[Bio-Linux] Bio-Linux 5.0 security

Anthony Pemberton A.J.Pemberton at bham.ac.uk
Wed Jan 28 12:25:32 EST 2009


Dear All,

Another approach is to simply secure the firewall further by only
allowing certain machines or subnets to access sshd. This can be done
fairly simply with iptables by adding the -s option to the sshd line in
the iptables config. Access can also be limited by using tcp_wrappers.

Obviously this depends on how much the admin wants to limit access.


Regards,

Tony Pemberton

> -----Original Message-----
> From: bio-linux-bounces at envgen.nerc-oxford.ac.uk [mailto:bio-linux-bounces at envgen.nerc-oxford.ac.uk] On Behalf Of Tim Booth
> Sent: 28 January 2009 15:46
> To: Bio-Linux help and discussion
> Subject: Re: [Bio-Linux] Bio-Linux 5.0 security
> 
> Hi Tony,
> 
> Useful advice, but a word of warning on fail2ban - I've known it to
> block legitimate hosts, including even localhost!  It seems that NX,
> which a lot of people use for remote access, did not play nicely with
> fail2ban in that case.
> 
> If you have a small number of users on a machine (e.g. if it is just your
> personal workstation) I would ensure that membership of the ssh group is
> kept to a minimum, use hard-to-crack passwords
> (http://www.dowling.edu/mydowling/tech/good-passwords.html) and consider
> moving from password-based login to key-based login.
> 
> Key-based login takes a little bit of work to set up but is immune to
> current 'brute-force' attacks and can actually save you time typing
> passwords.  If anyone on this list is interested in knowing more then
> let me know and I'll post some details.
> 
> Cheers,
> 
> TIM
> 
> On Wed, 2009-01-28 at 15:26 +0000, Tony Travis wrote:
> > Hello,
> >
> > I've just installed Bio-Linux 5.0.2 on one of our NuGO servers (nbx1).
> >
> > I'm pleased to see that "openssh-server" is pre-installed in Bio-Linux,
> > but I think it might be wise to install "fail2ban" as well, to defend
> > against 'brute-force' attacks from the Internet via SSH. I've done this
> > on "nbx1", and I've also installed "linux-server", which depends on the
> > latest version of the Ubuntu Linux kernel for 'server' equipment. The
> > 'server' kernel supports PAE (Physical Address Extension), which allows
> > 32-bit systems to use >4GB RAM. Any one 32-bit process can't access more
> > than 4GB RAM, but several 32-bit processes can use > 4GB in total.
> >
> > Thanks for all the work you've put into the latest Bio-Linux release!
> >
> > Bye,
> >
> >          Tony.
> > --
> > Dr. A.J.Travis, University of Aberdeen, Rowett Institute of Nutrition
> > and Health, Greenburn Road, Bucksburn, Aberdeen AB21 9SB, Scotland, UK
> > tel +44(0)1224 712751, fax +44(0)1224 716687, http://www.rowett.ac.uk
> > mailto:a.travis at abdn.ac.uk, http://bioinformatics.rri.sari.ac.uk/~ajt
> >
> --
> Tim Booth <tbooth at ceh.ac.uk>
> NERC Environmental Bioinformatics Centre
> at CEH Oxford
> +44 1865 281 975
> 
> 
> 
> _______________________________________________
> Bio-Linux mailing list
> Bio-Linux at envgen.nox.ac.uk
> http://envgen.nox.ac.uk/mailman/listinfo/bio-linux
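
The source restriction suggested in the message at the top of this thread (the -s option on the sshd iptables line, plus tcp_wrappers), as an added example that is not part of the original posts: both layers are generated from one allow-list so they admit the same hosts. The function names, the INPUT chain, port 22 and the sample addresses are assumptions made for illustration.

```shell
# Added example: one allow-list feeds both iptables and tcp_wrappers.
# Assumptions: sshd listens on TCP port 22, rules belong in the INPUT chain.

# Accept dotted-quad IPv4 with an optional /0-32 prefix; reject the rest.
valid_source() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}; old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Prefix length to dotted netmask (24 -> 255.255.255.0), the net/mask form
# that hosts_access(5) documents for tcp_wrappers.
prefix_to_mask() {
    bits=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$(($bits - 8))
        else octet=$((256 - (1 << (8 - $bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# iptables-save style lines: one ACCEPT with -s per source, then a DROP for
# every other source. Order matters: the ACCEPT lines must come first.
sshd_iptables_rules() {
    for src in "$@"; do valid_source "$src" || return 1; done
    for src in "$@"; do
        echo "-A INPUT -s $src -p tcp -m tcp --dport 22 -j ACCEPT"
    done
    echo "-A INPUT -p tcp -m tcp --dport 22 -j DROP"
}

# Matching /etc/hosts.allow line; pair it with "sshd: ALL" in /etc/hosts.deny.
sshd_hosts_allow() {
    list=""
    for src in "$@"; do
        valid_source "$src" || return 1
        entry=$src
        case $src in */*) entry="${src%/*}/$(prefix_to_mask "${src#*/}")" ;; esac
        list="${list}${list:+, }${entry}"
    done
    echo "sshd: $list"
}

# Constructed sample sources (RFC 5737 documentation addresses).
sshd_iptables_rules 192.0.2.10 198.51.100.0/24
sshd_hosts_allow 192.0.2.10 198.51.100.0/24
```

Include the address you administer the machine from in the list before loading either file, since both layers refuse every source that is not listed.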



