Comments on: HOWTO: Five steps to a more secure SSH http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/ There should be one obvious way to do it. Fri, 25 Jul 2008 03:53:42 +0000 http://wordpress.org/?v=2.6 By: renato gallo http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-109400 renato gallo Thu, 25 Oct 2007 05:41:25 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-109400 at my job they passed me a ppk file, now I need to import it in my gentoo machine.... howto ? at my job they passed me a ppk file, now I need to import it in my gentoo machine…. howto ?

]]> By: Asrol http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-94879 Asrol Fri, 31 Aug 2007 18:04:52 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-94879 Question: # burkass Says: August 24th, 2007 at 2:36 pm by the way can i allow 1 ip address. btw i just want only 192.168.0.1 to control my comp via ssh. how can i do it ? Answer: User TCP Wrappers. Command ; vi /etc/hosts.deny # add line ALL:ALL vi /etc/hosts.allow # add line sshd:192.168.0.1 More -- Change the ssh default port from 22 port to others, such as port 2995 cd /etc/ssh/ vi sshd_config Find Port 22 and replace with; Port 2995 Dont use root to login. cd /etc/ssh/ vi sshd_config Find PermitRootLogin and change to ; PermitRootLogin no after all, killall -XUP xinetd /etc/init.d/sshd restart Hope its useful to others too regards thanks Question:

# burkass Says:
August 24th, 2007 at 2:36 pm

by the way can i allow 1 ip address.

btw i just want only 192.168.0.1 to control my comp via ssh.
how can i do it ?

Answer:

User TCP Wrappers.

Command ;

vi /etc/hosts.deny
# add line
ALL:ALL

vi /etc/hosts.allow
# add line
sshd:192.168.0.1

More –

Change the ssh default port from 22 port to others, such as port 2995

cd /etc/ssh/
vi sshd_config
Find Port 22 and replace with;

Port 2995

Dont use root to login.

cd /etc/ssh/
vi sshd_config

Find PermitRootLogin and change to ;

PermitRootLogin no

after all,

killall -XUP xinetd
/etc/init.d/sshd restart

Hope its useful to others too

regards

thanks

]]> By: burkass http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-92848 burkass Fri, 24 Aug 2007 19:36:01 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-92848 by the way can i allow 1 ip address. btw i just want only 192.168.0.1 to control my comp via ssh. how can i do it ? by the way can i allow 1 ip address.

btw i just want only 192.168.0.1 to control my comp via ssh.
how can i do it ?

]]> By: Tim Archer http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-52510 Tim Archer Tue, 10 Apr 2007 00:15:17 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-52510 I also have a small writeup on some minor changes I make to secure SSH (disable root login, change login grace time, change protocol, change port, etc) My writeup is at: <a href="http://timarcher.com/?q=node/46" rel="nofollow">http://timarcher.com/?q=node/46</a> I hope it helps somebody! I also have a small writeup on some minor changes I make to secure SSH (disable root login, change login grace time, change protocol, change port, etc)

My writeup is at:
http://timarcher.com/?q=node/46

I hope it helps somebody!

]]> By: rob http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12230 rob Thu, 02 Nov 2006 16:38:13 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12230 You should add a section on role-based keys: limiting what commands can be run by a given key. It's great for role-based accounts such as for remote backup, and a good alternative to disabling root logins entirely. You should add a section on role-based keys: limiting what commands can be run by a given key. It’s great for role-based accounts such as for remote backup, and a good alternative to disabling root logins entirely.

]]> By: mikep http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12158 mikep Thu, 02 Nov 2006 02:50:59 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12158 Re: alternate ports: For unix/command line ssh, edit/create ~/.ssh/config and make a section that looks like: host 192.168.1.3 Port 8022 Compression yes CompressionLevel 9 Plus whatever other config changes that are different for this host, then when you ssh to that IP (or hostname), it will automatically use port 8022 instead of the default 22. You can also put your port forwards, different ciphers, etc, basically, whatever you can set in the system-wide ssh_config can be set here. Re: alternate ports:

For unix/command line ssh, edit/create ~/.ssh/config and make a section that looks like:

host 192.168.1.3
Port 8022
Compression yes
CompressionLevel 9

Plus whatever other config changes that are different for this host, then when you ssh to that IP (or hostname), it will automatically use port 8022 instead of the default 22. You can also put your port forwards, different ciphers, etc, basically, whatever you can set in the system-wide ssh_config can be set here.

]]> By: 5 Steps To Secure SSH at Information Technology Blog http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12122 5 Steps To Secure SSH at Information Technology Blog Wed, 01 Nov 2006 16:47:00 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12122 [...] Original Story: Link [...] [...] Original Story: Link [...]

]]> By: Jay http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12099 Jay Wed, 01 Nov 2006 14:03:36 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12099 I agree with Mark, you shouldn't be allowing connections from anywhere to your ssh port. It's trivial to do and is worth more to secure your system than most of these other suggestions combined. I agree with Mark, you shouldn’t be allowing connections from anywhere to your ssh port. It’s trivial to do and is worth more to secure your system than most of these other suggestions combined.

]]> By: John http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12060 John Wed, 01 Nov 2006 04:13:31 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12060 @Swoosh: I believe that's basically what <a href="http://www.hexten.net/pam_abl/" rel="nofollow" rel="nofollow" rel="nofollow" rel="nofollow">pam_abl</a> does, and is certainly a good alternative to DenyHosts if you are looking for one. (And if you don't mind missing out on DenyHosts' synchronization abilities.) - John @Swoosh:

I believe that’s basically what pam_abl does, and is certainly a good alternative to DenyHosts if you are looking for one. (And if you don’t mind missing out on DenyHosts’ synchronization abilities.)

- John

]]> By: Swoosh http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12054 Swoosh Wed, 01 Nov 2006 02:31:02 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12054 Another good thing to look into (for securiing SSH over Linux) is PAM. Its pratical use would be to block a host after 4 unsucessfull login attempts, and then keep it blocked untill you physically unblock them (or set up a cron.hourly scripit to do it every hour) Another good thing to look into (for securiing SSH over Linux) is PAM. Its pratical use would be to block a host after 4 unsucessfull login attempts, and then keep it blocked untill you physically unblock them (or set up a cron.hourly scripit to do it every hour)

]]>