We have a project that an external group is helping with, and wanted a hardened machine for them to ssh into without worries.
For projects like this, I recommend you wander over to secmaniac to see Dave Kennedy’s blog on security-related topics. He has a relatively new tool out (a few months old) called Artillery that is, a first for him, on the defensive side of security (as opposed to the breaking-stuff side). Now I know, you are probably a geospatial professional and therefore leave the security to someone else (if at all). Don’t. It’s no fun to be pwned.
Anyway, I deployed it on Ubuntu 11.10 with great ease: just svn a copy and follow the directions in the readme. It will rewrite your firewall rules, leave honeypot ports of your choice open to catch anyone poking at them, and then write a permanent deny entry for any address that connects to one of those ports. I banned my own machines pretty quickly before remembering to whitelist them. In Dave’s words:
“Artillery is a tool designed to confuse attackers and block them before an actual attack occurs. Artillery is a newer project and does a combination of host monitoring, security hardening, and honeypot type defensive strategies. Artillery has an active component where if it detects a connection on a given port that is triggered as a honeypot, it will automatically block the offending IP address.”
I’m hoping to modify it a bit to handle whitelisting dynamic IPs, but I don’t think I even need to poke under the hood to do that: just write a script to modify the whitelist in the config file and reload.
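One way to do that, as an added example and not Artillery’s own code: a Python script that resolves the partner’s dynamic-DNS name, rewrites the whitelist line in Artillery’s config only when the address has actually changed (dropping the previous address so stale entries don’t pile up), and then restarts Artillery. The config path, the `WHITELIST_IP` key format, the state file and the restart command are assumptions, not taken from the post; adjust them to match your install.

```python
import re
import socket
import subprocess
import sys
from pathlib import Path

# Assumptions (not in the post): Artillery's config keeps a comma-separated
# whitelist as WHITELIST_IP="..." at this path; RESTART_CMD is a placeholder
# for however Artillery is started on the host; STATE is our own record file.
CONFIG = Path("/var/artillery/config")
STATE = Path("/var/artillery/.last_dyn_ip")
RESTART_CMD = ["service", "artillery", "restart"]
LINE_RE = re.compile(r'^(WHITELIST_IP\s*=\s*")([^"]*)(")', re.M)

def resolve_ipv4(hostname):
    """Resolve the partner's dynamic-DNS name and insist on an IPv4 literal."""
    ip = socket.gethostbyname(hostname)
    socket.inet_aton(ip)  # raises OSError if the answer is not a dotted quad
    return ip

def update_whitelist(config_text, new_ip, stale_ips=()):
    """Return config_text with new_ip whitelisted and stale_ips removed.
    Idempotent: the text comes back unchanged if new_ip is already listed."""
    m = LINE_RE.search(config_text)
    if m is None:
        raise ValueError("no WHITELIST_IP line found in config")
    entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
    entries = [e for e in entries if e not in stale_ips or e == new_ip]
    if new_ip not in entries:
        entries.append(new_ip)
    line = m.group(1) + ",".join(entries) + m.group(3)
    return config_text[:m.start()] + line + config_text[m.end():]

def main(hostname):
    new_ip = resolve_ipv4(hostname)
    stale = STATE.read_text().split() if STATE.exists() else []
    before = CONFIG.read_text()
    after = update_whitelist(before, new_ip, stale)
    if after != before:  # only rewrite the file and restart when the IP moved
        CONFIG.write_text(after)
        STATE.write_text(new_ip)
        subprocess.check_call(RESTART_CMD)

if __name__ == "__main__":
    main(sys.argv[1])  # e.g. python3 whitelist_dyn.py partner.dyndns.example
```

Run it from cron as root every few minutes; because nothing is written or restarted unless the resolved address differs from what is already whitelisted, the frequent runs are cheap.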
While I advocate you look into this tool, do watch the licensing: while released under a modified BSD, it does have a clause requiring that a hug and a beer be offered if you meet Dave in a bar. Don’t use it if you aren’t comfortable with the terms.