Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing your network But still be able to access it Hugh Mahon.

Published byBuddy Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing your network But still be able to access it Hugh Mahon."— Presentation transcript:

1 Securing your network But still be able to access it Hugh Mahon

2 How dangerous is the 'net? ● A 'grep' of /var/log/messages for 'failure' found 10474 failed ssh login attempts over a two day period ● Attempts on root, and just about every 'standard' account name. ● Even with 'good' passwords how many script kiddie attacks can a site take?

3 Problem ● Ports for access (e.g., ssh) are well known ● How to allow access but stop, or at least slow down, the bad guys?

4 Protect ssh ● /etc/ssh/sshd_config – Remove root login ability: PermitRootLogin no – Do not allow passwords (require certificates): PasswordAuthentication no – Only allow specific users: AllowUsers tom dick harry ● Use /etc/hosts.allow or /etc/hosts.deny – In /etc/hosts.allow: sshd: 1.2.3.0/255.255.255.0 – Then in /etc/hosts.deny: sshd: ALL

5 iptables ● You can also use iptables to restrict access – Restrict ssh connections to those from specific hosts: ● iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT ● # Deny all other SSH connections ● iptables -A INPUT -p tcp --dport 22 -j DROP

6 More with iptables ● Restrict rate of connections from a host: ● iptables -I INPUT -p tcp --dport 22 -i eth0 \ -m state --state NEW -m recent --set ● iptables -I INPUT -p tcp --dport 22 -i eth0 \ - m state --state NEW -m recent --update \ -- seconds 60 --hitcount 4 -j DROP

7 Port knocking ● A server can allow access without making services easy to see with tools such as nmap ● A client 'knocks' on ports on the server to get the server to 'open up' a port for a service – The server offers no response during the 'knock' – After a correct 'knock' the server responds by opening the related port.

8 Types of Knocks ● Port knocks can be of several different types: – SYN packets sent to a sequence of ports – ICMP echo request (ping) packets with encrypted payloads – Sniff packets on specified ports listening for encrypted data.

9 Resources ● This presentation: anerd.org ● http://www.portknocking.org http://www.portknocking.org ● http://www.debian-administration.org/articles/187

Download ppt "Securing your network But still be able to access it Hugh Mahon."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Cosc 5/4765 Protecting against ssh attacks And is this secure?

Cosc 5/4765 Protecting against ssh attacks And is this secure?
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Ferry Astika Saputra Workshop Administrasi Jaringan TELNET & SSH.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Ferry Astika Saputra Workshop Administrasi Jaringan TELNET & SSH.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CIS 193A – Lesson10 Protecting Your Network. CIS 193A – Lesson10 Focus Question What information contained in packets can be used as matching criteria.

CIS 193A – Lesson10 Protecting Your Network. CIS 193A – Lesson10 Focus Question What information contained in packets can be used as matching criteria.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
IPTables Tips and Tricks: More Than Just ACCEPT and DROP

IPTables Tips and Tricks: More Than Just ACCEPT and DROP
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.

Similar presentations

Ads by Google