SSHD_config question
John K Masters
johnmasters at me.com
Thu Aug 14 21:00:43 UTC 2008
On 21:29 Thu 14 Aug, Adam Funk wrote:
> On 2008-08-14, Knapp wrote:
>
> [MaxStartups option in sshd_config]
>
> > I hope, pray, that my system has strong security at this point with ssh
> > locked down hard and Firestarter locking out most other things. Have I
> > missed anything?
>
> Change "PermitRootLogin yes" to "PermitRootLogin no". It's also a
> good idea to allow login by SSH keys only; generate a keypair using
> ssh-keygen (there are some good HOWTOs on the web) and test the key
> from a remote machine, then (after testing!) change
> "PasswordAuthentication yes" to "PasswordAuthentication no". This
> makes dictionary-based cracking impossible.
>
If you do this then make sure you have another way in for when you
delete your key. It WILL happen. I speak from experience :)
> If you're running it on port 22 (the default), you will get a lot of
> noise in your logs from bots trying to log in using root and common
> account names. You can stop that by running it on a high-numbered
> port. (This is security by obscurity and you should not *rely* on it,
> but it definitely reduces log noise.)
>
I use logcheck to mail me every hour and fail2ban to permanently ban
after 3 failed attempts.
--
Regards, John
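A small audit script for the three sshd_config settings the thread covers, added here as an example and not code from the thread or from OpenSSH. It assumes a plain config file (no Match blocks or keyword=value syntax) and uses constructed sample configs rather than a real /etc/ssh/sshd_config:

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings discussed above (PermitRootLogin, PasswordAuthentication, Port).
# Assumes a plain config file; "Match" blocks and "keyword=value" syntax are
# not handled. Prints one line per finding and returns the finding count.

# Effective value of a keyword: sshd honours the FIRST matching line,
# keywords are case-insensitive, and lines starting with '#' are comments.
sshd_value() {  # $1 = config file, $2 = keyword, $3 = default when absent
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

audit_sshd_config() {  # $1 = path to sshd_config; exit status = findings
    findings=0
    # Default "yes" matches OpenSSH of the thread's era; 7.0+ defaults to
    # prohibit-password, but the thread's advice is an explicit "no".
    case "$(sshd_value "$1" PermitRootLogin yes)" in
        [Nn][Oo]) ;;
        *) echo "FINDING: PermitRootLogin should be 'no'"
           findings=$((findings + 1)) ;;
    esac
    case "$(sshd_value "$1" PasswordAuthentication yes)" in
        [Nn][Oo]) ;;
        *) echo "FINDING: PasswordAuthentication should be 'no' (keys only)"
           findings=$((findings + 1)) ;;
    esac
    # Not counted: moving off port 22 only cuts log noise, it is not a control.
    if [ "$(sshd_value "$1" Port 22)" = "22" ]; then
        echo "NOTE: listening on port 22; expect bot noise in the logs"
    fi
    return "$findings"
}

# Constructed sample configs: a weak one and one hardened as the thread advises.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '# constructed sample' 'Port 22' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARD_CFG" && echo "hardened config: no findings"
```

Point it at a copy of the live file only after the key-based login has been tested from another machine, as the thread stresses; on a real host `sshd -T` shows the effective values, including defaults this script has to assume.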
More information about the ubuntu-users mailing list