Securing Linux: Part 2
Welcome back to an exciting odyssey in making your Linux box more secure.
In the previous article we dealt with various issues like BIOS security
passwords, securing your LILO prompt with a password, restricting the use
of "setuid" and "setgid" programs etc. We also dealt with common user
habits that compromise security on networks as well as some other aspects
of securing your Linux installation.
As we mentioned earlier and repeat here, "The only secure machine is
one unplugged from the electrical point." Another point we would like to
stress is "Security is not a solution but a way of life."
Quotes apart, let's move on to the next leg of our journey.
A quick reminder before we begin: the words "daemons" and "services" are
interchangeable and mean the same thing.
We'll begin by covering a few elementary aspects of SSH; you should also
check out our more detailed article on SSH on the site.
Authentication over your local network using plain text passwords is passé.
SSH is a more secure replacement for the telnet and ftp services that you
run on your Linux server. SSH uses the public key - private key concept,
wherein the private key is generated on your machine and the public key
generated by you is distributed to those clients who would like to connect
to you remotely. Unlike telnet and ftp, SSH encrypts all the data that it
transfers over the network, hence even if someone intercepts the packets,
the information would be useless, as everything would be encrypted. This
enhances your security to a certain extent. SSH is an indispensable tool
for all those who regularly use telnet and ftp sessions either locally or
remotely to transfer data.
To install SSH you would require the following packages.
For installation of the OpenSSH and OpenSSL packages and other details,
refer to the previous article on OpenSSH installation at our site.
Now let's see how we can use SSH to connect to a remote machine and initiate
an encrypted, telnet-like session.
bash# ssh -l username my.machine.com
The command to copy files to a remote machine could be done by the