Archive for the ‘Linux’ Category

Install and configure VNC in 8 easy steps

1. Install the VNC server rpm for the Linux distribution you are using.

2. Once the VNC server is installed, you can check for the commands listed below.

3. Now set the password for VNC sessions by executing the command vncpasswd.

4. Once the password is set, run the command vncserver. It creates a file .Xauthority and a folder .vnc in the user's home directory with all the configuration files, and it also starts the first session for the client.

 

5. Now we have to kill the VNC session, because VNC has to be configured properly before we connect. To kill a VNC session, use the command shown in the figure.

Here, 1 is the VNC session ID.

6. Now open the .vnc/xstartup file to modify the parameters. The beginning of the file looks like below.

7. Now uncomment the 3rd and 4th lines, which contain the unset and exec commands. Keep the next two lines as they are (uncommented). Comment out the remaining lines of the file. At the end, add a startx command. After making the changes, the content should look like below.

N.B.: This is for the GNOME desktop environment. For the KDE desktop environment, put startkde & at the end instead of startx &.

Now start the vncserver. That is all the configuration needed on the server side.

8. Now open the VNC viewer on the client side. It will ask for the server name and password.

Give the server as hostname:session id or IP address:session id. It will ask for the password, and you will get the remote desktop screen after successful authentication.

9. If your client system is a Linux system, install the vncviewer rpm. You can then connect to the remote system by executing the vncviewer command.

Different Run levels in Linux and how to switch between them

What are different Run levels in Linux and how to switch between them?

Run levels: Run levels define which processes or services run automatically while the system boots up. This is defined in the /etc/inittab file.

N.B.: The init process is the last step in the boot procedure and has a PID of 1. init is responsible for starting system processes as defined in the /etc/inittab file.

The init process checks which default run level is defined in /etc/inittab and starts the system in that run level, which means all the services defined for that run level get executed.

There are 7 different run levels (run levels 0-6) in a Linux system, each for a different purpose. The descriptions are given below.

0: Halt System (To shutdown the system)
1: Single user mode
2: Basic multi user mode without NFS
3: Full multi user mode (text based)
4: unused
5: Multi user mode with Graphical User Interface
6: Reboot System

 

Most desktop Linux distributions boot into run level 5, which starts the graphical login prompt. This allows the user to use the system with the X Window server enabled. Most servers boot into run level 3, which starts the text-based login prompt; it is advisable not to install a graphical environment on a server, as it wastes a lot of space and also takes a lot of resources to run.

 

Each run level is defined inside its own directory structure. These directories are located in the /etc/rc.d/ directory, under which you have rc1.d, rc2.d… rc6.d directories where the number from 0 to 6 corresponds to the specific run level. Inside each directory, symbolic links are defined that point to the master init scripts found in /etc/init.d or /etc/rc.d/init.d.

 

Switching or Changing between different runlevels:-

Method-1: Changing run level temporarily without reboot.

We can use the init command to change run levels without rebooting the system.

Ex: if we are currently in run level 3 and want to go to run level 1, we just need to execute

# init 1

Or, if you want to shut down a machine, you can use run level 0. You just need to execute

# init 0

Remember this change is not permanent and on next reboot you will get your default runlevel.

 

Method-2: Changing run level permanently

If you want to change your default run level then

Open the file /etc/inittab and edit entry initdefault:

# vi /etc/inittab

Let’s set initdefault to 5, so that you can boot to X next time when Linux comes up:

id:5:initdefault:

 

Method-3:-Change run level at boot time

You can also change the run level at boot time. If your system uses LILO as the boot manager, you can append the run level to the boot command:

LILO: linux 3 or
LILO: linux 5

If your system uses GRUB, you can change the boot runlevel by pressing the `e’ key to edit the boot configuration. Append the run level(in our case 5) to the end of the boot command as shown:

kernel /vmlinuz-2.6.18-164.el5 ro root=LABEL=/ rhgb quiet  5

 

 


Create your own local repository and solve yum related problems

November 22, 2010 2 comments

From RHEL 5.0 onwards, Red Hat introduced YUM, which makes it very easy to install an rpm without worrying about dependency problems. YUM takes care of dependencies by selecting all the dependent RPMs to install from a central repository, either from Red Hat or from a third-party repository such as Oracle's, or you can create your own repository if you want to use YUM offline.

YUM: – Yellowdog Updater, Modified (YUM)

In the first section we will discuss how to create your own local repository.

1. Insert your Red Hat installer DVD into the DVD-ROM drive.

2. Mount the DVD by

[root@localhost ~]# mount /dev/cdrom /media

3. Create a folder of your choice. In my case I have created /home/rpms

4. Copy all the RPMs from /media/Server/ to the /home/rpms folder

[root@localhost ~]#mkdir /home/rpms
[root@localhost ~]#cp -rv /media/Server/*  /home/rpms

6. Now look for the folder /etc/yum.repos.d. If the directory exists, the YUM package is already installed, so you can skip this step and just need to configure it. If it is not there, you have to install the yum and yum-utils packages. Also install one RPM called createrepo.

[root@localhost rpms]# cd /media/Server/
[root@localhost Server]# rpm -ivh yum-3.0.1-5.el5.noarch.rpm
[root@localhost Server]# rpm -ivh yum-utils-1.0.4-3.el5.noarch.rpm
[root@localhost Server]# rpm -ivh createrepo-0.4.4-2.fc6.noarch.rpm

7. Once the YUM packages are installed, you will get the /etc/yum.repos.d folder. Go inside the folder and open every .repo file present there. In each .repo file, search for

enabled = 1

and replace it with

enabled = 0

This disables the default repository locations. Alternatively, you can delete all the repo files.

8. Edit the /etc/yum.conf file and change the following line:

keepcache=0 to keepcache=1

9. Now prepare the directory /home/rpms to act as a repository. For this we run the command

[root@localhost ~]# createrepo -p /home/rpms

This command will take some time to finish. Once it has finished, you will see that a directory called repodata has been created inside the /home/rpms directory.

If an error such as “Cannot delete .olddata” appears, you have to remove it manually with “rm -rf /home/rpms/.olddata”.

10. Now create a file myrepo.repo inside the /etc/yum.repos.d folder

[root@localhost ~]# touch /etc/yum.repos.d/myrepo.repo

11. Put the following contents inside the myrepo.repo file

[myrepo]
name=My Local Repo
baseurl=file:///home/rpms
enabled=1
gpgcheck=0

Save the file and exit.

Now your repository is ready. Before running any installation, first clean the cache with

[root@localhost ~]# yum clean all

Now you can install anything, for example

[root@localhost ~]# yum install httpd

You will get a screen like the one below, where you have to answer “y” or “n”.

N.B.: Here I have used the file:// protocol as the base URL. You can use ftp:// or http:// if you have a remote repository location.
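
The gpgcheck=0 line in myrepo.repo turns off RPM signature verification for that repository, which matters most once the baseurl is ftp:// or http:// instead of a local directory. The script below is an added example, not part of the original post: it lists every repository section that is enabled and sets gpgcheck=0. The function name, the sample files and the gpgkey path in them are constructed for the illustration.

```shell
#!/bin/sh
# Added example: report yum repositories that are enabled but skip
# RPM signature verification (gpgcheck=0), as in the myrepo.repo above.

# audit_repo_gpgcheck FILE...
# Prints one line per offending section:
#   <file>: [<section>] enabled, gpgcheck=0
audit_repo_gpgcheck() {
    awk '
        # Report the section that just ended, if it is enabled and unsigned.
        function report() {
            # "enabled" defaults to 1 when the key is absent from a section.
            if (section != "" && enabled != "0" && gpgcheck == "0")
                print secfile ": [" section "] enabled, gpgcheck=0"
        }
        FNR == 1 && NR != 1 { report(); section = "" }  # next file starts
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # [section] header
            report()
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            secfile = FILENAME
            enabled = ""; gpgcheck = ""
            next
        }
        index($0, "=") > 0 {                            # key = value
            key = $0; sub(/[=].*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t\r]/, "", val)
            if (key == "enabled")  enabled = val
            if (key == "gpgcheck") gpgcheck = val
        }
        END { report() }
    ' "$@"
}

# Demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/myrepo.repo" <<'EOF'
[myrepo]
 name=My Local Repo
 baseurl=file:///home/rpms
 enabled=1
gpgcheck=0
EOF
cat > "$demo_dir/vendor.repo" <<'EOF'
# constructed sample; the gpgkey path is a placeholder
[vendor-off]
enabled = 0
gpgcheck = 0
[vendor-signed]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
EOF
audit_repo_gpgcheck "$demo_dir"/*.repo   # only [myrepo] is reported
rm -rf "$demo_dir"
```

On a real system the function would be run as audit_repo_gpgcheck /etc/yum.repos.d/*.repo. A section that has no gpgcheck line at all takes its value from /etc/yum.conf and is not reported here.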

Common Errors and their solutions

1)Errno 256:Metadata file does not match checksum

Solution:

1) Edit /etc/yum.conf and add the following line

http_caching=packages

2) Run "yum clean metadata"

3) Retry the yum install

2)“TypeError: rpmdb open failed” or “TypeError: rpmdb unable to join the environment”

Solution:

# yum clean all
# rm -f /var/lib/rpm/__db*
# rpm --rebuilddb
# yum update

3)ValueError: need more than 1 value to unpack

Solution:

#yum clean all

#yum clean metadata

#yum clean dbcache

 

and then execute

#yum makecache

4)thread.error: can’t start new thread

Solution:

#rm /usr/lib/yum-plugins/threading.py

#yum update

5)[Errno -3] Error performing checksum

Solution:

#createrepo -v -s sha1 <repository location>

#yum clean all

6)TypeError: unsubscriptable object

Solution:

#yum clean metadata

#yum update

Missing dependency error

Solution:

#yum clean all

#yum update

7)Yum install GPG error

Solution:

#rpm --import /etc/pki/rpm-gpg/RPM*

8)Error: Cannot retrieve repository metadata (repomd.xml)

Solution:

This is a network issue. Please check the DNS, proxy, etc. settings.


Step by step explanation of Linux boot sequence

October 19, 2010 25 comments

In this topic we will discuss the Linux boot sequence in depth. How does a Linux system boot? This will help administrators in troubleshooting boot-up problems. Before discussing it, I will note down the major components responsible for the booting process that we need to know.

        1.BIOS(Basic Input/Output System)

        2.MBR(Master Boot Record)

        3.LILO or GRUB

             LILO:-LInux LOader

             GRUB:-GRand Unified Bootloader

        4.Kernel

        5.init

        6.Run Levels

1.BIOS:

      i. When we power on, the BIOS performs a Power-On Self-Test (POST) on all of the different hardware components in the system to make sure everything is working properly.

     ii. It also checks whether the computer is being started from an off position (cold boot) or from a restart (warm boot).

     iii. It retrieves information from the CMOS (Complementary Metal-Oxide Semiconductor), a battery-operated memory chip on the motherboard that stores the time, date, and critical system information.

     iv. Once the BIOS sees that everything is fine, it begins searching for an operating system boot sector on a valid master boot sector on all available drives, such as hard disks, CD-ROM drives, etc.

     v. Once the BIOS finds a valid MBR, it gives the instruction to boot and executes the first 512-byte boot sector, that is, the first sector (“Sector 0”) of a partitioned data storage device such as a hard disk or CD-ROM.

2.MBR

     i. Normally we use a multi-level boot loader. Here, by MBR I am referring to the DOS MBR.

     ii. After the BIOS executes a valid DOS MBR, the DOS MBR searches for a valid primary partition marked as bootable on the hard disk.

     iii. If the MBR finds a valid bootable primary partition, it executes the first 512 bytes of that partition, which is the second-level MBR.

     iv. In Linux we have two types of the above-mentioned second-level MBR, known as LILO and GRUB.

3.LILO

     i. LILO is a Linux boot loader which is too big to fit into a single sector of 512 bytes.

     ii. So it is divided into two parts: an installer and a runtime module.

     iii. The installer module places the runtime module on the MBR. The runtime module has the information about all the operating systems installed.

     iv. When the runtime module is executed, it selects the operating system to load and transfers control to the kernel.

     v. LILO does not understand filesystems; it treats the boot images to be loaded as raw disk offsets.

GRUB

     i.GRUB MBR consists of 446 bytes of primary bootloader code and 64 bytes of the partition table.

     ii. GRUB locates all the operating systems installed and gives a GUI to select the operating system that needs to be loaded.

     iii. Once the user selects the operating system, GRUB passes control to the kernel of that operating system. See below for the differences between LILO and GRUB.

4.Kernel

     i. Once GRUB or LILO transfers control to the kernel, the kernel does the following tasks:

  • Initialises devices and loads the initrd module
  • mounts root filesystem

5.Init

     i.The kernel, once it is loaded, finds init in sbin(/sbin/init) and executes it.

     ii.Hence the first process which is started in linux is init process.

     iii.This init process reads /etc/inittab file and sets the path, starts swapping, checks the file systems, and so on.

     iv.It runs all the boot scripts(/etc/rc.d/*,/etc/rc.boot/*)

     v.starts the system on specified run level in the file /etc/inittab

6.Runlevel

     i. There are 7 run levels in which the Linux OS runs, and different run levels serve different purposes. The descriptions are given below.

  • 0  – halt
  • 1  – Single user mode
  • 2  – Multiuser, without NFS (The same as 3, if you don’t have networking)
  • 3  – Full multiuser mode
  • 4  – unused
  • 5  – X11
  • 6  – Reboot

     ii. We can set the run level in which we want to run our operating system by defining it in the /etc/inittab file.

Now, as per our setting in /etc/inittab, the operating system boots up and finishes the boot-up process.

Given below are a few important differences between LILO and GRUB.

LILO | GRUB
LILO has no interactive command interface | GRUB has interactive command interface
LILO does not support booting from a network | GRUB does support booting from a network
If you change your LILO config file, you have to rewrite the LILO stage one boot loader to the MBR | GRUB automatically detects any change in config file and auto loads the OS
LILO supports only linux operating system | GRUB supports large number of OS

To know more about the booting process you can follow the link below
http://www.ibm.com/developerworks/linux/library/l-linuxboot/


Give access of a super user to a normal user—Sudo user

Normally, when you are installing RHEL on a system, the post-installation stage asks you to create a normal user, and if you do not create one it gives a warning message. The root user is the most powerful user in the system and can do everything. So in a real-world environment it is advised that, if you have installed Linux on a server, you should not give root access to any user, even though he may be a giant in Linux. If you give root access to someone else, you no longer have any control over the server. If tomorrow the server crashes or reboots because of the wrong usage of a command, you will be helpless.

That said, people may sometimes need root access to the server for a particular task, like restarting the apache service or running some scripts. Here, as a system admin, you have to provide them with specific access so that it won't affect the whole server.

To achieve this purpose we use the concept of a sudo user.

So what is a sudo user?

A sudo user is a root-like user who can be permitted to execute specific commands, or all commands, that the superuser can execute.

You may now think: if we give all permissions to a sudo user, what is the difference between the sudo user and root?

The only difference I can think of is that whenever we execute a command using sudo, the system keeps a log of that command, which is not the case for root.

One more thing is that the system asks for a password when we run a command with sudo. That gives the user time to verify the command, which is helpful when running a command like rm -rf *.

The sudo concept is mainly used in situations where a normal user needs to do some administrative operations, but not all operations.

Now how can we make a normal user a sudo user?

To make a user a sudo user, log in to the server as root and execute the following command.

     #visudo

This command will open a read-only file /etc/sudoers where you can define the access for a normal user.

There are two scenarios for a user to be a sudo user.

    1. Give all access as root user
    2. Give specific access to a user to run on specific mach

Give all access as root user:-

To do this in /etc/sudoers file search for a line

     root       ALL=(ALL)            ALL

This line means that the user root can execute from ALL terminals, acting as ALL users, and run ALL commands.

Then append a line for the user, let's say bob:

     bob     ALL=(ALL)     ALL

You can separate multiple users with commas.

     bob , chalres   ALL=(ALL)    ALL

To give a user a specific permission, let's say user bob can only restart the apache server, append the line below to the /etc/sudoers file.

     bob localhost=/etc/init.d/apache restart

To give user permission to do multiple operations we can append a line like following

     bob ALL= /bin/kill, /etc/init.d/httpd

As mentioned above, each command run through sudo gets logged by the system. To see that, run a command as a sudo user and check the log file /var/log/secure.

As the bob user, execute

     #sudo /etc/init.d/httpd restart

Then check the log file with

     #tail -f /var/log/secure
     Output:- Aug 28 03:21:30 sudo:       bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/httpd restart
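
The log line above can be turned into records and compared with what the sudoers rule for bob (/bin/kill and /etc/init.d/httpd) is meant to allow. The script below is an added example, not part of the original post: the function names are hypothetical, and every sample log line except the first, which is the one shown above, is constructed.

```shell
#!/bin/sh
# Added example: turn sudo entries from /var/log/secure into records and
# compare them with what a sudoers rule is supposed to allow.

# parse_sudo_log FILE...
# Output, tab-separated: user, run-as user, status, command
#   status is "ok", or the refusal reason sudo logged before TTY=
parse_sudo_log() {
    awk '
        / sudo(\[[0-9]+\])?: / {
            rest = $0
            sub(/^.* sudo(\[[0-9]+\])?: +/, "", rest)
            i = index(rest, " ; COMMAND=")
            if (i == 0) next                 # not a command record
            cmd  = substr(rest, i + 11)      # text after " ; COMMAND="
            head = substr(rest, 1, i - 1)    # "bob : TTY=... ; USER=root"

            user = head; sub(/ +:.*/, "", user)
            body = head; sub(/^[^:]*: +/, "", body)
            status = "ok"
            if (body !~ /^TTY=/) { status = body; sub(/ ;.*/, "", status) }

            runas = "?"
            if (match(head, /; USER=[^ ;]+/))
                runas = substr(head, RSTART + 7, RLENGTH - 7)
            print user "\t" runas "\t" status "\t" cmd
        }
    ' "$@"
}

# flag_sudo_records USER "EXE EXE ..."   (reads parse_sudo_log output on stdin)
# Prints the commands of USER that sudo refused (DENIED) or whose
# executable is missing from the allow-list (UNLISTED).
flag_sudo_records() {
    awk -F '\t' -v user="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (j = 1; j <= n; j++) ok[a[j]] = 1 }
        $1 == user {
            exe = $4; sub(/ .*/, "", exe)    # executable without arguments
            if ($3 != "ok")        print "DENIED\t" $4
            else if (!(exe in ok)) print "UNLISTED\t" $4
        }
    '
}

# Demo: the first line is the one from the post, the rest are constructed.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Aug 28 03:21:30 sudo:       bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/httpd restart
Aug 28 03:25:02 web01 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/kill -HUP 2211
Aug 28 03:26:40 web01 sudo:      bob : command not allowed ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Aug 28 03:31:09 web01 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Aug 28 03:32:00 web01 sshd[4120]: Accepted password for bob from 192.168.1.5 port 51515 ssh2
EOF
parse_sudo_log "$demo_log" | flag_sudo_records bob "/bin/kill /etc/init.d/httpd"
rm -f "$demo_log"
```

An UNLISTED record means sudo allowed a command that the intended rule does not cover, which usually points to a broader line in /etc/sudoers than the one you meant to grant.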

For advanced users,

Concept of Sudo:-

Try this experiment

1) Log in as root in tty1, and log in as bob in tty2.
2) In tty2 execute a sample command ‘# vi abc’. Go to tty1 and execute # ps -Alf
3) In tty2 execute a sample command ‘# sudo vi abc’. Go to tty1 and execute # ps -Alf

Now examine the third field of the output of step 1 & 2

You will see that when a user runs something as a sudo user, it is practically running that command with the root user's gid.

Install GNOME or KDE desktop environment from the CLI mode

September 21, 2010 2 comments


Yesterday I got a request from my users that they need a graphical interface installed on the server, as they require it for their project work. I knew that this is very simple to install using yum groupinstall, but the problem I faced was terrific. As this was our internal server, it was not connected to the internet, and it was a VM on VMware, hence no physical optical drive was present. Below are the steps by which I got it to work.

  1. Mount the ISO image of CD/DVD to your system. If you have a physical system you can insert the CD/DVD and mount or else you have to virtually mount this.

    mount /dev/cdrom /mnt
  2. Create one directory and put all the contents of the Server directory into it.

    mkdir /repository

    cp  -rvf  /mnt/Server/*  /repository/
  3. Unmount the CD/DVD drive.        
    umount /mnt

    If you face any problem in unmounting you can use the command        

    umount   -l /mnt

  4. Go inside the /repository folder and install all the createrepo packages.

    rpm -ivh createrepo*
  5. Now go inside the folder /etc/yum.repos.d/ and create a file called myrepo and put the following contents into the file
      [base]
           name=Red Hat Enterprise Linux $releasever - $basearch - Debug
           baseurl=file:///repository/
           enabled=1
           gpgcheck=0
    
  6. Now go inside the /repository folder and check whether the package yum-utils is present there or not.
          cd /repository
            ls -l | grep yum-utils

    This package is responsible for making groups of packages.

  7. If it is not there, you have to download it, keep it inside this folder (/repository) and install it. You can download it from http://rpm.pbone.net/ . This website has an advanced search option where you can download packages specific to a particular OS version.
  8. Use createrepo command to create your repository
    createrepo   /repository/
    
  9. Now after creation of repository and installation of the package yum-utils you can try the command

    yum grouplist

    The output will list you some groups like given below

     Loading "rhnplugin" plugin
     Loading "installonlyn" plugin
     Setting up Group Process
     Setting up repositories
     rhel-debuginfo            100% |=========================| 1.1 kB    00:00
     Installed Groups:
               MySQL Database
               Editors
               System Tools
               FTP Server
               Network Servers
               Printing Support
               Mail Server
               Server Configuration Tools
     Available Groups:
               Administration Tools
               GNOME Software Development
               X Software Development
               GNOME Desktop Environment
               Authoring and Publishing
               Games and Entertainment
               X Window System
               KDE Software Development
               KDE (K Desktop Environment)
               Sound and Video
               Graphical Internet
               Done
  10. If you are not able to see output like that given above, then you need an XML file called comp.xml to create your own group. If you don't know how to create the XML file, you can use the following link to create the comp.xml file.
  11. http://cooker.wbitt.com/index.php/Example_comps.xml_file

  12. After placing the comp.xml file inside the /repository directory, you have to recreate the repository.
    createrepo /repository
  13. Now run the command yum grouplist and you will see the output as below
    yum grouplist

    Sample output:

     Setting up Group Process
     Setting up repositories
     rhel-debuginfo            100% |=========================| 1.1 kB    00:00
     Installed Groups:
              Printing Support
     Available Groups:
              GNOME Desktop Environment
              X Window System
              Graphical Internet
     Done
    
  14. Now you can install the groups listed above. To install the GNOME Desktop Environment you can use the simple command
yum groupinstall "GNOME Desktop Environment"

Now you can use startx to see your graphical GNOME desktop screen.

Similarly, you can install the KDE desktop environment. You just need to change the XML file and give the command

yum groupinstall "KDE (K Desktop Environment)"


Best Practices to secure a OPENSSH/SSH Server

What are you using for remote connection?
For Linux users there are two protocols for remote connection. One is telnet and the other is ssh.
People use telnet to connect to a remote host, but the problem with telnet is that the whole communication between the local host and the remote host is sent in clear text, which anyone can see by running a packet sniffer and capturing the packets. Hence telnet is not secure.
To avoid this security risk we use OpenSSH. OpenSSH uses the SSH (Secure Shell) protocol, which is fully secure as it uses strong encryption like 3DES, Blowfish and AES, and it also uses public/private key pairs for authentication.
N.B.: Make every change described below by following these precautions.

a. Open two terminals, one for the experiment and the other for safety in case sshd shows some problem

b. Take a backup of the configuration files

c. After each change, reload the SSH service only after testing the configuration. You can test it by executing

                         /usr/sbin/sshd -t

d. If the above command reports an error in the configuration file, revert to the original config file to prevent yourself from getting disconnected.


When configuring SSH, the default files we need to edit are

i. /etc/ssh/sshd_config – Configuration file for the SSH server side.

ii. /etc/ssh/ssh_config – Configuration file for the client side.

iii. ~/.ssh/ – The directory where all the SSH key pairs and the authorization file stay

iv. /etc/nologin – If this file exists, sshd refuses all logins except root logins

Now we come to our topic of configuring a secure SSH server. To make your server secure you can follow the points below. Before changing anything in the default configuration, always make a backup copy of the config files you wish to edit.
1. Change the default port number

By default sshd runs on port 22. The vast majority of ssh attacks are directed by compromised zombie machines against ssh servers listening on the default port of 22. Your first task is to change the port for ssh. To do this, follow the steps below

a. Open the /etc/ssh/sshd_config file

b. Search for the line containing Port 22

c. Edit that line to Port 2222 (here port 2222 is my choice; you can use yours)

d. Save

2. Listen to specific IP Address

In most cases you need to connect to your server from your office network or from some specific machine. If you can make sshd listen to those specific IP addresses and reject others, you will minimize the risk of getting attacked from the outside world. To do this

a. Open the /etc/ssh/sshd_config file

b. Search for the line which says

ListenAddress *

c. Now comment out the above line and make entries as per your criteria. Let's say I want to give access to 192.168.1.1 and 192.168.1.2; then I have to add the following two lines

ListenAddress 192.168.1.1

ListenAddress 192.168.1.2

3. Now you need to update the iptables rules to allow your allowed IPs (192.168.1.1, 192.168.1.2) to communicate with the custom port (port 2222 in my case).

4. You can also use the iptables throttling feature to throttle the incoming connections

5. Limit the users (allow or deny) who can access by username
We have already seen how we can limit the IP addresses which can connect to the SSH server. We may have multiple users on a single system, some of whom do not need access. So we have to restrict those users' access. To do so, we can follow these steps

a. Open the /etc/ssh/sshd_config file

b. Add the following line to allow specific users. For example, to allow the users root, hari and prit

AllowUsers root hari prit

c. We can also allow specific groups. To allow a group called sshaccess, add the line

AllowGroups sshaccess

d. Similarly, if we want to deny some specific users or groups the use of ssh, we can add deny lines. Ex: if I want to deny the users navin and amiya and the group kopex, I have to add the lines

     DenyUsers navin amiya

     DenyGroups kopex

How you set up user access control is entirely up to you.


6. Do not allow root login
As we know the power of root, we should not allow the root user to log in; rather, we should create some sudo users and limit them to specific tasks. Also, if someone needs to work as root, they can use the su command. To disable root login

a. Open the /etc/ssh/sshd_config file

b. Uncomment the following line

        PermitRootLogin no

7. Disable Empty Passwords
You should not allow remote login from accounts with empty passwords. If you do, there is a chance that some bots will try to log in continuously and damage your system. To do this

a. Open the /etc/ssh/sshd_config file

b. Edit the line containing PermitEmptyPasswords to no

        PermitEmptyPasswords no

8. Configure client idle Timeout Interval
You can set an idle time interval for users who log in through SSH, so that if someone has forgotten to log out from a session, the system will log him out immediately. To do this

a. Open the /etc/ssh/sshd_config file

b. Set these two lines as per your requirement (180 is in seconds)

               ClientAliveInterval 180
               ClientAliveCountMax 0

9. Disable Host-Based Authentication
Avoid using this method, because once you add a host it does not ask for any kind of password to log in. To disable host-based authentication, do the following steps

a. Open the /etc/ssh/sshd_config file

b. Edit the entry HostbasedAuthentication in the file as below

                     HostbasedAuthentication   no

10. Always use the latest version of SSH, as the latest version will have patches and more security features, which makes your job easy; otherwise you have to apply the latest patch from the vendor.

11. Use strong SSH passwords and passphrases so that they won't be easy for someone to crack. You can check your password strength using the john the ripper tool

12. Use Authentication based on only public/private keys
You can also disable passwords and use public/private key pairs to log in to the remote system. But it is advisable to protect your keys with strong passphrases, so that if someone takes your key he still needs to know the passphrase to log in

To disable password logins, add the following to sshd_config:
                                                   PasswordAuthentication no

13.  Restrict users to their home directories
Using some tools or chroot concept you can restrict users to their home directories so that they cannot move or delete the configuration and system files.

14. Allow/Deny using TCP Wrappers
As sshd is linked with the library libwrap.so, we can use TCP wrappers. We can allow/deny specific IPs/hosts by putting entries into the /etc/hosts.allow and /etc/hosts.deny files. For that we need to put an entry at the end of the file like
               sshd : 192.168.1.5 192.168.1.8

to allow or deny the IPs 192.168.1.5 and 192.168.1.8 connecting to the server using SSH.

15. Disable .rhosts Files
The rhosts file specifies which remote computers or users can access a local account using the rsh or rcp commands. So you can disable this. To disable this

a. Open the /etc/ssh/sshd_config file

b. Search for the line containing IgnoreRhosts and set it to yes

         IgnoreRhosts  yes

16. Reduce MaxStartups
MaxStartups is the ability of the SSH server to handle unauthorized access to a server at a given instance. This will help against a coordinated attack from different servers at the same time. To achieve this

a. Open the /etc/ssh/sshd_config file

b. Search for the line containing MaxStartups and replace it with

MaxStartups 4:10:8


Here 4:10:8 tells the ssh server to “allow 4 users to attempt logging in at the same time, and to randomly and increasingly drop connection attempts between 4 and the maximum of 8”. Note: this should be increased on servers with substantial numbers of valid ssh users logging in.

17. Hide openssh version
This step applies not only to SSH but to all the services running on the system. No tool, software or package is free of bugs, which is why people release different versions. If you are running an older version of SSH and a hacker knows this, he will first try to find the bugs in that version and, using that information, may attack the particular port. To achieve this you have to make changes in the source code of ssh and recompile it.

18. Forward X11 only if needed
By default, the X11Forwarding directive is set to yes. If you don't need this, set it to no. To disable this

a. Open the /etc/ssh/sshd_config file

b. Search for X11Forwarding and edit it as

X11Forwarding   no


For X11 forwarding to work, the ForwardX11 declaration or the ForwardX11Trusted declaration must also be set to yes in the /etc/ssh/ssh_config client configuration file. So to disable it you can set it to no in this file.

19. Enable a Warning Banner
Set a warning banner for ssh connections, in consultation with your legal advisor, in order to warn authorized users what legal action you can take against them. To do this, define in the sshd_config file the location of a text file which contains the warning messages. To do this

a. Open the /etc/ssh/sshd_config file

b. Search for the line containing Banner and edit it as given below

Banner /etc/issue

Now you can edit the /etc/issue file to put your warnings.

20. Use Logwatch
Make sure to set LogLevel to INFO or DEBUG in sshd_config. I recommend keeping it INFO as it will give you more details. You can use logwatch to manage the SSH logs. To do this

a. Open the /etc/ssh/sshd_config file

b. Change the line containing LogLevel to INFO

LogLevel INFO
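
The yes/no settings from the checklist above can be checked in one pass. The script below is an added example, not part of the original post: the function name and the sample configuration are constructed. It relies on two sshd_config rules, that keywords are case-insensitive and that the first value read for a keyword is the one used, and it stops at the first Match block because settings there apply only conditionally.

```shell
#!/bin/sh
# Added example: check an sshd_config against the yes/no settings
# recommended in the checklist above. This is a static check of one file;
# still run /usr/sbin/sshd -t before reloading the service.

# audit_sshd_config FILE
# Prints "WEAK <keyword>=<value> (want <value>)" for a differing value and
# "UNSET <keyword> (want <value>)" when the keyword is not set globally.
audit_sshd_config() {
    awk '
        BEGIN {
            # Recommended values, keywords lower-cased for comparison.
            want["permitrootlogin"]         = "no"
            want["permitemptypasswords"]    = "no"
            want["hostbasedauthentication"] = "no"
            want["ignorerhosts"]            = "yes"
            want["x11forwarding"]           = "no"
            want["passwordauthentication"]  = "no"
            order = "permitrootlogin permitemptypasswords hostbasedauthentication"
            order = order " ignorerhosts x11forwarding passwordauthentication"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }              # conditional part: stop, END still runs
        !(key in seen) {                     # first value for a keyword wins
            seen[key] = 1
            val[key] = tolower($2)
        }
        END {
            n = split(order, k, " ")
            for (i = 1; i <= n; i++) {
                if (!(k[i] in seen))
                    print "UNSET " k[i] " (want " want[k[i]] ")"
                else if (val[k[i]] != want[k[i]])
                    print "WEAK " k[i] "=" val[k[i]] " (want " want[k[i]] ")"
            }
        }
    ' "$1"
}

# Demo on a constructed configuration file.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
#X11Forwarding no
X11Forwarding yes
PasswordAuthentication yes
IgnoreRhosts yes
Match User backup
    HostbasedAuthentication no
EOF
audit_sshd_config "$demo_cfg"
rm -f "$demo_cfg"
```

An UNSET result means the effective value is whatever default the installed OpenSSH version uses, so set the keyword explicitly rather than relying on it.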


What else you can do?

–Install some security tools to protect your server from brute force attack

–Patch your operating system

–Remove unnecessary packages / software.

–Harden the kernel against synflood and basic DOS attacks.

–Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).

–Ensure /tmp is in its own partition with noexec, nosuid.

–Ensure kernel and software is up to date.

–Remove unnecessary users and groups.

–Install chkrootkit and tripwire.