CNT5605 - 2011 Fall
Group Assignment 4
Printed Journals Due Wednesday, October 5, at the beginning of class.

Assignment: Improving SSHD security on your Debian box

Objectives: (1) Move SSHD to a non-obvious port on your debian box. (2) Configure your iptables firewall. (3) Install knockd and configure it to protect your SSHD.

Moving SSHD

This is by far the easiest portion of the assignment. Just edit the /etc/ssh/sshd_config file to move your sshd to a non-obvious port, and restart sshd. "Non-obvious" in this case means a port above 20,000 of your choice.

Configuring IP tables

This is a bit more challenging. Currently, unless you have already set up a firewall on your Debian box, your iptables rulesets are empty (you can see this with iptables -L -n.) This portion of the assignment is to set up a firewall that allows (1) pings to your Debian box and (2) connections to ports 80 and 443, but should generally forbid other TCP connections (we will take of your new sshd port in the next section with knockd.)

You are welcome to install whatever firewall management toolkit you like, or you can just use the standard iptables-restore and iptables-save by hand — but if you do so, you will also have to set up automatic installation of your iptables on reboot.

In either case, verify that your changes are permanent by rebooting the machine and doing an iptables -L -n.

Installing and configuring knockd

Now we want to set up special access to your sshd, which is now blocked by your new firewall.

We are going to use the program knockd to do this. First, install knockd from a repository. Second, please configure it so that:

You will need to do at least three verification steps for this: (1) verify that you can connect only for a short period from your XCP box to your Debian box. (2) Verify using iptables -L -n both during and after the 20 second window to verify that the sshd port rule is correctly appearing and disappearing. (3) Verify that everything works correctly after a reboot.

A journal is due for this assignment. Make sure that you document in your journal all of the steps that you went through, following the guidelines on the class home page. For this assignment, please include in your write-up both

Please share the workload so that all team members get experience with all aspects of the work. PLEASE DON'T FORGET TO PUT YOUR TEAM NUMBER ON THE ASSIGNMENT. Please turn in a printed copy of this assignment at the beginning of class on Wednesday, October 5th.