Re: Running ssh on unreserved ports

On 02/19/2011 05:45 PM, Rick Sewill wrote:
> On Saturday, February 19, 2011 04:28:11 am Anne Wilson wrote:
>> On Saturday 19 February 2011 10:20:30 Tim wrote:
>>> On Fri, 2011-02-18 at 16:07 -0500, Alex wrote:
>>>> I'd like to move it to a higher port to avoid the normal doorknob
>>>> rattling that occurs with ssh running on a public server.
>>>
>>> Even with it on a different port, you'd probably want to implement some
>>> firewalling that auto-bans an IP after a few failed attempts.  That stops
>>> them from continually trying to get through.
>>>
>>> I think there was a package called fail2ban, or something similar, that
>>> did that automatically.
>>
>> Fail2ban is easy to set up, and I've seen it stop attempts here.
>>
>> Anne
> 
> The one time I suffered a rootkit on Linux was when someone
> used a bug in ssh to get into my system.  Fortunately, for me,
> I discovered the rootkit within hours of it happening and reloaded.
> 
> I am paranoid about ssh and welcome suggestions that increase my ssh
> security configuration, in particular, and overall security, in general.
> 
> Currently, for ssh on my system, I do the following:
> 1) in my /etc/ssh/sshd_config file
>    a) I specify which users can use ssh (AllowUsers rsewill ...)
>    b) I explicitly specified only protocol 2 could be used until that
>        was the default in later versions of ssh.  (Protocol 2)
>    c) I switch to a non-standard port (Port ...)
>    d) I do not permit root logins, (PermitRootLogin no)
>    e) I ignore user known hosts (IgnoreUserKnownHosts yes)
>    f) I do not permit password authentication (PasswordAuthentication no)
> 
>    I do not permit kerberos authentication.
> 
>    This leaves public key authentication.
>    Please make sure the key bits are large enough, default is 2048 for RSA,
>    and make sure the person, with the private key, protects the private key.
> 
> 2) in iptables
>    a) I whitelist the IP addresses of those I permit coming in through ssh.

http://www.cipherdyne.org/fwknop/
This way you can have a DROP policy without anything open.
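As an added example (not code from anyone in this thread), the following script checks an sshd_config for the directives Rick lists above (AllowUsers, a non-default Port, PermitRootLogin no, IgnoreUserKnownHosts yes, PasswordAuthentication no, KerberosAuthentication no). The sample config files it builds are constructed for the demonstration; the user name rsewill and port 2222 are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the directives
# Rick lists. Mirrors two sshd(8) parsing rules: the first occurrence of a
# directive wins, and the global section ends at the first "Match" block.
# Unset directives count as failures (no reliance on version-dependent defaults).

# effective_value FILE DIRECTIVE -> prints the global value (empty if unset)
effective_value() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        tolower($1) == "match" { exit }             # end of the global section
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, "[ \t=]+")                 # "Key Value" or "Key=Value"
          if (tolower(f[1]) == key) { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit } }' "$1"
}

# audit_sshd_config FILE -> exit status = number of failed checks
audit_sshd_config() {
    bad=0
    for check in PermitRootLogin=no PasswordAuthentication=no IgnoreUserKnownHosts=yes \
                 KerberosAuthentication=no Port=non-default AllowUsers=set; do
        key=${check%%=*}; want=${check#*=}
        raw=$(effective_value "$1" "$key"); got=$(printf '%s' "$raw" | tr 'A-Z' 'a-z')
        case "$want" in
            non-default) [ -n "$got" ] && [ "$got" != 22 ] && ok=1 || ok=0 ;;
            set)         [ -n "$got" ] && ok=1 || ok=0 ;;
            *)           [ "$got" = "$want" ] && ok=1 || ok=0 ;;
        esac
        if [ "$ok" = 1 ]; then echo "ok    $key $raw"
        else echo "FAIL  $key ${raw:-<unset>} (want $want)"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# Constructed sample configs (not files from the thread): a stock-looking weak
# one and one set up the way the post describes, plus a Match block that must
# not leak into the global check.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
              'KerberosAuthentication no' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'AllowUsers rsewill' 'PermitRootLogin no' \
              '# sshd ignores this duplicate: first occurrence wins' 'permitrootlogin yes' \
              'PasswordAuthentication=no' 'IgnoreUserKnownHosts yes' \
              'KerberosAuthentication no' 'Match User guest' \
              '    PasswordAuthentication yes' > "$HARD_CFG"

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"; audit_sshd_config "$cfg" || echo "$? directive(s) need attention"
done
```

Run it against /etc/ssh/sshd_config (as a user that can read it) to get one ok/FAIL line per directive; the exit status is the number of failures, so it slots into a cron job or a configuration test.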

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines