Tag Archive for 'Security'

Secure The Default SSH Configuration

Before making any changes to the SSH configuration, make sure you do not close or kill your existing connection, in case you need to make emergency changes.

The primary file we need to edit is located at:

/etc/ssh/sshd_config

Also, a line starting with # shows the default value in the configuration file.

SSH is a vital tool for any administrator, but it also happens to be a focus for attacks. Some succeed because systems run default configurations, which makes the attacker's job easier. The point of this article is to change the obvious default values and remove unnecessary access.

The basic rule for scanning is to scan for common ports first; in the case of SSH, that happens to be 22. The solution is to use another port above 1024.

#Port 22
Port 1520

There are two protocols used by SSH, 1 and 2. Protocol 1 is old and insecure by now; to save ourselves from future problems, we need to disable protocol 1 and allow only the current protocol, which is 2.

#Protocol 2,1
Protocol 2

The root account has no need to be reachable from the Internet; instead, create a user with privileges. The benefit is fairly obvious: instead of having to provide a single password, the user is now required to provide two.

First of all, we have to deny direct access to the root account.

#PermitRootLogin yes
PermitRootLogin no

Automated attacks benefit from default configurations, such as allowing a high number of invalid attempts. We limit the number of failed attempts before the server denies the connection and requires a new one.

#MaxAuthTries 6
MaxAuthTries 2

Now let's limit the number of unauthenticated connections the SSH server will handle at the same time. By making the numbers smaller than the default of 10, we make it harder for an attacker to coordinate an attack with multiple connections. The new values tell the SSH server to allow 3 users at the same time, then randomly and increasingly drop connections between 2 and 8.

#MaxStartups 10
MaxStartups 2:40:8
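
The three fields of MaxStartups are start:rate:full as defined in sshd_config(5): refusal begins at "start" pending connections with probability rate/100 and rises linearly to 100% at "full". The added example below (not part of the original post; the function name maxstartups_drop_pct is hypothetical) works this through for the value above.

```shell
#!/bin/sh
# Added example: refusal probability for "MaxStartups start:rate:full",
# following the description in sshd_config(5).

# maxstartups_drop_pct SPEC N   (hypothetical helper name)
#   SPEC  MaxStartups value, e.g. "2:40:8" or the single-number form "10"
#   N     current number of unauthenticated connections
# Prints the percentage chance (0-100) that a new connection is refused.
maxstartups_drop_pct() {
    spec=$1
    n=$2
    case $spec in
        *:*:*)
            start=${spec%%:*}
            rest=${spec#*:}
            rate=${rest%%:*}
            full=${rest#*:}
            ;;
        *)
            # Single number: a hard limit only, no random early drop.
            start=$spec
            rate=100
            full=$spec
            ;;
    esac
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ]; then
        echo 100
    else
        # Linear ramp from rate% at start to 100% at full.
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
}

# Walk the article's setting through a range of pending connections.
for n in 0 1 2 3 5 8; do
    printf 'pending=%s refuse=%s%%\n' "$n" "$(maxstartups_drop_pct 2:40:8 "$n")"
done
```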

By default, the SSH server will hold open an unauthenticated connection for 2 minutes, which is a long time on the Internet; 30 seconds is more than enough time to log in.

#LoginGraceTime 2m
LoginGraceTime 30

SSH keys are far more secure than passwords; if you are using keys, it's a good idea to disable password login altogether.

#PasswordAuthentication yes
PasswordAuthentication no

This may seem basic, but we are actually giving the attacker a run for his or her money. Remember to always restart the service after making changes:

/etc/init.d/sshd restart
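
One way to confirm that the file really carries the values chosen above, as an added example that is not part of the original post (the function name audit_sshd_config and the sample file are constructed for illustration). It relies on two documented sshd_config rules: keywords are case-insensitive, and the first value read for a keyword is the one used. As a simplification it audits only the global section before any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the values chosen in this article.
# Simplification (assumption): only the global section before any Match block.

# audit_sshd_config FILE -> prints FAIL lines, returns non-zero on any finding
audit_sshd_config() {
    awk '
    BEGIN {
        # Expected values, taken from the article.
        want["port"] = "1520";            want["protocol"] = "2"
        want["permitrootlogin"] = "no";   want["maxauthtries"] = "2"
        want["maxstartups"] = "2:40:8";   want["logingracetime"] = "30"
        want["passwordauthentication"] = "no"
    }
    NF == 0 || $1 ~ /^#/ { next }        # blanks and commented-out defaults
    tolower($1) == "match" { exit }      # stop at the first Match block
    {
        key = tolower($1)                # keywords are case-insensitive
        if (!(key in got)) got[key] = tolower($2)   # sshd keeps the first value
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in got)) {
                printf "FAIL %s not set, default applies (want %s)\n", k, want[k]; bad++
            } else if (got[k] != want[k]) {
                printf "FAIL %s is %s (want %s)\n", k, got[k], want[k]; bad++
            }
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: root login is set twice and the first line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 1520
Protocol 2
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 2
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

Before restarting, `sshd -t` checks the configuration file for syntax errors, which avoids locking yourself out with a typo.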

If you find any of the material on this site useful please take a moment to make a small donation.

Free Software And Security Practices

Most of the world runs Windows, at least on the client side, and we are all aware of the security problems. The only reason for this post to exist is to let you know about free and proven software that will help secure your PC, along with some basic guidelines for using Windows. I will only recommend software that I am currently using.

Software line up

Avast Antivirus (Home Edition)

avast! 4 Home Edition is a full-featured antivirus package designed exclusively for home users and non-commercial use. Both of these conditions should be met! Our company offers the Home Edition free of charge, since, in our opinion, it is possible to avoid global virus spreading by efficient prevention.

Ad-Aware SE (Free)

Ad-Aware 2007 Free remains the most popular anti-spyware product for computer users around the world, with nearly one million downloads every week. Our free anti-spyware version provides you with advanced protection against spyware that secretly attaches and takes control of your computer, resulting in aggressive advertising pop-ups, sluggish computer activity, even identity theft through stolen bank details, passwords, and credit card account numbers.

Windows Defender (Spyware)

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it’s detected and minimizes interruptions and helps you stay productive.

CCleaner

CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. But the best part is that it’s fast (normally taking less than a second to run) and contains NO Spyware or Adware!

A router is not a firewall

  • No protocols are directly connected to the WAN, making port scans harder.
  • No resource demands on the local systems, since it's an external device (software firewalls may slow things down a bit).
  • Consider getting something like the Linksys WRT54GL router, which can be flashed to run a Linux variant, which in turn allows you to configure iptables (Linux packet filtering that provides firewall capabilities).
  • Do not run Windows in Administrator mode. A lot of infections can be prevented if a normal account is used instead. The administrator account should only be used when installing software.
  • Surfing the web is one of the most common things to do on a computer. You might be using Internet Explorer, since it's the default browser on Windows, and by default it's the most commonly used web browser, making it the primary target for exploits. The most obvious alternative to IE is Firefox, which in my opinion has better capabilities. No software is perfect: because of Firefox's rising popularity, the number of exploits has increased. A third alternative now appears to be the Opera web browser; check it out for yourself.

That concludes my recommendations for a better online experience; comments are welcome.

If a piece of software is considered secure, it's only because it hasn't been cracked enough.
