On Thu, 2004-10-14 at 10:40, Andrey Andreev wrote:
> Wouter van Vliet wrote:
> > As for limiting ssh access only to those who need it, how would that
> > be done and how can I restrict on IP and user? I've found this page
> > http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
> > which explains about allowing only certain users. It's cool. Now, what
> > would be the user/ip combi approach?
>
> I make my firewall do that.

That is good, but having sshd restrict who can log in, in addition to the
firewall, gives you two lines of defense against someone. If they happen
to get past the firewall, then they have to get past your sshd
configuration as well.

In /etc/sshd/sshd_config you want to have the following lines:

    PermitRootLogin no
    AllowUsers selectusernames

Replace selectusernames with the actual user ids that you want to permit
ssh access. This gives you a single point to list allowed users, but you
should still set up most accounts in /etc/passwd with no shell access
(yet another line of defense).

Another thing you might consider is changing the port you run ssh on.
Instead of the default port 22 you can shift it to some higher unused
port. Not really the best security, as people can still scan for open
ports and determine that ssh is running on it. But it will prevent the
script kiddies that are pounding on known ports (22) from bothering your
system.

In the same sshd_config file you can add a line like:

    Port 7666

and you would connect to this system using:

    ssh -p 7666 computername

Yet another hurdle someone has to get past to attempt access to your
system.

-- 
Scot L. Harris
webid@xxxxxxxxxx

What awful irony is this? We are as gods, but know it not.
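An added example, not code from the mail or from OpenSSH: a small audit of an sshd_config for the three settings discussed above (PermitRootLogin, AllowUsers, Port), plus a re-implementation of the AllowUsers USER@HOST pattern form, which is how sshd itself expresses the user/IP combination the original question asked about. The config samples are constructed; fnmatch stands in for sshd's own pattern matcher (CIDR host patterns are not handled), and an absent PermitRootLogin is assumed to mean root login is permitted.

```python
# Added example (not from the mail): audit an sshd_config for the settings
# discussed above and mimic the AllowUsers USER@HOST check, which is how
# sshd itself expresses a user/IP combination. Config samples are constructed.
import fnmatch

def parse_sshd_config(text):
    """Map lowercased keyword -> value; first occurrence wins, as in sshd.
    Lines after the first Match block are conditional and skipped here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = line.split(None, 1)          # 'Keyword value' form only
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Return findings for the three weak points named in the mail."""
    cfg = parse_sshd_config(text)
    findings = []
    # an absent PermitRootLogin is treated as permissive (assumed default)
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in cfg:
        findings.append("no AllowUsers list: every account with a shell can log in")
    if cfg.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings

def user_allowed(text, user, client_ip):
    """Approximate sshd's AllowUsers check: each pattern is USER or USER@HOST
    with '*' and '?' wildcards (fnmatch stands in for sshd's own matcher).
    Without AllowUsers, sshd allows everyone, so return True."""
    patterns = parse_sshd_config(text).get("allowusers")
    if patterns is None:
        return True
    for pat in patterns.split():
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (
                not hpat or fnmatch.fnmatchcase(client_ip, hpat)):
            return True
    return False

WEAK = "Port 22\nPermitRootLogin yes\n"                      # constructed
HARDENED = ("Port 7666\nPermitRootLogin no\n"                  # constructed
            "AllowUsers alice bob@192.168.1.* carol@10.0.0.5\n")
```

Calling audit_sshd_config(WEAK) lists all three weak points, while audit_sshd_config(HARDENED) returns an empty list, and user_allowed(HARDENED, "bob", "10.0.0.5") is False because bob is only permitted from 192.168.1.*.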