On Tue, 2006-05-23 at 13:37 -0400, fedora-list-request@xxxxxxxxxx wrote:
> From: "Brian D. McGrew" <brian@xxxxxxxxxxxxx>
> Subject: Securing SSH
> To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
> Message-ID:
> <14CFC56C96D8554AA0B8969DB825FEA0012B32A3@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Good morning,
>
> I'm looking to tighten up my ssh configuration. I have to have SSH open
> on the box at home so I can get to it from the office. I've found
> several articles on securing ssh that include denying root access and
> requiring 'wheel' group membership for su.
>
> Is changing the port to something non-standard a good idea? What else
> can I do; can someone point me to a good write-up on it?
>
> Thanks,
>
> :b!
>
> Brian D. McGrew { brian@xxxxxxxxxxxxx || brian@xxxxxxxxxxxxxxxxxxx }
> --
>
> This is a test. This is only a test!
> Had this been an actual emergency, you would have been
> told to cancel this test and seek professional assistance!
>

Ok, what a great idea...

In most Unix environments, you do not allow "root" to access the system
except from the local console. However, this does not prevent you from
running "sudo" or performing an "su -".

Yes, you can change the port to something else to make it more secure.
You would then need to change your firewall rules (hopefully you are
running the firewall at home) to allow this port remote access.

To change the port you will need to edit /etc/ssh/sshd_config. You
should also change the line that says "PermitRootLogin yes" to
"PermitRootLogin no". This will prevent root from logging on remotely.
Additionally, you should also change/add the following two lines if they
are not present:

    MaxAuthTries 3      (usually set to 6)
    UsePAM yes          (if not present, add to the end of the file)

Now, to prevent DoS attacks and brute-force SSH attacks, you will need to
edit /etc/pam.d/sshd and add the following to the end of the file:

    auth    required pam_tally.so onerr=fail deny=3 unlock_time=900
    account required pam_tally.so deny=3

Now you can issue the command as root or through sudo:

    service sshd restart
or
    sudo /sbin/service sshd restart

WARNING: If you are logged on through SSH you will be dropped. Also,
remember to change your firewall rules before you restart the ssh daemon.

You can also transfer your X-windows apps to your local system by doing
the following:

On your system:

    xhost +                               (allows remote X apps)
    ssh -Y remote_computer -p the_new_port

Now, once logged in, you can test this using:

    xclock

You should then see the xclock on your system from the remote system.

Hope this was helpful.....

--
Ed Gurski <ed@xxxxxxxxxx>
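As an added example that is not part of the thread above, the following POSIX shell script audits an sshd_config for the directives the reply recommends (PermitRootLogin, MaxAuthTries, UsePAM, Port). It reads a constructed sample config embedded in the script rather than the real /etc/ssh/sshd_config, and the function names (sshd_get, audit_sshd) are the example's own; it does not handle sshd "Match" blocks.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a sshd_config text
# against the hardening settings recommended in the reply.

# Constructed sample config with fresh-install style defaults (weak).
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
MaxAuthTries 6
UsePAM no
'

# Print the effective value of a directive. sshd honours the first match,
# so stop at the first non-comment line whose keyword matches
# (case-insensitive, as sshd treats keywords). Match blocks are ignored.
sshd_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# Return 0 when the config meets the recommendations, 1 otherwise,
# printing one FAIL line per weak or missing directive. Unset directives
# are treated as the sshd defaults of the time (yes / 6 / 22).
audit_sshd() {
    cfg="$1"; rc=0
    root=$(sshd_get PermitRootLogin "$cfg")
    tries=$(sshd_get MaxAuthTries "$cfg")
    pam=$(sshd_get UsePAM "$cfg")
    port=$(sshd_get Port "$cfg")
    [ "${root:-yes}" = "no" ] \
        || { echo "FAIL: PermitRootLogin is '${root:-yes}', want no"; rc=1; }
    [ "${tries:-6}" -le 3 ] 2>/dev/null \
        || { echo "FAIL: MaxAuthTries is '${tries:-6}', want 3 or lower"; rc=1; }
    [ "$pam" = "yes" ] \
        || { echo "FAIL: UsePAM is '${pam:-unset}', want yes"; rc=1; }
    [ "${port:-22}" != "22" ] \
        || echo "NOTE: sshd still on port 22; update firewall rules if you move it"
    return $rc
}

audit_sshd "$SAMPLE_CONFIG" && echo "sshd_config passes" \
    || echo "sshd_config needs attention"
```

To run it against a real file, pass "$(cat /etc/ssh/sshd_config)" to audit_sshd instead of the sample.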