Analyzing Malicious SSH Login Attempts
2006-11-06
For prevention, I'd add a few things, which should ALWAYS be done on your firewall:
1. ALWAYS the first thing is to disable root login via ssh.
2. You should at least add port knocking. It is incredibly easy to do. This stops ALL SSH attacks. Simple port knocking suffices for most people. The more security-conscious should use something like fwknop.
3. There should only be two accounts: root, and whatever username you installed with. Give both a tough password.
4. Use a robust firewall configuration tool (or write a robust iptables script). I recommend advanced tools like shorewall.
Lastly, if the sysadmin isn't comfortable building a custom firewall, then use one of the pre-built ISOs available. There are some great ones, such as SmoothWall Express, pfSense, IPCop, ClarkConnect, Endian Firewall, m0n0wall, etc. Just download the ISO, burn a CD, boot it, answer a few questions, and you get an awesome firewall, complete with a remote web-based configuration tool.
Also, it doesn't hurt to join a popular Unix or Linux forum, such as linuxquestions.org, and get feedback in the security forum.
Sorry for the long post... cheers!
Link to this comment: http://www.securityfocus.com/comments/infocus/1876/1133#1133
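Item 1 of the comment above (disabling root login via ssh), as an added example that is not part of the original comment: a small check that reads sshd_config text and reports where root login is still permitted, including inside Match blocks. The sample configuration is constructed, the function names are hypothetical, and Include directives are assumed absent.

```python
# SAMPLE_CONFIG is constructed for illustration, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
# The next line is ignored: sshd uses the first value it obtains per keyword.
permitrootlogin yes

Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

def audit_root_login(config_text):
    """Return (first global value or None, [(match_criteria, value), ...]).

    Include directives are not followed (assumption: single-file config).
    """
    global_value, overrides = None, []
    match, match_has_value = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            match, match_has_value = arg, False
        elif keyword == "permitrootlogin":
            if match is None:
                global_value = global_value or arg.lower()
            elif not match_has_value:
                overrides.append((match, arg.lower()))
                match_has_value = True
    return global_value, overrides

def findings(config_text):
    """List problems; empty means 'no' is set globally with no overrides."""
    global_value, overrides = audit_root_login(config_text)
    out = []
    if global_value is None:
        out.append("PermitRootLogin not set globally: version default applies")
    elif global_value != "no":
        out.append(f"global PermitRootLogin is '{global_value}', expected 'no'")
    out += [f"Match {m}: PermitRootLogin '{v}' allows root login"
            for m, v in overrides if v != "no"]
    return out
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a config file offline.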