In Episode 048 of the BSD Now podcast, Allan referenced a great blog post on twisteddaemon listing basic security steps to perform after a new install. The checklist is also a good guide for a mature server checkup, which I recently did with a production server. Besides confirming sshd was configured correctly for public-key login only, I found forgotten open ports related to ntpd and ftp enabled (neither of which I need anymore), and I also found syslogd was opening a port for remote logging (all of which have now been disabled).
In addition to the checklist, Allan also recommended using a tool like denyhosts to reduce ssh door knocking. I’ve never quantified the time being wasted checking the door, but I’m running older hardware and my server log lists several hundred to upwards of a thousand knocks per day, so it may be significant.
Installing denyhosts was pretty simple with the help of On How to Install denyhosts on FreeBSD. The only issue I had was how to include at least one allowed port to prevent accidentally locking myself out. I never connect to the server from a static IP address, and it’s not readily clear to me what addresses would cover my travels around town. However, the server is in the basement, so it’s not an issue so long as I’m not travelling.
I’ll let you know in a couple weeks how my server logs are looking, and if my 2G single-core P4 is feeling less stressed (and behaving snappier).
Other references:
- man hosts.allow
- stackoverflow – denyhosts keeps adding back my IP