OT: New article: Let's block cracker using denyhosts
Guy Fraser
guy at incentre.net
Thu Mar 30 22:59:26 UTC 2006
On Thu, 2006-30-03 at 09:56 -0600, Jason L Tibbitts III wrote:
> I have a few comments about the article. (I package denyhosts for
> Fedora Extras.)
>
> You install it via yum, and at that point it is actually configured.
> A proper config file is already in /etc/denyhosts.cfg, although you
> can of course tweak it. And there's no need to copy anything into
> /etc/init.d, because it's already set up.
>
> So the procedure is just:
>
>     yum install denyhosts
>     (edit /etc/denyhosts.cfg to your liking)
>     chkconfig denyhosts on
>     service denyhosts start
>
> If you prefer to run denyhosts from cron instead of as a daemon, you
> can edit /etc/sysconfig/denyhosts and follow the instructions there.
> Other info related to the Fedora package is in
> /usr/share/doc/denyhosts*/README.fedora

Another quick trick that helps is to add a line to the bottom of
/etc/ssh/sshd_config:

    AllowGroups staff

Assign only users allowed to use ssh to group staff. This makes any
user not in group staff appear to have an invalid password whether
or not it is. Of course you can use any group you want; this just
happens to be the one I use to allow ssh on my servers. The other
part is ensuring all users in group staff have _*GOOD*_ passwords.

I believe you can also disable ssh-agent and manually assign the
public keys to .ssh/known_hosts. I don't use this anymore; it was
a PITA.
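
An audit for the AllowGroups setting described above, added here as an example and not part of the original post: it lists every account the directive admits, counting users whose primary group is the allowed group as well as its supplementary members. The function names and sample files are constructed for illustration; it assumes literal group names (no wildcard patterns) and no Match blocks.

```shell
#!/bin/sh
# Added example: list the accounts that an AllowGroups line admits to sshd.
# Assumes literal group names (no wildcard patterns) and no Match blocks.

# allowed_groups CONFIG -> group names from every AllowGroups line
allowed_groups() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# group_members GROUP GROUPFILE PASSWDFILE -> supplementary members of GROUP
# plus users whose primary GID is GROUP's GID
group_members() {
    awk -F: -v g="$1" '
        FNR == NR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                                   for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
                    next }
        gid != "" && $4 == gid { print $1 }' "$2" "$3" | sort -u
}

# ssh_allowed_users CONFIG GROUPFILE PASSWDFILE -> every account sshd would admit
ssh_allowed_users() {
    for g in $(allowed_groups "$1"); do group_members "$g" "$2" "$3"; done | sort -u
}

# make_sample DIR -> write constructed sample files (not from a real host)
make_sample() {
    printf '%s\n' 'PermitRootLogin no' '#AllowGroups wheel' 'AllowGroups staff' \
        > "$1/sshd_config"
    printf '%s\n' 'wheel:x:10:root' 'staff:x:50:alice' 'users:x:100:carol' \
        > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:500:100::/home/alice:/bin/bash' \
        'bob:x:501:50::/home/bob:/bin/bash' \
        'carol:x:502:100::/home/carol:/bin/bash' > "$1/passwd"
}

tmp=$(mktemp -d)
make_sample "$tmp"
ssh_allowed_users "$tmp/sshd_config" "$tmp/group" "$tmp/passwd"   # alice, bob
rm -rf "$tmp"
```

On a real host, pass /etc/ssh/sshd_config, /etc/group and /etc/passwd; accounts served from LDAP or NIS will not appear in those flat files.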