SSH Brute Force Dictionary Attack

Posted: November 4th, 2005 | Filed under: Linux, Security

I’ve been noticing a lot of attempted brute force attacks on port 22 (SSH) – undoubtedly from script kiddies. Many times, out of curiosity, I reverse DNS the IP and find a business website (usually in Korea or China) on the other end. I am sure these businesses have no idea their website has been hacked (probably on port 22) and is being used as a base of operations for bots that scour the net for other brute force attacks.

It is highly unlikely that these scripts, running through the most common username/password combos found on servers, would break into my server. I have good strong passwords not based on a dictionary word and have disabled root logins for SSH. However, why even give them the chance? A little searching on the internet and a little firewall knowledge a la IPTABLES produces the following firewall rules:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

These rules drop new connections on port 22 (SSH) from any address that has attempted to log on more than 4 times in 60 seconds. Of course, once hackers figure this out, they can limit their connection attempts to only three per minute — but I will have new rules waiting when that happens.
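
As an added illustration (not code from the original post), the shell function below models how the two rules treat NEW connections from a single source address. It assumes the order that two -I inserts produce (the --update rule ahead of the --set rule) and that dropped attempts are recorded as well; simulate_recent is a name chosen for this example.

```shell
#!/bin/sh
# Added example: simplified model of the rule pair for ONE source address.
# Each NEW connection is evaluated in this order:
#   1. --update --seconds 60 --hitcount 4: if the source already has at
#      least 4 recorded stamps within the last 60 s, record this attempt
#      and DROP it.
#   2. --set: otherwise record the attempt and let it continue.
# Arguments: connection times in seconds. Prints one verdict per connection.
# (The real module caps the stamps kept per address; this model keeps all.)
simulate_recent() {
    window=60
    hitcount=4
    stamps=""      # timestamps recorded for this source so far
    verdicts=""
    for now in "$@"; do
        hits=0
        for s in $stamps; do
            if [ $((now - s)) -le "$window" ]; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge "$hitcount" ]; then
            verdicts="$verdicts DROP"
        else
            verdicts="$verdicts PASS"
        fi
        stamps="$stamps $now"   # both paths record the new stamp
    done
    echo "${verdicts# }"
}

# Constructed timelines:
simulate_recent 0 1 2 3 4 70                   # burst, then a pause over 60 s
simulate_recent 0 1 2 3 10 20 30 40 50 60 70   # keeps retrying every 10 s
```

A client that trips the limit and keeps retrying stays blocked, because every dropped attempt refreshes its entry; it has to stay quiet for the full 60 seconds before a new connection is accepted.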

Protect yourself by ensuring your passwords are strong, disabling root SSH logins, and adding these firewall rules to your server.

To disable root logins for SSH, edit your /etc/ssh/sshd_config file and find the section labeled #Authentication:. There you will find the option #PermitRootLogin yes – change this line to read:

PermitRootLogin no

Then restart your SSH daemon by issuing the command: /etc/init.d/sshd restart.
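
To confirm the edit took effect, the following added example (not part of the original post) reports the global PermitRootLogin value a config file sets. The function name root_login_setting and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value a config file sets.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and "#" lines are comments. Lines after a Match line are
# conditional, so this check only covers the global section before it.
# Reads the file named in $1, or standard input when no file is given.
root_login_setting() {
    awk '
        /^[ \t]*(#|$)/                    { next }   # comment or blank line
        tolower($1) == "match"            { exit }   # end of global section
        tolower($1) == "permitrootlogin"  { print $2; found = 1; exit }
        END { if (!found) print "unset" }             # built-in default applies
    ' "${1:--}"
}

# Constructed sample configs (not from a real host), fed on stdin.
# 1. The "#" was left in place: the directive is still a comment.
printf '%s\n' '# Authentication:' '#PermitRootLogin yes' | root_login_setting
# 2. A later "no" does not override an earlier "yes".
printf '%s\n' 'PermitRootLogin yes' 'permitrootlogin no' | root_login_setting
# 3. The edit described above, done correctly.
printf '%s\n' '# Authentication:' 'PermitRootLogin no' | root_login_setting

# On a live host, `sshd -t` checks the file for errors and `sshd -T` prints
# the effective settings (both normally need root).
```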


Building an embedded linux Radius appliance – Part 1

Posted: November 3rd, 2005 | Filed under: Linux

I decided to begin doing research on a project that I have been mulling over in my head for nearly a year now. The concept was simple enough: With WiFi hotspots as prominent as they are now, their popularity will certainly rise along with the need for WiFi hotspot owners to control access.

One of the first steps I decided was necessary was to find out whether prefab hardware was available to provide a small footprint. There’s no sense creating an appliance that has an ATX motherboard with dual NICs running Linux – that’s a computer. I wanted a sleek, slim, to the point appliance that a cafe owner could plug in and go – not a big bulky computer generating more noise and heat.

What, you may ask, is a Radius server? A Radius server is an authentication server that ensures a user name and password match up. The Radius server also stores various options such as time limits, bandwidth limits, etc. that it can pass back to other services after authentication. Authentication is achieved through a standard user name and password (CHAP), or more advanced methods of authentication such as EAP.

Why would cafe owners possibly be interested in something like this? Imagine you offer free wireless at your cafe. Within a few months of opening you are pleased to see your shop is filled to the brim (no pun intended). However, for as busy as you seem — the profits are not there. What’s going on? Simple – leechers. People will sit themselves down, spread out on a table, pull out the laptop and a cell phone and basically use your cafe as a “portable” office for six hours a day.

How would this Radius device work within the confines of the cafe? After a purchase of an item – a coffee, a bagel, or whatever – the receipt number would be entered into the system by an employee and remain valid for “X” hours. The customer takes his/her receipt back to their table, powers on their laptop and enters the receipt number into the web page that appears.

Radius Diagram

After a bit of searching, I found the perfect device that even has two Mini-PCI slots at http://www.mini-box.com/s.nl/sc.8/category.19/it.A/id.281/.f. The site even sells cases designed around the footprint of the board as well as the necessary power adapters. All-in-all, a cool $180 will suffice. Because the motherboard has no IDE connections, I will have to delve into embedded linux land using a Compact Flash card.

I came up with the following outline for this project:

  • Small footprint – 256MB to 512MB
  • Bootable without need for configuration – “Plug & Play”
  • Custom configuration can be achieved through a user friendly web interface
  • Strong Firewall options

While I wait for the ordered WRAP.1E board to arrive, I will build a prototype machine to test the functionality of the software.

See you in a few days!


Fedora Core 4 on Laptops

Posted: October 29th, 2005 | Filed under: Linux

Getting the Fedora Core installation program to work on a laptop may result in a garbled display. However, by simply adding a few command line boot options, you can avoid this and continue with the installation as normal.

When you boot from the Fedora Core CD or DVD, you are prompted with the following:
  boot:
By adding the option nofb at this prompt, you should be able to complete the installation procedure.