On 02/19/2011 05:45 PM, Rick Sewill wrote:
> On Saturday, February 19, 2011 04:28:11 am Anne Wilson wrote:
>> On Saturday 19 February 2011 10:20:30 Tim wrote:
>>> On Fri, 2011-02-18 at 16:07 -0500, Alex wrote:
>>>> I'd like to move it to a higher port to avoid the normal doorknob
>>>> rattling that occurs with ssh running on a public server.
>>>
>>> Even with it on a different port, you'd probably want to implement some
>>> firewalling that auto-bans an IP after a few failed attempts. That stops
>>> them from continually trying to get through.
>>>
>>> I think there was a package called fail2ban, or something similar, that
>>> did that automatically.
>>
>> Fail2ban is easy to set up, and I've seen it stop attempts here.
>>
>> Anne
>
> The one time I suffered a rootkit on Linux was when someone
> used a bug in ssh to get into my system. Fortunately, for me,
> I discovered the rootkit within hours of it happening and reloaded.
>
> I am paranoid about ssh and welcome suggestions that increase my ssh
> security configuration, in particular, and overall security, in general.
>
> Currently, for ssh on my system, I do the following:
> 1) in my /etc/ssh/sshd_config file
> a) I specify which users can use ssh (AllowUsers rsewill ...)
> b) I explicitly specified only protocol 2 could be used until that
> was the default in later versions of ssh. (Protocol 2)
> c) I switch to a non-standard port (Port ...)
> d) I do not permit root logins (PermitRootLogin no)
> e) I ignore user known hosts (IgnoreUserKnownHosts yes)
> f) I do not permit password authentication (PasswordAuthentication no)
>
> I do not permit Kerberos authentication.
>
> This leaves public key authentication.
> Please make sure the key bits are large enough, default is 2048 for RSA,
> and make sure the person, with the private key, protects the private key.
>
> 2) in iptables
> a) I whitelist the IP addresses of those I permit coming in through ssh.
http://www.cipherdyne.org/fwknop/ This way you can have a DROP policy without anything open.
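As an added example (not from anyone in this thread), a small audit that reads an sshd_config and reports which items of the checklist quoted above are missing or weak. It mirrors one sshd rule that is easy to get wrong: sshd uses the first value it finds for a keyword, so a strict line later in the file does not override a weak line earlier, and directives under a Match block only apply conditionally. Protocol is left out of the checklist because current OpenSSH only speaks version 2; the sample config and the audit function are constructed for this example.

```python
import re

# Checklist from the thread and the value it calls safe (keywords are
# case-insensitive in sshd_config, so they are normalised to lower case).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "ignoreuserknownhosts": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: first value} for the global section.

    sshd keeps the FIRST value for each keyword; anything after a Match
    line is conditional, so parsing stops there.  Assumption for this
    example: '#' anywhere starts a comment (sshd itself is stricter).
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        seen.setdefault(key, value)                      # first value wins
    return seen

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checklist is met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set (compiled-in default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers: no user whitelist")
    if cfg.get("port", "22") == "22":
        findings.append("port: still 22")
    return findings

# Constructed sample: looks hardened, but the weak line comes first and wins.
SAMPLE = """\
Port 2222
# leftover from the install; this is the value sshd actually uses
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers rsewill
IgnoreUserKnownHosts yes
Match User backup
    PasswordAuthentication no
"""
```

Running `audit_sshd_config(SAMPLE)` reports only the password-authentication line, which is exactly the mistake a visual read of the file tends to miss.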