...
Example of IP Tables configuration that will only allow UT campus networks to access a system remotely via SSH. The networks listed below include various wired, wireless, and VPN networks.
Note: To access these systems from off-campus, users will need to utilize the UT VPN client available at https://vpn.utexas.edu
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 128.62.0.0/16 -j ACCEPT
-A INPUT -s 128.83.0.0/16 -j ACCEPT
-A INPUT -s 129.114.0.0/16 -j ACCEPT
-A INPUT -s 129.116.0.0/16 -j ACCEPT
-A INPUT -s 146.6.0.0/16 -j ACCEPT
-A INPUT -s 172.29.0.0/16 -j ACCEPT
-A INPUT -s 198.213.192.0/18 -j ACCEPT
-A INPUT -s 206.76.64.0/18 -j ACCEPT
-A INPUT -s 10.144.0.0/12 -j ACCEPT
-A INPUT -s 146.6.248.0/21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
System Accounts
| Anchor | ||||
|---|---|---|---|---|
|
Files/Directory Permissions/Access
- Enable system accounting (install package sysstat).
- Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
- Check in /etc/sudoers to see who has sudo rights
- Check in /etc/groups to see what groups your users belong to
- Check in /etc/passwd and/or /etc/shadow for blank passwords
- All administrator or root access must be logged.
System Access, Authentication, and Authorization
- Enable the terminal security file to restrict root logins to system console only. Do not allow root logins via SSH.
- Ensure the following are set in /etc/pam.d/other:
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
session required pam_deny.so
Warn will report alerts to syslog.