ssh

Tag: ssh

Securing Secure Shell

by Glen on Feb.21, 2009, Tags: linux, security, ssh

ssh

One of my favorite and most often used services is openSSH. While openSSH is generally known as being secure it never hurts to tweak a few extra settings.

Here are a few changes I generally do to help ensure openSSH is in tip top shape.

Use a strong password. My preference is to use randomly generated passwords of 20 plus alphanumeric characters with their own special blend of special characters. That should thwart most password crackers.
Change the port sshd listens on. Using port 22 hangs a sign out on your server saying I use sshd. While changing the port won’t stop anyone from figuring out you are running the service it will make them work harder. You can do this by changing the following in /etc/ssh/sshd_config:
Port 1234
Get rid of root logins. There is absolutely no reason to log in as root when you can use ’sudo’ or ’su’ to elevate a wheel user to root privileges. To set this change the following line in /etc/ssh/sshd_config:
PermitRootLogin no
Disable the antiquated Protocol 1 by changing to the Protocol line in /etc/ssh/sshd_config from ‘Protocol 1,2′ to the following:
Protocol 2
Another option would be to block lame dictionary attacks with denyhosts or ConfigServer Firewall/Login Failure Dameon. ConfigServer firewall has the added benefit of adding a friendly interface to help managing IPtables. Blocking login failures can sometimes be overkill if you are already have other restrictions in place like using keys only or using the AllowUsers directive in your /etc/ssh/sshd_config
If you prefer to use keys instead of password the following changes to /etc/ssh/sshd_config are a good start in tightening things up. If you are going to have any accounts that use password authentication you’ll be locked out of the server making these changes. So only do so if you are using keys to log in:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys PasswordAuthentication no
If you prefer to leave password authentication on then the AllowUser directive is for you. Below are a few examples this directive in play.
AllowUsers iizwheel@* AllowUsers fjones@* AllowUsers *@123.456.7.8 AllowUsers *@222.333.444.*

If anyone has further suggestions on securing openSSH please let me know.

Later I plan on doing posts on creating and using ssh keys, setting up DenyHosts, and setting up ConfigServer Firewall in future.

Leave a Comment :linux, security, ssh more...

Hello. Welcome to StellarTech Blog!
Thanks for dropping by! Feel free to join the discussion by leaving comments, and stay updated by subscribing to the RSS feed.
Blog Authors
Tags
cakephp cisco cli ddos desktop developement family freebsd freelance gadgets hosting javascript linux list networking news openvpn pfsense phishing php ramblings resources router samba security site software reviews ssh streaming tutorials ubuntu video vista w2k3 windows
Now Playing
Space (I Believe In) by Pixies
from the album Trompe le Monde.
0 days ago via last.fm.
Recent Activies
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.
- Watched a video on Hulu.

Securing Secure Shell

StellarTech Blog

Tag: ssh

Hello. Welcome to StellarTech Blog!

Blog Authors

Now Playing

Recent Activies

Amazon Wish List

Looking for something?

My Favorites Sites

Archives