On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
> Lamar Owen wrote:
> >
> > On Wednesday 03 October 2007, Karl Larsen wrote:
> > > I have sure heard a LOT about security updates and I have had my own
> > > problems. For years I thought the only thing necessary was a good root
> > > password. This year I found out with ssh around you need a good password
> > > for your own login name. My problem was caused by having a super poor
> > > login password which was my last name. Since the login name was karl it
> > > followed.
> >
> > Also: run ssh on some port other than 22. This is accomplished by
> > editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to
> > iptables, assuming you're running iptables). If you know the IP addresses
> > from which you will always be connecting, then set your firewall (both on any
> > external router as well as in /etc/sysconfig/iptables) to only allow the IP
> > addresses you want.
> >
> > Just changing from port 22 to some other port (and 222 or 2222 aren't good
> > ones; anything above 1024 is fair game) will eliminate 90% or more of your
> > risk.
> >
> > Also, set up RSA key security and eliminate password-based logins. This is a
> > fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting
> > ready to go home for the day, and don't have time to type it in; if you can't
> > find it anywhere, I can write one up fairly quickly, as I've set this up on
> > several boxes). Some might say to just do this and not worry about the
> > listening port change; I prefer multilayered security (why I run SELinux in
> > enforcing/targeted mode on servers) when possible.
> >
> > With a nonstandard port you do have to remember to use the -p parameter of ssh
> > to connect (and the -P parameter of scp) but in my opinion it's worth it.
>
> Changing ports for ssh isn't actually that hot of an idea. Most port scanners
> can detect ssh implementations since they normally self-identify. For example,
> if you're running ssh on the normal port (22), try executing:
>
> /usr/bin/telnet YOUR.HOST.IP.ADDR 22
>
> and see what pops out.
>
> Hope this helps'idly,
>
> -S
>

You can always fake your banner, to fool an attacker.

http://projects.vanscherpenseel.nl/documents/howto_banners.html

Calin

=================================================
I still miss Windows, but my aim is getting better.
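The sshd_config changes Lamar describes above (move the listening port, drop password logins in favour of keys) can be checked mechanically before sshd is restarted. The script below is an added example, not code from this thread or from OpenSSH: it parses a constructed sshd_config using OpenSSH's first-occurrence rule for keywords and reports each deviation from the advice in the thread.

```python
import re

# Constructed sample sshd_config, not taken from any real host: the
# keywords the thread discusses are still at their weak values.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed example)
#Port 22
Protocol 2
#PubkeyAuthentication yes
PasswordAuthentication yes
"""

# OpenSSH defaults for the keywords audited here (assumed subset).
DEFAULTS = {"port": "22",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Return {keyword: value}, ignoring comments and blank lines.

    Keywords are case-insensitive and may be separated from their value by
    whitespace or '='.  The first occurrence wins, as sshd itself does.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Apply the thread's recommendations; return a list of findings."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    port = int(cfg["port"])
    if port == 22:
        findings.append("sshd listens on the default port 22")
    elif port in (222, 2222) or port <= 1024:
        findings.append("nonstandard port %d is an obvious guess" % port)
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password logins still allowed; use key-based auth only")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("public key authentication is disabled")
    return findings
```

The audit covers only the config file; the version string sshd sends on connect, which Steve's telnet test shows, is not set by any of these keywords, so a clean audit does not mean the service is hidden.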