[wellylug] Securing my ssh box

Hong Chyr hongchyr at yahoo.co.uk
Wed Aug 23 13:15:50 NZST 2006


Thanks all for the replies. I've basically done all (disallow root, non-standard port, and now public key) except restrict user and DenyHosts. 

I guess those are the next stages. Thanks all.

Cheers
Hong

Jim Cheetham <jim at gonzul.net> wrote:

On Tue, Aug 22, 2006 at 01:29:04PM +0100, Hong Chyr wrote:
> I'm trying to secure my linux box, accessible via ssh by using public key
> authentication. I read in an article that by enabling public key auth and
> disabling password auth, it will secure the ssh access.

That is the first thing to do. The next is to disallow the root user
from logging in with ssh (PermitRootLogin no) and to restrict the valid
usernames that can use ssh to the actual accounts authorised (AllowUsers
john paul george ringo).

Then you might consider changing the port number that ssh runs on,
seeing as there are almost endless automated ssh login attacks on port
22. But that's security by obscurity only, and not necessarily a great
idea.

Also consider deploying something like DenyHosts
(http://denyhsts.sf.net), which will look at the ssh logs, spot people
trying to break in, and blacklist them (in tcpwrappers by default),
which prevents them from connecting to the machine at all. Blacklisting
is dangerous; you *must* ensure that it will not blacklist your own
connections, or else you will lose access to the machine.

-jim


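An added example, not part of the original messages and not code from OpenSSH or DenyHosts: a small Python check of the sshd_config settings recommended in the thread, plus a test that your own address is not in the tcpwrappers deny list before you rely on blacklisting. The sample config, the addresses and the function names are constructed for illustration; the parser covers global settings only and literal IPv4 entries.

```python
# Added example: constructed inputs, not taken from the original thread.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_HOSTS_DENY = "sshd: 203.0.113.7\nsshd: 198.51.100.23\n"

def effective_global(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive and
    the first value seen wins. Parsing stops at the first Match block."""
    settings = {}
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[0].lower()
        if key == "match":
            break
        settings.setdefault(key, fields[1].strip())
    return settings

def audit(config_text):
    """Check the settings recommended in the thread; return a list of findings."""
    s = effective_global(config_text)
    findings = []
    for key in ("passwordauthentication", "permitrootlogin"):
        value = s.get(key)
        if value is None:
            findings.append(f"{key}: not set, the build default applies")
        elif value.lower() != "no":
            findings.append(f"{key}: {value} (want no)")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("pubkeyauthentication: disabled")
    if "allowusers" not in s:
        findings.append("allowusers: not set, no username restriction")
    return findings

def blocked_by_hosts_deny(hosts_deny_text, client_ip, daemon="sshd"):
    """True if client_ip is listed literally for daemon or ALL.
    Simplified: IPv4 literals only, no wildcards or EXCEPT."""
    for raw in hosts_deny_text.splitlines():
        daemons, sep, clients = raw.strip().partition(":")
        if not sep or daemons.startswith("#"):
            continue
        if {daemon, "ALL"} & set(daemons.replace(",", " ").split()):
            if client_ip in clients.replace(",", " ").split():
                return True
    return False
```

In the sample the later `PasswordAuthentication no` has no effect because the earlier `yes` is read first, so the audit still reports password logins as enabled.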