SSHD_config question

Charlie Brune Ubuntu at BruneWorld.com
Fri Aug 15 01:30:43 UTC 2008


John K Masters wrote:
> On 21:29 Thu 14 Aug     , Adam Funk wrote:
>   
>> On 2008-08-14, Knapp wrote:
>>
>> [MaxStartups option in sshd_config]
>>
>>     
>>> I hope, pray, that my system has strong security at this point with ssh
>>> locked down hard and Firestarter locking out most other things. Have I
>>> missed anything?
>>>       
>> Change "PermitRootLogin yes" to "PermitRootLogin no".  It's also a
>> good idea to allow login by SSH keys only; generate a keypair using
>> ssh-keygen (there are some good HOWTOs on the web) and test the key
>> from a remote machine, then (after testing!) change
>> "PasswordAuthentication yes" to "PasswordAuthentication no".  This
>> makes dictionary-based cracking impossible.
>>
>>     
>
> If you do this then make sure you have another way in for when you
> delete your key. It WILL happen. I speak from experience :)
>
>   
>> If you're running it on port 22 (the default), you will get a lot of
>> noise in your logs from bots trying to log in using root and common
>> account names.  You can stop that by running it on a high-numbered
>> port.  (This is security by obscurity and you should not *rely* on it,
>> but it definitely reduces log noise.)
>>
>>     
>
> I use logcheck to mail me every hour and fail2ban to permanently ban 
> after 3 failed attempts.
>
>  
>   
Note that you can have more than one "port" command defined.  For 
example, you can use something like:
port 22
port 2221

That way, you can use port 22 inside your firewall and only open up port 
2221 for remote SSH access.

You should also limit logins to specific users or groups, if you can.  
For example, use something like:
allowusers fred

and only the user "fred" will be able to ssh in to your system.
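As an added example (not from the thread or from OpenSSH itself), the Python below audits an sshd_config text for the settings discussed above: PermitRootLogin, PasswordAuthentication, an AllowUsers/AllowGroups restriction, and the Port list. The two sample configs are constructed; the parser follows the sshd_config rule that, for most keywords, the first value read wins, which is why appending a hardening line at the bottom of a stock file changes nothing.

```python
import re

def parse_sshd_config(text):
    """Return (first_values, ports). sshd_config keywords are case-insensitive,
    the FIRST value seen for a keyword is the one sshd uses, Port may repeat,
    and anything after the first Match block is conditional (ignored here)."""
    first, ports = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" or "Key=val"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            first.setdefault(key, value)           # keep the first occurrence
    return first, ports

def audit_sshd_config(text):
    """Apply the thread's hardening checks; unset keywords fall back to
    compiled-in defaults that vary by OpenSSH version, so an explicit value
    is required for the two critical ones."""
    first, ports = parse_sshd_config(text)
    findings = []
    if first.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin must be 'no', got %r" % first.get("permitrootlogin"))
    if first.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication must be 'no', got %r" % first.get("passwordauthentication"))
    if "allowusers" not in first and "allowgroups" not in first:
        findings.append("no AllowUsers/AllowGroups: any account with a shell can log in")
    return {"ports": ports or ["22"], "findings": findings}   # 22 is sshd's default port

# Constructed sample: the admin appended "no" lines to a stock file, but the
# earlier "yes" lines are the ones sshd actually honours.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening attempt, appended later (has no effect):
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample matching the advice in the thread.
HARDENED_CONFIG = """\
# 22 stays inside the firewall; only 2221 is opened for remote access
Port 22
Port 2221
PermitRootLogin no
PasswordAuthentication no
AllowUsers fred
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(name, result["ports"], result["findings"] or ["OK"])
```

On a live host, `sshd -T` prints the effective configuration after all parsing, which is the authoritative thing to feed into a check like this.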
