Tightening up ssh

Graham North northg at shaw.ca
Sun Mar 26 21:25:49 UTC 2006


Thank you.
G/


fbsd_user wrote:

>The fact of life is there is no way to stop ssh logon attacks
>as long as you have port 22 open to the public internet.
>
>You already see ssh doing its job correctly by not
>allowing unauthorized logons.
>
>Review the questions archives, this subject has been beat
>to death the last 3 weeks.
>
>There are some port applications that read the hosts.allow log and
>auto-create firewall rules to block that attacking ip address.
>But this is just busy work as it does not stop the packets
>hitting your front door or really add any additional security
>over what native ssh is providing you.
>
>A more popular method is to change the port number ssh uses and
>just have your remote ssh users use that port number when they
>remote logon to ssh.
>
>Now the mass majority of script kiddies & robots attackers will
>find port 22 closed and lose interest in you.
>Only a dedicated attacker who has it out for just you, and already knows
>your ip address, would make the special effort to scan all
>the high order port numbers looking for a ssh response.
>
>Read the end of this doc for more details on how to change ssh's
>port number.
>
>Direct link to "Example of Host SSH & Win SSH Clients" is
>http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.docs.software/books/ssh_how-to/cover.html
>
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Graham
>North
>Sent: Sunday, March 26, 2006 2:52 PM
>To: mark at mkproductions.org; questions freebsd
>Subject: Tightening up ssh
>
>
>Hi Mark:
>You recently wrote:
>
>"Users are encouraged to create single-purpose users with ssh keys
>and very narrowly defined sudo privileges instead of using root
>for automated tasks."
>
>Does this mean that there is a way to run ssh, but only allow
>certain users to use it? My default seems to have been that if
>someone has a username and password they can access ssh (except root,
>as "PermitRootLogin no" is the default). The ssh port seems to be
>the most heavily attacked one on my machine and so I recently took
>to blocking port 22. My preference would be to enable it for only
>one user and give them an obscure username and strong password.
>Root is not currently allowed access by default in the setup.
>
>Is this the approach that you alluded to above? Can you point me
>to some information or provide some tips?
>Thanks,  Graham/
>
>--
>
>Kindness can be infectious - try it.
>
>Graham North
>Vancouver, BC
>www.soleado.ca
>

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
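As an added example (my own, not something posted by anyone in this thread): an sshd_config fragment that implements both suggestions, the port change fbsd_user describes and the per-user restriction Graham asks about, plus the key-only single-purpose account Mark mentioned. The username backupops, port 2222 and the command path are made-up placeholders.

```conf
# /etc/ssh/sshd_config -- hardening fragment (added illustration, not from the thread)
# "backupops", 2222 and /usr/local/bin/run-backup are placeholders.

# 1. Move off port 22 so opportunistic scanners lose interest (fbsd_user's
#    advice). Open the new port in your firewall before restarting sshd.
Port 2222

# 2. Only the listed accounts may log in at all; everyone else is refused
#    before any password or key check runs. This answers Graham's question.
#    Several names may be listed, and the user@host form additionally limits
#    where that account may connect from.
AllowUsers backupops

# 3. Keys only: turn off password logins. On FreeBSD sshd hands the
#    keyboard-interactive method to PAM, so both directives are needed
#    before password prompts are really gone.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# 4. Already the FreeBSD default; stated explicitly so it survives later edits.
PermitRootLogin no

# 5. Cap guesses per connection (directive exists from OpenSSH 3.9 onward).
MaxAuthTries 3

# The matching line for a single-purpose account (Mark's advice) goes in
# ~backupops/.ssh/authorized_keys, not in this file: it pins the key to one
# command and disables forwarding and terminal allocation.
#   command="/usr/local/bin/run-backup",no-port-forwarding,no-pty ssh-rsa AAAA...placeholder... backup@client
```

Check the file with `sshd -t` before restarting, and keep your current session open while you confirm from a second connection that the allowed user can still get in and everyone else cannot.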

