Configure the sshd server to disable password login and enable keys.
First, we need to generate a pair of keys (the -f option names the key file used in the next step):
ssh-keygen -v -t rsa -b 2048 -f /home/buddy/.ssh/buddy_rsa
and then
cat /home/buddy/.ssh/buddy_rsa.pub >> /home/buddy/.ssh/authorized_keys
(>> appends, so any keys already in authorized_keys are kept; a single > would overwrite them.)
Editing the config file /etc/ssh/sshd_config
Log in to the remote server using the password, so that we can configure the sshd server to disable password login and enable keys.
And then edit…
PermitRootLogin no
#Disable Login password
#PasswordAuthentication no
ChallengeResponseAuthentication no
#Allow forwarding yes
AllowTcpForwarding no
# Uncomment the ‘PasswordAuthentication no’ line only after making sure that key authentication is working properly.
# Disabling root login is recommended anyway, though it adds little once password login is disabled.
# Allowing forwarding is not recommended in a multi-user hosting environment, where keys could be exposed. We should only allow it if we intend to forward keys from server to server while keeping all our keys on the local machine.
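As an added example (not part of the original notes), a small Python audit of an sshd_config against the directives above; it assumes the config file has already been read into a string, and it also checks the Port directive covered later on this page. The sample config is constructed here, and the audit flags a trailing comment on the Port line, which sshd rejects as garbage at the end of the line.

```python
import re
# Directives this page sets for a key-only sshd (lower-case: sshd keywords are case-insensitive).
RECOMMENDED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "challengeresponseauthentication": "no",
    "allowtcpforwarding": "no",
}

def parse_sshd_config(text):
    """Global {keyword: value} of an sshd_config, following sshd's own rules:
    '#' comments only at line start, key/value split on whitespace or '=', the FIRST
    occurrence of a keyword wins, and lines after a 'Match' are conditional (skipped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """List deviations from this page's advice; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    port = cfg.get("port", "22")
    if not port.isdigit():  # e.g. 'Port 2345 #Change me': sshd does not allow trailing text
        findings.append(f"Port value '{port}' is invalid: sshd does not allow trailing comments")
    elif port == "22":
        findings.append("Port is the default 22")
    return findings

# Constructed sample: the page's directives as first written, password line still commented out.
SAMPLE_BEFORE = """\
Port 2345 #Change me
PermitRootLogin no
#PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
"""
```

Run audit() on the text of /etc/ssh/sshd_config before restarting sshd; it reports the still-commented PasswordAuthentication line and the invalid Port line for the sample above.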
SELinux Access Control
SELinux has 3 forms of access control:
Type Enforcement (TE): the primary mechanism of access control used in the targeted policy.
Role-Based Access Control (RBAC): based around SELinux users (not necessarily the same as the Linux user), but not used in the default targeted policy.
Multi-Level Security (MLS): not used, and often hidden, in the default targeted policy.
SSH tunnel for Mysql
This will open a tunnel listening on localhost:3308 and forwarding everything, through the SSH server, to yourdomain.com:3306 (the destination is resolved on the server side, so it could also be localhost:3306 if MySQL only listens locally):
ssh -L 3308:yourdomain.com:3306 username@yourdomain.com
And then
mysql -u username -p -h 127.0.0.1 -P 3308 databasename
iptables limit module
Using the iptables limit module to limit the number of new connections to the ssh port to 3 per minute:
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP
The first line will accept new connections on port 22 provided that IP address hasn’t made more than 3 connection attempts in the last minute. If more than 3 connection attempts have been made within the last minute, then the second line will DROP the connection.
Use a Non-Standard SSH Port
By default, ssh listens for incoming connections on port 22. A hacker trying to find out whether ssh is running on your machine will most likely scan port 22. An effective method is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. Many people choose 2222 as an alternative port (as it’s easy to remember), just as 8080 is often known as the alternative HTTP port. For this very reason, it’s probably not the best choice, as any hacker scanning port 22 will likely also scan port 2222 just for good measure. It’s better to pick some random high port that’s not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file:
# Run ssh on a non-standard port (change 2345 to the port you picked; sshd does not allow a comment after the value on the same line):
Port 2345
and restart the sshd service. Don’t forget to then make any necessary changes to port forwarding in your router and any applicable firewall rules.
Because ssh is no longer listening for connections on the standard port, you will need to tell your client what port to connect on. Using the ssh client from the command line, we may specify the port using the -p switch: