Re: Heads up: Brute force attacks on the rise recently

2009/10/29 Tom Horsley <tom.horsley@xxxxxxx>:
> On Thu, 29 Oct 2009 09:59:27 -0400
> rgheck wrote:
>
>> On 10/28/2009 07:44 PM, Tom Horsley wrote:
>> > On Wed, 28 Oct 2009 18:03:29 -0500
>> > Michael Cronenworth wrote:
>> >
>> >
>> >> -Make sure your root password is not a dictionary word.
>> >>
>> > Better yet, make sure you only allow public key login from
>> > outside the trusted local network. I've been setting up my
>> > sshd that way for a long time now.
>> >
>> >
>> Can you show how to do this? I only know how to make the choice globally.
>>
>> rh
>>
>>
>
> I globally disable various things in the main /etc/ssh/sshd_config
> file, then I use a "Match" directive at the bottom, which for me
> looks like:
>
> Match Address 127.0.0.1,192.168.1.*
> Banner /etc/nohamster.txt
> GSSApiAuthentication yes
> KerberosAuthentication no
> PasswordAuthentication yes
> KbdInteractiveAuthentication no
> RhostsRSAAuthentication no
> RSAAuthentication no
>
> That overrides the global settings for requests originating
> from the matched IP addrs.

I just mentioned this privately to someone. There are more vectors
than just SSH, and the principle is the same. Unless you have no way
into your network from the outside (no VPN, no webservers, nothing),
there's a potential for a brute-force attack.

Unfortunately, in our particular case, we can't restrict ssh to
internal IP ranges, so we had to implement a different solution.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
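
Added example, not part of the original messages: a small Python check that reports which value of a keyword applies to a given client address when a global setting is overridden by a "Match Address" block like the one quoted above. The global section in SAMPLE_CONFIG is constructed (the thread shows only the Match block), and the function names are hypothetical.

```python
import fnmatch
import ipaddress

# Constructed sample: passwords refused globally, re-enabled only inside the
# Match block quoted in the thread (loopback and the 192.168.1.* LAN).
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 127.0.0.1,192.168.1.*
    PasswordAuthentication yes
    KbdInteractiveAuthentication no
"""

def address_matches(pattern_list, client_ip):
    """Match client_ip against a comma-separated Address list (wildcards,
    CIDR, and '!' negation, where a negated hit vetoes the whole list)."""
    matched = False
    for pat in pattern_list.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        if "/" in pat:
            hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(client_ip, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched

def effective_setting(config_text, keyword, client_ip):
    """Value that applies to `keyword` for a connection from client_ip.
    Simplification: only 'Match Address <list>' and 'Match all' are evaluated;
    blocks using other criteria are treated as not matching."""
    global_val = match_val = None
    in_match = active = False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            crit, in_match = value.split(), True
            active = (crit[0].lower() == "all" or (len(crit) == 2 and
                      crit[0].lower() == "address" and address_matches(crit[1], client_ip)))
        elif key == keyword.lower():
            if in_match and active and match_val is None:
                match_val = value       # first satisfied Match block wins
            elif not in_match and global_val is None:
                global_val = value      # first global occurrence wins
    return match_val if match_val is not None else global_val
```

A return value of None means the keyword is not set for that client and sshd's built-in default applies. On a live host, sshd's extended test mode (-T, with -C to supply the connection parameters) prints the effective configuration directly.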