Linux Utilities Cookbook

By: James Kent Lewis

Overview of this book

Linux is a stable, reliable and extremely powerful operating system. It has been around for many years, however, most people still don't know what it can do and the ways it is superior to other operating systems. Many people want to get started with Linux for greater control and security, but getting started can be time consuming and complicated.

A practical, hands-on guide that provides you with a number of clear step-by-step examples to help you solve many of the questions that crop up when using an operating system you may not be familiar with.

Presenting solutions to the most common Linux problems in a clear and concise way, this helpful guide starts with spicing up the terminal sessions by command retrieval and line editing, and shell prompt variables. We will then get to know the different desktops (GUIs) available for Linux systems and which is the best fit for you. We will then explore the world of managing files and directories, connectivity, and what to do when it goes wrong. We will also learn a range of skills, from creating and managing user accounts to securing your system, managing and limiting processes, and letting information flow from one process to another using pipes. Later, we will master disk management, working with scripts and automating tasks quickly, and finally, understand the need for a custom kernel and tips on how to build one.

Based on the author's extensive experience, there is a section on best practices that every Linux user should be familiar with.

Firewalls, router settings, and security


Firewalls were covered in Chapter 5, Permissions, Access, and Security, so this will just be a brief recap. If you are running a home system and using a good router, the default settings for iptables are probably all you need. They may require some tweaking, for example, to use a scanner, but for the most part you are probably safe from hackers. On the other hand, if you are the system administrator for a large company, iptables is probably not enough. I would investigate using a hardware intrusion appliance or some other method to ensure data and system security.

It is highly suggested that a router with a built-in firewall be used at all times. By no means would I connect a system directly to the Internet. While a typical Linux system may survive this, I have seen Windows boxes get infected with a virus in less than 30 minutes.

The default router settings are probably already strong enough to keep out the typical hacker. To be sure, and just to get an idea of what is going on inside your router, it's a good idea to log in and check everything from time to time. On most routers, pointing your browser to 192.168.1.1 will bring up the login screen. In most cases, an ID and password are required.

The who command can be used in Linux to show the username, tty, date, time and IP address of each user on the system, as shown in the following screenshot:

Here is another thing you can do to help prevent an intrusion. It is a good idea to deny root access by ssh/scp because hackers will usually attempt to break in as root. This can be accomplished by editing the /etc/ssh/sshd_config file. Locate the line that says #PermitRootLogin yes and change it to PermitRootLogin no. Don't forget to remove the # (pound sign). You will also need to restart sshd. Now, any attempt to log in as root will fail. I have all of my machines set up this way as an added precaution.

One last thing: any time someone logs (or attempts to log) into your system, a record is made of it. On Fedora this is put into the /var/log/secure file. You can check this file from time to time, or monitor it by using the tail -f /var/log/secure command.
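The following is an added example, not a script from the book: it summarizes sshd records of the kind written to /var/log/secure, counting failed password attempts per source address and listing successful root logins (which should stop appearing once PermitRootLogin no is in effect). It assumes OpenSSH's usual "Failed password for ... from ADDRESS port N" message layout; the sample lines, host name, user names and addresses are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: summarize sshd login records (format of /var/log/secure).

# Constructed sample log; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Oct 23 09:14:02 fedora sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 23 09:14:05 fedora sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 23 09:14:09 fedora sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Oct 23 09:20:41 fedora sshd[2110]: Failed password for jim from 198.51.100.7 port 51514 ssh2
Oct 23 09:20:47 fedora sshd[2110]: Accepted password for jim from 198.51.100.7 port 51514 ssh2
Oct 23 09:31:15 fedora sshd[2150]: Accepted publickey for root from 192.0.2.44 port 60022 ssh2
EOF
}

# awk helper: return the source address. It scans from the end of the line
# for "from ADDR port", because the user name earlier in the line is chosen
# by the remote side and may itself contain the word "from".
SRC='function src(   i) {
  for (i = NF - 2; i > 0; i--)
    if ($i == "from" && $(i + 2) == "port") return $(i + 1)
  return "?"
}'

# failed_by_source: log lines on stdin -> "count address", busiest first.
failed_by_source() {
  awk "$SRC"'
    /sshd\[[0-9]+\]: Failed password for / { n[src()]++ }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# root_logins: log lines on stdin -> "time address" for each successful
# root login, whatever the authentication method.
root_logins() {
  awk "$SRC"'
    /sshd\[[0-9]+\]: Accepted [^ ]+ for root from / { print $3, src() }'
}

# Demonstration on the constructed sample. On a real Fedora system, feed
# the functions with: cat /var/log/secure (root privileges required).
echo "Failed password attempts by source:"
sample_log | failed_by_source
echo "Successful root logins:"
sample_log | root_logins
```
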

And now for a bonus. The following is a simple script I use to watch for unauthorized access to my machine:

#!/bin/sh
tput clear
echo "jwho by Lewis 10/23/2011"
numusers=`who | wc -l`
while [ 1 ]
do
  rc=`who | wc -l`       # get number of users
  if [ $rc -gt $numusers ] ; then
    echo "Someone new has logged on!!!!!!!!!!!"
    date
    who
    jalert5 &            # see below
    numusers=$rc
  elif [ $rc -lt $numusers ] ; then
    echo "Someone logged off."
    date
    numusers=$rc
  fi
  sleep 5
done

Basically what this does is check every 5 seconds to see if the number of users has changed. If it has increased, the jalert5 script is run in the background. It plays a really obnoxious WAV file every 5 seconds until I turn it off. This will also fire every time you open a new session, so you will probably want to run it last after a boot up.