SSH safety

David L Norris dave at webaugur.com
Sun Nov 14 12:45:08 UTC 2004


On Sun, 2004-11-14 at 07:40 +0100, J.L. Coenders wrote:
> I was wondering how safe it is to open the ssh port up to the internet. I am 
> behind a router which is firewalled to block all traffic, unless I open it up 
> and route it to my computer. Is it safe to open ssh up to the internet, so I 
> can run applications of my home computer over the internet?

The primary security risk with SSH is password authentication with weak
passwords.  Every compromised system I have seen was due to a
combination of weak passwords and services that leak usernames (e.g.
SMTP returning "mailbox doesn't exist").

I see thousands of SSH login attempts each day on my machines.  But with
a good SSH configuration they are harmless.  There are numerous threads
in the list archives that cover configuring SSH in some detail.  "man
sshd_config" is also helpful.

My suggestions for sshd_config:
  Enable only "Protocol 2"
  Use "AllowGroups sshusers" and add SSH users to sshusers group.
  Set "PermitRootLogin no"
  Use complex passwords or keys with "PasswordAuthentication no"

If you do allow passwords then I suggest choosing usernames that are not
easily guessed; avoid usernames such as your own name, family members
names, coworkers names, friends names, domain names, or any common names
like john, bob, bill, oracle, test, etc.

-- 
 David Norris
  http://www.webaugur.com/dave/
  ICQ - 412039
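The four sshd_config suggestions above, turned into a small audit script. This is an added example, not code from the original post or from OpenSSH; it assumes only a POSIX shell with awk, and the two sample configs it checks are constructed here for the demonstration. It reads the directives the way sshd does for the global section (keywords are case-insensitive and the first uncommented occurrence wins), with two caveats a practitioner should know: it stops at the first `Match` block, which it does not evaluate, and it treats an unset `Protocol` as acceptable because protocol 1 has since been removed from OpenSSH, while an unset `PermitRootLogin` or `PasswordAuthentication` is reported as a failure because the 2004-era defaults for both were `yes` (newer OpenSSH defaults `PermitRootLogin` to `prohibit-password`, which this script still flags, since the post's advice is `no`).

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the four suggestions in
# the post above.  Not part of the original message.

# effective_value FILE KEYWORD
# Prints the value of the first active occurrence of KEYWORD in FILE, or
# nothing if it is never set.  Comments and blank lines are skipped, and
# parsing stops at the first "Match" block (Match-conditional settings are
# deliberately not handled here).
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/       { next }   # comment or blank line
        tolower($1) == "match"     { exit }   # global section ends here
        tolower($1) == tolower(key) {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit                              # first occurrence wins, as in sshd
        }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one FAIL line per unmet recommendation; the return code is the
# number of failures (0 means all four checks pass).
audit_sshd_config() {
    f="$1"
    fails=0

    v=$(effective_value "$f" Protocol | tr '[:upper:]' '[:lower:]')
    # Unset is fine on modern OpenSSH (protocol 1 is gone), "1" or "2,1" is not.
    case "$v" in
        ""|2) ;;
        *) echo "FAIL: Protocol is '$v', want 2"; fails=$((fails + 1)) ;;
    esac

    v=$(effective_value "$f" AllowGroups)
    [ -n "$v" ] || { echo "FAIL: no AllowGroups restriction"; fails=$((fails + 1)); }

    v=$(effective_value "$f" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    case "$v" in
        no) ;;
        *) echo "FAIL: PermitRootLogin is '${v:-unset}', want no"; fails=$((fails + 1)) ;;
    esac

    v=$(effective_value "$f" PasswordAuthentication | tr '[:upper:]' '[:lower:]')
    # The default is yes, so leaving it unset counts as a failure.
    case "$v" in
        no) ;;
        *) echo "FAIL: PasswordAuthentication is '${v:-unset}', want no"; fails=$((fails + 1)) ;;
    esac

    return "$fails"
}

# Constructed sample configs so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# Loose configuration: both protocols, root allowed, passwords left at default
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# Configuration following the post's four suggestions
Protocol 2
AllowGroups sshusers
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$tmp/weak.conf" || echo "weak.conf: $? check(s) failed"
audit_sshd_config "$tmp/hardened.conf" && echo "hardened.conf: all checks pass"
rm -rf "$tmp"
```

To use it against a real host, point `audit_sshd_config` at /etc/ssh/sshd_config and, after changing anything, run `sshd -t` so a typo does not lock you out of the box you are hardening over SSH.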
More information about the fedora-list mailing list