[wellylug] Securing my ssh box

Jim Cheetham jim at gonzul.net
Wed Aug 23 09:28:24 NZST 2006


On Tue, Aug 22, 2006 at 01:29:04PM +0100, Hong Chyr wrote:
> I'm trying to secure my linux box, accessible via ssh by using public key
> authentication. I read in an article that by enabling public key auth and
> disabling password auth, it will secure the ssh access.

That is the first thing to do. The next is to disallow the root user
from logging in with ssh (PermitRootLogin no) and to restrict the valid
usernames that can use ssh to the actual accounts authorised (AllowUsers
john paul george ringo).

Then you might consider changing the port number that ssh runs on,
seeing as there are almost endless automated ssh login attacks on port
22. But that's security by obscurity only, and not necessarily a great
idea.

Also consider deploying something like DenyHosts
(http://denyhsts.sf.net), which will look at the ssh logs, spot people
trying to break in, and blacklist them (in tcpwrappers by default),
which prevents them from connecting to the machine at all. Blacklisting
is dangerous; you *must* ensure that it will not blacklist your own
connections, or else you will lose access to the machine.

-jim




More information about the wellylug mailing list