Need some security advice

digilink (Gawd; joined Jul 27, 2002; 566 messages)
I have recently bought a new server for home use running Gentoo Linux. I was scanning the logs today and was horrified when I saw how many people have been trying to break into my box. I don't believe anyone was successful (I think), but I really need to put some security measures in place.

I started off by closing the box off to the outside world until I can figure out the best security scheme to keep these bastards out of my box. I changed the default port in sshd_config to a different port number, and I would like to use a different authentication method other than user/password, but wasn't sure if such a solution exists. I remember vaguely reading about smart card auth, but that wouldn't be the best solution for me.

Can someone tell me if I can use a different authentication method other than username/password? (I'd like to disable it altogether.) Also, I would like a shell script or program that will scan my log files and notice any discrepancies; if it finds any, it sends me an email and bans the IP address of the offender. This is the first real Linux box I have had, and I have never had any experience with break-ins or securing my box. I do run a firewall; however, I need access to this box from the outside world when I am not home. If any of you security gurus could give me some tips, I would greatly appreciate it. :)
 
ExamLog will give you the power to define how you want to parse through your logs but it requires Postgres database.

http://examlog.sourceforge.net/index.php

Syslog.org has several categories of syslog tools that you can browse through to see what meets your needs.

http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml

There is nothing wrong with keeping your authentication mechanism as the standard username/password combination. What you do want to do is disallow someone from trying to brute-force those combos. Depending upon the variant of SSH, you should look at configuring the service to automatically block anyone who attempts more than a certain number of connections in a given period of time.

In general, you should use something like iptables to protect your system. There is a decent GUI for it at http://www.fwbuilder.org. As usual, do some reading first before jumping in.
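The two things this reply suggests, a connection-rate limit and an automatic ban of sources that keep failing, can both be done with iptables and a short log scan. The script below is an added example written for this thread, not code from the poster or from any of the tools linked above. The log lines are constructed in OpenSSH's format, the SSH port 2222 and the mail recipient are assumptions, and every privileged command is only echoed until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread): find SSH brute-force sources in the
# auth log, block them with iptables and send a mail. Runs dry by default.

# Constructed sample auth-log lines in OpenSSH's format (not real log data).
SAMPLE_LOG='Mar  3 02:11:07 homebox sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 4312 ssh2
Mar  3 02:11:09 homebox sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 4315 ssh2
Mar  3 02:11:12 homebox sshd[4125]: Failed password for root from 203.0.113.7 port 4320 ssh2
Mar  3 02:11:40 homebox sshd[4130]: Failed password for digilink from 198.51.100.20 port 51022 ssh2
Mar  3 02:11:45 homebox sshd[4130]: Accepted publickey for digilink from 198.51.100.20 port 51022 ssh2
Mar  3 02:12:01 homebox sshd[4140]: Failed password for invalid user test from 203.0.113.7 port 4330 ssh2'

SSH_PORT=${SSH_PORT:-2222}   # assumed: the post only says the port was changed
DRY_RUN=${DRY_RUN:-1}        # set DRY_RUN=0 to really run iptables and mail

# Echo privileged commands in dry-run mode, execute them otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# "count ip" per source address with failed-password entries, highest first.
# Reads log lines on stdin; the address is the field after "from".
count_failures() {
    awk '/sshd.*Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses at or above THRESHOLD failures, one per line.
find_offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Drop further packets from an address and tell the admin. The -C check
# keeps repeated runs from inserting the same rule twice.
ban_and_notify() {
    ip=$1
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || run iptables -I INPUT -s "$ip" -j DROP
    printf 'Blocked %s after repeated SSH login failures\n' "$ip" |
        run mail -s "sshd ban on $(uname -n)" root
}

# Rate limit independent of the log: the "recent" match drops a source that
# opens its fourth new SSH connection within 60 seconds.
rate_limit_ssh() {
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name SSH --set
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
}

# On a real box feed the syslog auth file instead of the sample, e.g.
#   grep sshd /var/log/auth.log | find_offenders 5
main() {
    rate_limit_ssh
    printf '%s\n' "$SAMPLE_LOG" | find_offenders 3 | while read -r ip; do
        ban_and_notify "$ip"
    done
}
main
```

The scan counts only "Failed password" lines, so the legitimate user's one typo from 198.51.100.20 stays under the threshold while 203.0.113.7, with four failures, is reported and blocked. Run it from cron and it does what the original question asked for; the rate-limit rules cover the bursts that happen between two cron runs.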
 
If you have a router, then most likely you have forwarded some ports from your router to your server (assuming by router, you mean DSL or cable router). Changing your SSH port is a decent first step, but only makes it harder to find. One thing you may want to do is to play around with TCP Wrappers. This is a way to run a mini-firewall around just certain services; for example, to be able to say that only the machine with IP of 1.2.3.4 is able to connect to your SSH server. This would prevent anyone else from even getting a connection, let alone a username prompt.

Check /etc/hosts.deny, and read the man page (man hosts.deny)
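What the hosts.allow / hosts.deny pair for the rule described above looks like, together with a small model of the order in which libwrap evaluates the two files, so the rules can be checked before they go live. This is an added example for this thread, not the poster's files. The 1.2.3.4 address is the one from the reply; the 192.168.1. prefix and the staging directory are assumptions. The matcher is deliberately simplified (no EXCEPT, netgroups, netmasks or shell commands); the real check against the files in /etc is `tcpdmatch sshd 1.2.3.4`.

```shell
#!/bin/sh
# Added example (not from the thread): TCP Wrappers rules that let only the
# trusted address from the post above reach sshd, plus a model of how libwrap
# evaluates them. sshd only honours these files when it is linked against
# libwrap (Gentoo: the "tcpd" USE flag); check: ldd "$(command -v sshd)" | grep libwrap

# Rules are written to a staging directory; copy to /etc when satisfied.
STAGE=${STAGE:-$(mktemp -d)}

# hosts.allow is consulted first and a match here wins outright.
# 1.2.3.4 is the trusted client from the post; 192.168.1. (trailing dot)
# is a network prefix, assumed here to be the home LAN.
cat > "$STAGE/hosts.allow" <<'EOF'
sshd: 1.2.3.4, 192.168.1.
EOF

# hosts.deny is consulted only when nothing in hosts.allow matched.
cat > "$STAGE/hosts.deny" <<'EOF'
ALL: ALL
EOF

# One client pattern against one address: ALL, a dotted prefix, or exact.
pattern_matches() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $client in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemon_list : client_list" line in FILE cover SERVICE from CLIENT?
# Simplified model: no EXCEPT, @netgroups, CIDR masks or shell commands.
file_matches() {
    file=$1; service=$2; client=$3
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | (
        while IFS=: read -r daemons clients; do
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$service" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    pattern_matches "$c" "$client" && exit 0
                done
            done
        done
        exit 1
    )
}

# libwrap's order: allow file, then deny file, then allow by default.
# That default is why hosts.deny needs the catch-all ALL: ALL line.
wrapper_decision() {
    if file_matches "$STAGE/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$STAGE/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for addr in 1.2.3.4 192.168.1.50 203.0.113.7; do
    echo "sshd from $addr: $(wrapper_decision sshd "$addr")"
done
```

The point the model makes visible is the default: with an empty hosts.deny everything not listed in hosts.allow is still let through, so the ALL: ALL line is what turns the allow list into a real restriction. A rejected client is closed before sshd prints a banner, which is the "no username prompt" effect the reply describes.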
 
If you have the capability to run a certificate server, you could generate your own certificates for an in-house PKI authentication scheme. It's not too difficult, especially if you have a Windows 2000 or 2003 server. To be honest, I don't know how you'd set it up with *nix.
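On a *nix box the usual answer to the original question (an authentication method other than username/password) is OpenSSH's public-key login: a key pair on the client, the public half in the server's authorized_keys, and password authentication switched off once the key works. The script below is an added example for this thread, not the poster's configuration; the port 2222, the user name and the key text are assumptions or constructed values. It also contains a small checker for the setting that bites most often: sshd takes the first value it finds for a keyword, so a "PasswordAuthentication no" added at the bottom of a file that already says "yes" higher up does nothing.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH public-key login, the *nix
# answer to the certificate question above, with password logins turned off
# once the key works.

# Client side, run by hand once:
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa          # choose a passphrase
#   ssh -p 2222 digilink@homebox 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub
# Keep a second session open while testing so a mistake cannot lock you out.

# sshd_config directives for the server. sshd uses the FIRST value it finds
# for a keyword, so these go above any existing duplicate lines. Port 2222
# and the user name are assumptions, not values from the thread.
HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers digilink'

# Server side: add a public key to authorized_keys with the permissions sshd
# requires (it ignores keys in a group- or world-writable ~/.ssh). Keys that
# are already present are skipped, so repeated runs are harmless.
install_authorized_key() {
    pubkey=$1; keyfile=$2
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    grep -qxF -- "$pubkey" "$keyfile" 2>/dev/null || printf '%s\n' "$pubkey" >> "$keyfile"
    chmod 600 "$keyfile"
}

# Effective value of KEY in an sshd_config read on stdin: first occurrence
# wins, keyword matching is case-insensitive, Match blocks are not entered,
# and DEFAULT is reported when the keyword is absent.
sshd_option() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !done { print $2; done = 1 }
        END { if (!done) print def }'
}

# Compare the settings that matter against the hardened values, using
# sshd_config(5) defaults for anything the file leaves unset (PermitRootLogin
# has defaulted to prohibit-password since OpenSSH 7.0; either way not "no").
# Returns 1 and names every offending keyword when passwords are still usable.
audit_sshd_config() {
    cfg=$(cat)
    status=0
    for rule in PasswordAuthentication:no:yes PubkeyAuthentication:yes:yes \
                ChallengeResponseAuthentication:no:yes PermitRootLogin:no:yes; do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(printf '%s\n' "$cfg" | sshd_option "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', want '$want'"
            status=1
        fi
    done
    return $status
}

# After editing /etc/ssh/sshd_config: "sshd -t" for a syntax check, then reload.
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "hardened config passes"
```

To audit the live file: `audit_sshd_config < /etc/ssh/sshd_config`. Once the audit passes and a key login has been confirmed from the second session, the brute-force attempts in the log become noise: without a usable password there is nothing for them to guess.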
 