Securing SSH



I REALLY like secure shell (SSH) for remote access to linux machines. You can do more than just a “telnet” like remote shell with it. (Port forwarding.) However, the default configuraton for the openssh-server is sometimes a bit less tight than I would like. For that reason on a new install, I usually like to make a few changes. I don’t know if I’ve mentioned this before, but I haven’t devoted a post JUST to this, so… here we go.


Under mandriva, the config file for the openssh server is at /etc/ssh/sshd_config First off, I like to make sure that just version 2 of the SSH protocol is used. This may break compatiblity with older clients that don’t support version 2. In a nutshell, v. 2 is a more secure implemenation
, and in my case, I don’t use anything that doesn’t support version 2… so… the following gets changed in the sshd_config – protocol 2,1 is commented out and protocol 2 added.

#Protocol 2,1
Protocol 2

Next, I like to make sure that root login is disabled…

PermitRootLogin no

After all, every system has a root user, why make it a bit easier for someone to brute force their way in?

I also like to setup a group called sshusers and limit access to just those that need to remotely get in.

AllowGroups sshusers

This way if I have a lame test account with an equally lame password, it can’t be remotely exploited this way (unless I’m dumb enough to add them to sshusers…)

The AllowUsers directive is another way to do this…
AllowUsers user1, user2, user3

These are just a couple steps you can take to tighten up your ssh server setup. For more on SSH usage and configuration you might consult the manual (man) pages, or may I suggest SSH, The Secure Shell: The Definitive Guide

Related Posts

Blog Traffic Exchange Related Posts
  • Denyhosts as an added defence to ssh server A couple days ago I had a brief article on the vandals banging away at the door of my ssh server. Like I said, I've, at times, been fairly smug abou the futility of their actions, but.... the persistance concerns me. Let me be more specific, I keep a fairly......
  • How to Remove KeepCop | Keep Cop Removal Guide KeepCop is yet another of those rogue antivirus applications that seem to be such a plague on computer users today. These rogue security applications usually installed without permission, or by means of trickery claiming to be a video codec or flash player update. Further they will start out on your......
  • VNC or Tightvnc for remote pc access I was surprised to do a search and find that I haven't mentioned tightvnc before (or even merely VNC as a useful tool.) Ok - here's the scenario, you need a way to get remote pc access, or remotely view a desktop, maybe it's a Windows machine and you're using......
Blog Traffic Exchange Related Websites
  • Comparison Between Free Of Charge And Paid Web Comparison between free of charge and paid Web security software has turn into a main subject of discussion amongst probably the most of all computer users recently. Numerous people who have employed both free of charge as well as paid Web security software place their strong opinions. Although many people......
  • Acoustic Guitar Accessories Regardless of whatever type of acoustic guitar you end up getting, the accessories that you choose are going to play a vital role in protecting the investment that you make. As you read through this list of accessories and equipment for your acoustic guitar, keep this in mind: Not all......
  • Microsoft Security Bulletin MS10-046 - Critical Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) Published: August 02, 2010¬†|¬†Updated: August 03, 2010 Version: 1.1 General Information Executive Summary This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site