On Sun, 2004-11-14 at 07:40 +0100, J.L. Coenders wrote:
> I was wondering how safe it is to open the ssh port up to the internet. I am
> behind a router which is firewalled to block all traffic, unless I open it up
> and route it to my computer. Is it safe to open ssh up to the internet, so I
> can run applications of my home computer over the internet?

The primary security risk with SSH is password authentication with weak passwords. Every compromised system I have seen was due to a combination of weak passwords and services that leak usernames. (i.e. SMTP returns "mailbox doesn't exist")

I see thousands of SSH login attempts each day on my machines. But with a good SSH configuration they are harmless.

There are numerous threads in the list archives that cover configuring SSH in some detail. "man sshd_config" is also helpful.

My suggestions for sshd_config:

Enable only "Protocol 2"
Use "AllowGroups sshusers" and add SSH users to sshusers group.
Set "PermitRootLogin no"
Use complex passwords or keys with "PasswordAuthentication no"

If you do allow passwords then I suggest choosing usernames that are not easily guessed; avoid usernames such as your own name, family members' names, coworkers' names, friends' names, domain names, or any common names like john, bob, bill, oracle, test, etc.

-- 
David Norris
http://www.webaugur.com/dave/
ICQ - 412039
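One way to check an sshd_config against the four suggestions in the message above, as an added example that is not part of the original post. The function names and both sample configurations are constructed for illustration, and the check assumes only the global section (before any Match line) matters and that the first occurrence of a keyword wins, as sshd_config(5) describes.

```python
import re

# Constructed sample configurations, not taken from the post.
WEAK = """\
# duplicate keyword: sshd uses the first value it reads
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
"""
HARDENED = """\
Protocol 2
AllowGroups sshusers
PermitRootLogin no
PasswordAuthentication no
"""

def parse_global(text):
    """Return {lowercased keyword: value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(key, m.group(2).strip().strip('"'))
    return settings

def audit(text):
    """Return findings; an empty list means all four suggestions are met."""
    s = parse_global(text)
    findings = []
    if s.get("protocol") != "2":
        findings.append("Protocol is not restricted to 2")
    if not s.get("allowgroups"):
        findings.append("AllowGroups is not set")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if s.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'; password strength is the only defence")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

Current OpenSSH servers no longer implement protocol 1, so on those the Protocol finding can be ignored.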