Thanks all for the replies. I've basically done all (disallow root, non-standard port, and now public key) except restrict user and DenyHosts. <br><br>I guess that's the next stages. Thanks all. <br><br>Cheers<br>Hong<br><br><b><i>Jim Cheetham <jim@gonzul.net></i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> On Tue, Aug 22, 2006 at 01:29:04PM +0100, Hong Chyr wrote:<br>> I'm trying to secure my linux box, accessible via ssh by using public key<br>> authentication. I read in an article that by enabling public key auth and<br>> disabling password auth, it will secure the ssh access.<br><br>That is the first thing to do. The next is to disallow the root user<br>from logging in with ssh (PermitRootLogin no) and to restrict the valid<br>usernames that can use ssh to the actual accounts authorised (AllowUsers<br>john paul george ringo).<br><br>Then you might consider changing the port
number that ssh runs on,<br>seeing as there are almost endless automated ssh login attacks on port<br>22. But that's security by obscurity only, and not necessarily a great<br>idea.<br><br>Also consider deploying something like DenyHosts<br>(http://denyhsts.sf.net), which will look at the ssh logs, spot people<br>trying to break in, and blacklist them (in tcpwrappers by default),<br>which prevents them from connecting to the machine at all. Blacklisting<br>is dangerous; you *must* ensure that it will not blacklist your own<br>connections, or else you will lose access to the machine.<br><br>-jim<br><br><br>-- <br>Wellington Linux Users Group Mailing List: wellylug@lists.wellylug.org.nz<br>To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug<br></blockquote><br><p> 
<hr size=1>
<a href="http://us.rd.yahoo.com/mail/uk/taglines/default/nowyoucan/pc_mag/*http://us.rd.yahoo.com/evt=40565/*http://uk.docs.yahoo.com/nowyoucan.html">All new Yahoo! Mail</a> "The new Interface is stunning in its simplicity and ease of use." - PC Magazine