We want to host a Git repository on a Mac OS X Snow Leopard machine, using MacPorts to install Git. The repository is reached over SSH.
We also harden SSH access by prohibiting password authentication in favour of key-only authentication. Every user who should be able to reach the repository therefore needs a key pair, generated with
ssh-keygen -t rsa
and kept in their own ~/.ssh directory; the private key never leaves the client. Only the public key is copied to the server, where it is appended to ~/.ssh/authorized_keys of the git user.
—————————————-
I. Getting GIT up and running with a ssh git user
1. Install Git on Mac OS X Snow Leopard via MacPorts (www.macports.org)
sudo port install git-core
2. Create a git user and group
a. Find an unused uid and gid:
sudo dscl . -list /Users UniqueID
sudo dscl . -list /Groups PrimaryGroupID
(check that the number you pick, say 490, is unused in both lists)
b. Create the git group:
sudo dscl . -create /Groups/git
sudo dscl . -create /Groups/git PrimaryGroupID 490
c. Create the git user (Password '*' leaves the account without a usable password, which is what we want for key-only access):
sudo dscl . -create /Users/git
sudo dscl . -create /Users/git UniqueID 490
sudo dscl . -create /Users/git PrimaryGroupID 490
sudo dscl . -create /Users/git NFSHomeDirectory /Users/git
sudo dscl . -create /Users/git UserShell /bin/bash
sudo dscl . -create /Users/git Password '*'
3. Create the git home directory (this location must match the NFSHomeDirectory set in step 2c)
sudo mkdir /Users/git
sudo chown git:git /Users/git
sudo chmod 755 /Users/git
4. Add the public keys of the user(s)
cd /Users/git
sudo su git
mkdir .ssh
chmod 700 .ssh
cd .ssh
(assuming the public key of user A is in /tmp/a.pub)
cat /tmp/a.pub >> authorized_keys
chmod 600 authorized_keys
(repeat the cat for every user, one key per line, then exit back to your admin account)
The chmod steps are not cosmetic: with StrictModes yes (set below), sshd refuses to use authorized_keys if the home directory, .ssh or authorized_keys is writable by group or others, and since password logins are disabled the only symptom is a rejected key.
5. Configure /etc/sshd_config for key-only access
sudo vim /etc/sshd_config and set:
Port 22
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM no
Subsystem sftp /usr/libexec/sftp-server
UseDNS no
PasswordAuthentication no on its own is not enough: if ChallengeResponseAuthentication is left at its default of yes, sshd still offers keyboard-interactive authentication, which prompts for a password. RSAAuthentication only concerns protocol 1 and is irrelevant once Protocol 2 is set; it does no harm.
6. Restart the ssh daemon
sudo /sbin/service ssh stop
sudo /sbin/service ssh start
Keep your current session open while you do this and test a fresh key login from a second terminal; if it fails you can still repair the configuration from the session that is already established.
7. Make sure the MacPorts git binaries are in the PATH of the git user. Which startup file bash reads depends on how the shell was started (an interactive login versus the non-interactive shell sshd spawns for git push and git clone), so put the PATH in both .bashrc and .bash_login (run this as the git user so the files are owned by git):
echo "export PATH=/opt/local/libexec/git-core:/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin" > /Users/git/.bashrc
cp /Users/git/.bashrc /Users/git/.bash_login
8. Create a directory for your repositories in the git home directory (as the git user)
mkdir /Users/git/repos
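The two steps above that most often go wrong in practice are the authorized_keys permissions (StrictModes) and an sshd_config that still leaves a password path open. The following script is an added example, not part of the original howto: add_authorized_key appends a key idempotently and sets the permissions sshd requires, and audit_sshd_config checks a configuration file for the key-only settings of step 5, reading only the first occurrence of each keyword the way sshd does. All paths are parameters so it can be rehearsed in a scratch directory; the real targets are /Users/git and /etc/sshd_config. The hardened_sshd_config function and the key strings in the usage note are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original howto. Helpers for the steps that
# key-only SSH access depends on. HOMEDIR stands in for /Users/git and
# FILE for /etc/sshd_config.

# add_authorized_key HOMEDIR PUBKEYFILE
# Appends the key in PUBKEYFILE to HOMEDIR/.ssh/authorized_keys unless the same
# key material is already there, and sets the permissions sshd demands under
# StrictModes yes: home not group/world writable, .ssh 700, authorized_keys 600.
# Returns 0 when the key was added, 1 when it was already present.
add_authorized_key() {
    home="$1"; pub="$2"
    akf="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    touch "$akf"
    chmod 600 "$akf"
    # Compare key type + base64 body only, so the same key with a different
    # trailing comment (user@host) is not added twice.
    keybody=$(awk 'NF >= 2 {print $1" "$2; exit}' "$pub")
    if awk 'NF >= 2 {print $1" "$2}' "$akf" | grep -qxF "$keybody"; then
        return 1
    fi
    # printf guarantees exactly one newline even if PUBKEYFILE lacks one,
    # so the next appended key cannot end up glued onto this line.
    printf '%s\n' "$(cat "$pub")" >> "$akf"
    return 0
}

# audit_sshd_config FILE
# Prints every key-only setting that is missing or wrong, one per line, and
# returns 1 if there is any. Like sshd, only the first occurrence of a keyword
# counts and keywords are case-insensitive; commented lines are ignored.
audit_sshd_config() {
    cfg="$1"; rc=0
    for want in "Protocol 2" "PermitRootLogin no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no" "ChallengeResponseAuthentication no" \
                "PermitEmptyPasswords no" "UsePAM no" "StrictModes yes"; do
        key=${want%% *}; val=${want#* }
        got=$(awk -v k="$key" \
              '$1 !~ /^#/ && tolower($1) == tolower(k) {print $2; exit}' "$cfg")
        if [ "$got" != "$val" ]; then
            echo "$key: expected $val, found ${got:-nothing}"
            rc=1
        fi
    done
    return $rc
}

# hardened_sshd_config
# Constructed sample: the settings from step 5 that the audit looks at.
hardened_sshd_config() {
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM no
EOF
}
```

Usage on the real server, after sourcing the file: `add_authorized_key /Users/git /tmp/a.pub` as the git user, then `audit_sshd_config /etc/sshd_config` before restarting sshd; a configuration that only sets PasswordAuthentication no is reported as still having ChallengeResponseAuthentication and UsePAM open.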
——————————————————
II. Creating a new repository on the server
The strategy here is to create an empty bare repository MYREPONAME.git in /Users/git/repos and to push a repository generated on the client into it.
1. Create the bare repo on the server
(ON THE SERVER, as user git, so that the repository is owned by git and not by root:)
mkdir /Users/git/repos/MYREPONAME.git
cd /Users/git/repos/MYREPONAME.git
git init --bare
git update-server-info
cp hooks/post-update.sample hooks/post-update
chmod a+x hooks/post-update
touch git-daemon-export-ok
(update-server-info, the post-update hook and git-daemon-export-ok are only needed if the repository is also to be served by git-daemon or over plain HTTP; for SSH-only access they are harmless but not required.)
2. Create the local repo on the client
(ON THE CLIENT:)
mkdir MYREPONAME
cd MYREPONAME
git init
echo "Sample" > sample.txt (or, indeed, copy existing code here)
git add .
git commit -m "Init"
3. Now push the local repository to the server
(ON THE CLIENT:)
git push git@GITSERVER:/Users/git/repos/MYREPONAME.git master
(A path that does not start with / is taken relative to the git user's home directory, so git@GITSERVER:repos/MYREPONAME.git works too. If the push is refused with "Permission denied (publickey)", the client's key is not in authorized_keys or the permissions on /Users/git, .ssh and authorized_keys are wrong.)
4. And, of course, cloning works as easily as:
git clone git@GITSERVER:/Users/git/repos/MYREPONAME.git
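The whole Part II round trip can be rehearsed without sshd by using a local path in place of git@GITSERVER:/Users/git/repos. The script below is an added example, not part of the original howto: it builds the bare repository exactly as in step 1, performs the client-side init, commit and push of steps 2 and 3, and clones the result as in step 4. REPOS and WORKDIR are stand-ins for /Users/git/repos and the client's MYREPONAME directory. It also covers one caveat the howto predates: git 2.28 and later may point HEAD of a fresh repository at a branch other than master (init.defaultBranch), and a clone of a bare repository whose HEAD names a branch that does not exist checks out nothing, so the script pins HEAD to master.

```shell
#!/bin/sh
# Added example, not from the original howto. Part II against a local path
# so the server layout and the push can be rehearsed without SSH.

# create_bare_repo REPOS NAME -> creates REPOS/NAME.git as in Part II, step 1
create_bare_repo() {
    bare="$1/$2.git"
    mkdir -p "$bare"
    git init -q --bare "$bare"
    # Pin HEAD to master: the howto pushes master, and on git >= 2.28 a fresh
    # repository may otherwise have HEAD pointing at a branch that never gets
    # created, which makes later clones check out nothing.
    git --git-dir="$bare" symbolic-ref HEAD refs/heads/master
    (
        cd "$bare" || exit 1
        # update-server-info, the post-update hook and git-daemon-export-ok
        # only matter for git-daemon / dumb-HTTP serving; harmless over SSH.
        git update-server-info
        if [ -f hooks/post-update.sample ]; then
            cp hooks/post-update.sample hooks/post-update
            chmod a+x hooks/post-update
        fi
        touch git-daemon-export-ok
    )
}

# push_initial WORKDIR REPOURL -> client side (Part II, steps 2 and 3):
# new repository, one commit, push of master into the bare repository.
push_initial() {
    mkdir -p "$1"
    (
        cd "$1" || exit 1
        git init -q
        echo "Sample" > sample.txt
        git add .
        # identity given on the command line so the rehearsal does not
        # depend on a global git config
        git -c user.name=Example -c user.email=example@example.invalid \
            commit -q -m "Init"
        git push -q "$2" HEAD:refs/heads/master
    )
}

# commits_on_master REPOURL -> number of commits on master in the bare repo
commits_on_master() {
    git --git-dir="$1" rev-list --count master
}

# clone_sample REPOURL DEST -> clones as in Part II, step 4, and prints
# the content of sample.txt from the fresh checkout
clone_sample() {
    git clone -q "$1" "$2"
    cat "$2/sample.txt"
}
```

Run it as `create_bare_repo /tmp/repos MYREPONAME; push_initial /tmp/client /tmp/repos/MYREPONAME.git; clone_sample /tmp/repos/MYREPONAME.git /tmp/clone`; on the real server only the URL changes to git@GITSERVER:/Users/git/repos/MYREPONAME.git.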