Full Version: Securing A New C3000
SwiftOne
I'm the owner of a new C3000, and I'd like to make sure I've locked it down properly. I've read that previous Zaurii had (essentially) root FTP with no password, but that is no longer the case. Is there anything too lax on it that I should tighten down? I've already installed SSH for my outbound connections.
speculatrix
QUOTE(SwiftOne @ Mar 14 2005, 05:26 PM)
I'm the owner of a new C3000, and I'd like to make sure I've locked it down properly.  I've read that previous Zaurii had (essentially) root FTP with no password, but that is no longer the case.  Is there anything too lax on it that I should tighten down?  I've already installed SSH for my outbound connections.


I imagine that the 300 is not much different to the 860 I am using at this instant.

Just ssh into it as root, and type "passwd root".

My question is: what might break when you set the root password?

Also, what happens if you set the password on the zaurus user?
SwiftOne
QUOTE(speculatrix @ Mar 14 2005, 05:53 PM)
just ssh into it as root, and type "passwd root"


That tells me _how_ I can do something, not _what_ I should do. What's currently open? What's currently open that should be closed?

Although I am curious to see what gotchas exist about closing any of this.
bluedevils
"netstat -a" while you are connected to a network should tell you what services are listening (open). You could also install iptables and set up a tight firewall.
speculatrix
QUOTE(bluedevils @ Mar 15 2005, 12:46 AM)
"netstat -a" while you are connected to a network should tell you what services are listening (open).  You could also install iptables and set up a tight firewall.


So, basically, lock down networked ports to stop stuff coming in.

If you're not sure about putting passwords on accounts, then put your public ssh key into the authorized_keys files for each user, then change the sshd config to not allow plain text passwords; that way the lack of passwords doesn't matter. Also, you can put specific users into the sshd config which are allowed to log in, and thus prevent attempts to log in to the Zaurus account, for example.

Don't forget to save a copy of the old config files first.
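
Added example, not part of the thread or written by any poster: a shell sketch of the steps in the post above (keys first, then password logins off, an allowed-user list, old config saved). It assumes OpenSSH `sshd_config` syntax with no `Match` blocks and home directories under a `HOMEBASE/<user>` layout; the function names, paths and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSH sshd_config syntax with no
# Match blocks, and home directories under HOMEBASE/<user> (hypothetical layout).

# first_value CONF KEYWORD: print the first active (uncommented) value of KEYWORD.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

harden_sshd_config() {   # usage: harden_sshd_config CONF HOMEBASE user...
    conf=$1 homebase=$2
    shift 2
    [ -f "$conf" ] && [ $# -ge 1 ] || { echo "usage: CONF HOMEBASE user..." >&2; return 2; }
    # Refuse to turn passwords off while an allowed user has no key installed.
    for u in "$@"; do
        [ -s "$homebase/$u/.ssh/authorized_keys" ] ||
            { echo "no authorized_keys for $u; not changing $conf" >&2; return 1; }
    done
    # Save the old config once; a re-run must not overwrite the real original.
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    {
        printf '%s\n' "PubkeyAuthentication yes" "PasswordAuthentication no" \
                      "PermitEmptyPasswords no" "AllowUsers $*"
        # Drop old active copies of these keywords (case-insensitive); keep the rest.
        awk '{ k = tolower($1) }
             k == "pubkeyauthentication" || k == "passwordauthentication" ||
             k == "permitemptypasswords" || k == "allowusers" { next }
             { print }' "$conf"
    } > "$conf.new" && mv "$conf.new" "$conf"
}

# Constructed sample: a permissive config and one user ("root") with a key installed.
demo=$(mktemp -d)
mkdir -p "$demo/home/root/.ssh" "$demo/home/zaurus"
echo "ssh-rsa AAAA...constructed-placeholder user@host" > "$demo/home/root/.ssh/authorized_keys"
printf '%s\n' "Port 22" "#PasswordAuthentication yes" "passwordauthentication yes" \
              "PermitEmptyPasswords yes" > "$demo/sshd_config"

harden_sshd_config "$demo/sshd_config" "$demo/home" root zaurus || echo "refused: zaurus has no key"
harden_sshd_config "$demo/sshd_config" "$demo/home" root
grep -v '^#' "$demo/sshd_config"
```

On a real device, check the edited file with `sshd -t` and keep the current session open until a fresh key-based login has succeeded.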