much more security conscious. This in turn has made me a better software developer.
Today, everything is networked and everything is a potential point of attack. As software developers, we no longer have the luxury of ignoring security.