Securing your ssh server

One of the most common questions that I see in my favorite IRC channel is: “How can I secure sshd on my server?” There’s no single right answer, but most systems administrators combine multiple techniques to provide as much security as possible with the least inconvenience to the end user. Here are my favorite techniques listed from most effective to least effective: SSH key pairs. By disabling password-based authentication and requiring ssh key pairs, you reduce the chances of compromise via a brute force attack....

2010-10-12 · 4 min · Major Hayden

Adding comments to iptables rules

After I wrote a recent post on best practices for iptables, I noticed that I forgot to mention comments for iptables rules. They can be extremely handy if you have some obscure rules for odd situations. To make an iptables rule with a comment, simply add on the following arguments to the rule: -m comment --comment "limit ssh access" Depending on your distribution, you may need to load the ipt_comment or xt_comment modules into your running kernel first....

2010-07-26 · 1 min · Major Hayden

Private network interfaces: the forgotten security hole

Regardless of the type of hosting you’re using - dedicated or cloud - it’s important to take network interface security seriously. Most often, threats from the internet are the only ones mentioned. However, if you share a private network with other customers, you have just as much risk on that interface. Many cloud providers allow you access to a private network environment where you can exchange data with other instances or other services offered by the provider....

2010-03-02 · 3 min · Major Hayden

Automatically loading iptables rules on Debian/Ubuntu

If you want your iptables rules automatically loaded every time your networking comes up on your Debian or Ubuntu server, you can follow these easy steps. First, get your iptables rules set up the way you like them. Once you’ve verified that everything works, save the rules: Next, open up /etc/network/if-up.d/iptables in your favorite text editor and add the following: Once you save it, make it executable: Now, the rules will be restored each time your networking scripts start (or restart)....

2009-11-17 · 1 min · Major Hayden

ip_conntrack: table full, dropping packet

Using Linux kernel 3.12 or later? See this updated post instead. Last week, I found myself with a server under low load, but it couldn’t make or receive network connections. When I ran dmesg, I found the following line repeating over and over: I’d seen this message before, but I headed over to Red Hat’s site for more details. It turns out that the server was running iptables, but it was under a very heavy load and also handling a high volume of network connections....

2008-01-24 · 1 min · Major Hayden