Configuring a Linux firewall from A to Z

Configuring SSH

/etc/ssh/sshd_config

# Prevent root logins:
PermitRootLogin no

SSH logins can be limited to only those users who need remote access. If you have many user accounts on the system, it makes sense to restrict remote access to the accounts that really need it; this limits the impact of a casual user with a weak password. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config. For example:

AllowUsers alice bob

then check the file with sshd -t (a syntax error would stop sshd from starting) and restart the sshd service.

# Protocol 2,1
# Allow only SSH-2. OpenSSH removed SSH-1 support in 7.6; on those versions the
# Protocol keyword is accepted but ignored.
Protocol 2

# Run ssh on a non-standard port (change 2345 to the port you chose).
# Keep comments on their own line: sshd rejects trailing text such as
# "Port 2345 #Change me" as garbage at the end of the line.
Port 2345
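The following script is an added example, not code from the original page: it parses an sshd_config the way sshd does (case-insensitive keywords, "Key value" or "Key=value", first occurrence wins, everything after the first Match line is conditional) and checks the four settings above. The sample weak and hardened files in the usage are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin, Protocol,
# AllowUsers and Port. Usage: sshd_audit /etc/ssh/sshd_config

# Print the effective global value of one sshd_config keyword.
# sshd semantics: keywords are case-insensitive, "Key value" and "Key=value"
# are both accepted, the FIRST occurrence wins, and everything after the
# first "Match" line is conditional, so it is not part of the global value.
sshd_effective() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        { sub(/^[ \t]+/, "") }                  # leading whitespace
        /^#/ || /^$/ { next }                   # comments, blank lines
        # "Key=value" -> "Key value" (only the "=" right after the keyword)
        match($0, /^[^ \t=]+[ \t]*=/) {
            $0 = substr($0, 1, RLENGTH - 1) " " substr($0, RLENGTH + 1)
        }
        tolower($1) == "match" { exit }         # rest of file is conditional
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Check the settings discussed above; one line per finding on stdout,
# return value = number of findings (0 means hardened as described).
sshd_audit() {
    f="$1"; n=0
    v=$(sshd_effective PermitRootLogin "$f")
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', expected 'no'"; n=$((n + 1))
    fi
    v=$(sshd_effective Protocol "$f")
    case "$v" in
        *1*) echo "Protocol '$v' still allows SSH-1"; n=$((n + 1)) ;;
    esac
    v=$(sshd_effective AllowUsers "$f")
    if [ -z "$v" ]; then
        echo "no AllowUsers list: every account may log in remotely"; n=$((n + 1))
    fi
    v=$(sshd_effective Port "$f")
    case "${v:-22}" in
        22) echo "Port is 22; a non-standard port is recommended above"; n=$((n + 1)) ;;
        *[!0-9]*) echo "Port '$v' is not a plain number: sshd rejects trailing text such as inline comments"; n=$((n + 1)) ;;
    esac
    return "$n"
}
```

On a live host, compare the result with sshd -T, which prints the configuration sshd actually uses after defaults and Match blocks are applied.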

Here's another example, this time using the iptables limit module to restrict new connections to the ssh port to a burst of 3, after which one more is allowed per minute:

iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --syn -j DROP

The first line accepts a new connection (a TCP SYN) to port 22 as long as the rule's token bucket is not empty: the bucket holds at most 3 tokens (--limit-burst 3) and refills at one per minute (--limit 1/m). Note that the limit match keeps a single bucket for the rule as a whole, not one per source address, so this cap applies to all clients combined: once a scanner has used up the burst, the second line DROPs every further SYN to port 22, including those from legitimate users. For a per-address limit use the hashlimit match (mode srcip) or the recent match instead.

Don't forget to change the port as appropriate if you are running ssh on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an ssh server.
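As an added example (not from the original page), the script below generates the rules above together with a per-source-address variant built on the hashlimit match. The rules are issued through $IPT so that they are printed when DRY_RUN=1 (the default) and executed when DRY_RUN=0; SSH_PORT and the hashlimit table name "ssh" are assumptions. Both rule sets only match SYN packets, so they belong after the rule accepting ESTABLISHED traffic and before any catch-all DROP in the INPUT chain.

```sh
#!/bin/sh
# Added example: SSH connection rate limiting, global (as on the page) and
# per source address. DRY_RUN=1 prints the rules instead of applying them.

SSH_PORT="${SSH_PORT:-22}"      # assumption: set to your non-standard port
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = 1 ]; then IPT="echo iptables"; else IPT="iptables"; fi

# The page's rules. `-m limit` keeps ONE token bucket for the whole rule, so
# it caps new SSH connections from everybody combined: after the burst of 3,
# a single scanner makes every other client's SYN hit the DROP rule too.
ssh_rules_global() {
    port="$1"
    $IPT -A INPUT -p tcp --dport "$port" --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$port" --syn -j DROP
}

# Per-source-address version: `-m hashlimit` in srcip mode keeps a separate
# bucket per client IP (burst of 3, refilled at 1 per minute), so one noisy
# host cannot lock out the others. "ssh" names the hashlimit table in /proc.
ssh_rules_per_ip() {
    port="$1"
    $IPT -A INPUT -p tcp --dport "$port" --syn \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-upto 1/minute --hashlimit-burst 3 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$port" --syn -j DROP
}

# usage: DRY_RUN=0 SSH_PORT=2345 sh ssh-ratelimit.sh
ssh_rules_per_ip "$SSH_PORT"
```

Run it once with the default DRY_RUN=1 and read the printed rules before applying them; with the wrong port you lock yourself out of the very service you are protecting.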

Configuring kernel parameters

/etc/sysctl.conf (apply with sysctl -p)

# kernel.exec-shield and kernel.exec-shield-randomize exist only on kernels
# carrying the Red Hat Exec-Shield patch; mainline kernels have no such sysctl
# and will report "No such file or directory" for them.
kernel.exec-shield=1
kernel.exec-shield-randomize=1
# Address-space layout randomization: 1 randomizes the stack, mmap base and
# VDSO; 2 (the default on current kernels) also randomizes the heap (brk).
kernel.randomize_va_space=2

In linux-{version}/Documentation/networking/ip-sysctl.txt you can find descriptions of the networking-related kernel parameters that can be tuned without recompiling the kernel, the so-called run-time parameters; the kernel.* parameters above are documented in Documentation/sysctl/kernel.txt of the same source tree.
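The following is an added example, not from the original page: it verifies that the sysctl values above are actually in effect by reading /proc/sys directly (no root needed) and tells a wrong value apart from a knob this kernel simply does not have, which is what happens with the exec-shield entries on a mainline kernel. SYSCTL_ROOT is an assumption added so the check can be run against a constructed directory tree; it defaults to the real /proc/sys.

```sh
#!/bin/sh
# Added example: check sysctl.conf-style "key=value" lines against the running
# kernel. Usage: sysctl_check < /etc/sysctl.conf

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"   # assumption: overridable for testing

# kernel.randomize_va_space -> $SYSCTL_ROOT/kernel/randomize_va_space
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the current value of one key, or nothing if this kernel has no such
# knob. Always returns 0 so callers can use it inside $(...) under set -e.
sysctl_get() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then cat "$p"; fi
}

# Read "key=value" lines on stdin ('#' comments and blank lines allowed).
# Prints one line per key with status ok / MISMATCH / MISSING and returns
# the number of keys that are not ok.
sysctl_check() {
    bad=0
    while IFS= read -r line; do
        line=${line%%#*}                             # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')    # strip whitespace
        [ -z "$line" ] && continue
        key=${line%%=*}; want=${line#*=}
        have=$(sysctl_get "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (no such sysctl on this kernel)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want $want, have $have"; bad=$((bad + 1))
        else
            echo "ok       $key=$have"
        fi
    done
    return "$bad"
}
```

A MISSING result for the exec-shield keys is expected on anything but an old Red Hat kernel; a MISMATCH for kernel.randomize_va_space after sysctl -p usually means a later file in /etc/sysctl.d/ or a boot parameter (norandmaps) overrides it.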
