More SSH 'trolling'

Scot L. Harris webid at cfl.rr.com
Thu Oct 14 17:07:17 UTC 2004


On Thu, 2004-10-14 at 10:40, Andrey Andreev wrote:
> Wouter van Vliet wrote:
> > As for limiting ssh access only to those who need it, how would that
> > be done and how can I restrict on IP and user? I've found this page
> > http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
> > which explains about allowing only certain users. It's cool. Now, what
> > would be the user/ip combi approach?
> 
> I make my firewall do that.

That is good but having sshd restrict who can log in in addition to the
firewall gives you two lines of defense against someone.  If they happen
to get past the firewall then they have to get past your sshd
configuration as well.

In /etc/sshd/sshd_config you want to have the following lines:

PermitRootLogin no

AllowUsers  selectusernames

Replace selectusernames with actual user ids that you want to permit ssh
access.  This gives you a single point to list allowed users but you
should still set up most accounts in /etc/passwd with no shell access
(yet another line of defense).

Another thing you might consider is changing the port you run ssh on.
Instead of the default port 22 you can shift it to some higher unused
port.  Not really the best security as people can still scan for open
ports and determine that ssh is running on it.  But it will prevent the
script kiddies that are pounding on known ports (22) from bothering your
system.

In the same sshd_config file you can add a line like:

Port 7666

and you would connect to this system using:

ssh -p 7666 computername

Yet another hurdle someone has to get past to attempt access to your
system.


-- 
Scot L. Harris
webid at cfl.rr.com

What awful irony is this?
We are as gods, but know it not. 
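An added example, not part of the post above or of the fedora-list thread: a small POSIX shell script that audits an sshd_config for the three directives the post recommends (PermitRootLogin, AllowUsers, Port) and desk-checks which login/source combinations an AllowUsers line would accept. It also covers the user/ip question from the original message, because OpenSSH AllowUsers patterns may take the form user@host, in which case the user and the host are matched separately. The two config files are constructed here so the script runs offline; the pattern matcher is a simplification of sshd's own (it checks only the one string you pass as the source, where sshd checks both the resolved hostname and the address).

```shell
#!/bin/sh
# Audit an sshd_config for the hardening directives discussed in the post.
# Assumption: like sshd, the first occurrence of a keyword wins and later
# duplicates are ignored; keywords are case-insensitive; '#' starts a comment.

# Print the effective value of a keyword (empty if the keyword is unset).
sshd_directive() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when PermitRootLogin is "no" and AllowUsers lists at least one
# pattern; report the listening port either way.
sshd_audit() {
    cfg="$1"
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    allow=$(sshd_directive "$cfg" AllowUsers)
    port=$(sshd_directive "$cfg" Port)
    status=0
    if [ "$prl" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-<unset>}'"; status=1
    fi
    if [ -z "$allow" ]; then
        echo "FAIL: AllowUsers not set; every account with a shell may log in"; status=1
    fi
    echo "Port: ${port:-22 (default)}"
    return $status
}

# Does the AllowUsers line in $1 admit login name $2 from source $3?
# Patterns use '*' and '?' wildcards, which shell case patterns share; a
# "user@host" pattern checks the two halves separately. Runs in a subshell
# so 'set -f' (no pathname expansion of '*') does not leak to the caller.
sshd_allows() (
    set -f
    cfg="$1"; user="$2"; from="$3"
    for pat in $(sshd_directive "$cfg" AllowUsers); do
        case "$pat" in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
            *)   upat=$pat; hpat='*' ;;
        esac
        case "$user" in $upat) ;; *) continue ;; esac
        case "$from" in $hpat) return 0 ;; esac
    done
    return 1
)

# Constructed sample configs (not taken from the post) so the script runs offline.
tmp=${TMPDIR:-/tmp}/sshd-audit.$$
mkdir -p "$tmp"
cat > "$tmp/weak.conf" <<'EOF'
# stock-style config: root can log in and any account with a shell can log in
Port 22
PermitRootLogin yes
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# hardened as the post suggests; user@host patterns tie a login to a source
Port 7666
PermitRootLogin no
AllowUsers scot@192.168.1.10 wouter@*.example.net backup
EOF

for f in weak hardened; do
    echo "== $f.conf"
    if sshd_audit "$tmp/$f.conf"; then echo "PASS"; fi
done
for who in "scot 192.168.1.10" "scot 10.0.0.5" "wouter host1.example.net" "root 192.168.1.10"; do
    set -- $who
    if sshd_allows "$tmp/hardened.conf" "$1" "$2"; then
        echo "allow $1 from $2"
    else
        echo "deny  $1 from $2"
    fi
done
```

Because sshd_audit returns non-zero when a directive is missing, the script can be run from a host-hardening check or a cron job against /etc/ssh/sshd_config and fail loudly when someone reverts PermitRootLogin. The AllowUsers desk check is only a preview; the authoritative answer is still what sshd decides at login time, and since sshd matches both the reverse-resolved hostname and the address, a host pattern should be tested against both forms.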
