Comments on: HOWTO: Five steps to a more secure SSH http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/ www.thinkhole.org Tue, 02 Feb 2010 16:30:08 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Giuseppe http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-200641 Giuseppe Wed, 24 Sep 2008 12:58:19 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-200641 Uhm... I'm a novice! I did all the good suggestions above... Now I'm not able to log using Putty anymore... I changed the port... HELP ! Uhm… I’m a novice! I did all the good suggestions above… Now I’m not able to log using Putty anymore…
I changed the port…
HELP !

]]> By: Gregg Lain http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-191433 Gregg Lain Sun, 24 Aug 2008 23:50:07 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-191433 Nice writeup - thanks for the extra stuff about the ssh keys - yes w/o a password if the box is stolen, its done. I read this somewhere and works great: Change port from 22 to 1025+ With Portsentry, it scans for daemonized ports - since 22 is no longer being used - and if the firewall allows port 22 incoming, now you have a honeypot for SSH hackers. Portensetry - up portsentry to scan up to say 25000 or so - against the documentation. I noticed most portscanners start at 1025 where the default portsentry stops... Nice writeup – thanks for the extra stuff about the ssh keys – yes w/o a password if the box is stolen, its done.

I read this somewhere and works great:
Change port from 22 to 1025+
With Portsentry, it scans for daemonized ports – since 22 is no longer being used – and if the firewall allows port 22 incoming, now you have a honeypot for SSH hackers.
Portensetry – up portsentry to scan up to say 25000 or so – against the documentation. I noticed most portscanners start at 1025 where the default portsentry stops…

]]> By: renato gallo http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-109400 renato gallo Thu, 25 Oct 2007 05:41:25 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-109400 at my job they passed me a ppk file, now I need to import it in my gentoo machine.... howto ? at my job they passed me a ppk file, now I need to import it in my gentoo machine…. howto ?

]]> By: Asrol http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-94879 Asrol Fri, 31 Aug 2007 18:04:52 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-94879 Question: # burkass Says: August 24th, 2007 at 2:36 pm by the way can i allow 1 ip address. btw i just want only 192.168.0.1 to control my comp via ssh. how can i do it ? Answer: User TCP Wrappers. Command ; vi /etc/hosts.deny # add line ALL:ALL vi /etc/hosts.allow # add line sshd:192.168.0.1 More -- Change the ssh default port from 22 port to others, such as port 2995 cd /etc/ssh/ vi sshd_config Find Port 22 and replace with; Port 2995 Dont use root to login. cd /etc/ssh/ vi sshd_config Find PermitRootLogin and change to ; PermitRootLogin no after all, killall -XUP xinetd /etc/init.d/sshd restart Hope its useful to others too regards thanks Question:

# burkass Says:
August 24th, 2007 at 2:36 pm

by the way can i allow 1 ip address.

btw i just want only 192.168.0.1 to control my comp via ssh.
how can i do it ?

Answer:

User TCP Wrappers.

Command ;

vi /etc/hosts.deny
# add line
ALL:ALL

vi /etc/hosts.allow
# add line
sshd:192.168.0.1

More –

Change the ssh default port from 22 port to others, such as port 2995

cd /etc/ssh/
vi sshd_config
Find Port 22 and replace with;

Port 2995

Dont use root to login.

cd /etc/ssh/
vi sshd_config

Find PermitRootLogin and change to ;

PermitRootLogin no

after all,

killall -XUP xinetd
/etc/init.d/sshd restart

Hope its useful to others too

regards

thanks

]]> By: burkass http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-92848 burkass Fri, 24 Aug 2007 19:36:01 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-92848 by the way can i allow 1 ip address. btw i just want only 192.168.0.1 to control my comp via ssh. how can i do it ? by the way can i allow 1 ip address.

btw i just want only 192.168.0.1 to control my comp via ssh.
how can i do it ?

]]> By: Tim Archer http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-52510 Tim Archer Tue, 10 Apr 2007 00:15:17 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-52510 I also have a small writeup on some minor changes I make to secure SSH (disable root login, change login grace time, change protocol, change port, etc) My writeup is at: <a href="http://timarcher.com/?q=node/46" rel="nofollow">http://timarcher.com/?q=node/46</a> I hope it helps somebody! I also have a small writeup on some minor changes I make to secure SSH (disable root login, change login grace time, change protocol, change port, etc)

My writeup is at:
http://timarcher.com/?q=node/46

I hope it helps somebody!

]]> By: rob http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-12230 rob Thu, 02 Nov 2006 16:38:13 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12230 You should add a section on role-based keys: limiting what commands can be run by a given key. It's great for role-based accounts such as for remote backup, and a good alternative to disabling root logins entirely. You should add a section on role-based keys: limiting what commands can be run by a given key. It’s great for role-based accounts such as for remote backup, and a good alternative to disabling root logins entirely.

]]> By: mikep http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-12158 mikep Thu, 02 Nov 2006 02:50:59 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12158 Re: alternate ports: For unix/command line ssh, edit/create ~/.ssh/config and make a section that looks like: host 192.168.1.3 Port 8022 Compression yes CompressionLevel 9 Plus whatever other config changes that are different for this host, then when you ssh to that IP (or hostname), it will automatically use port 8022 instead of the default 22. You can also put your port forwards, different ciphers, etc, basically, whatever you can set in the system-wide ssh_config can be set here. Re: alternate ports:

For unix/command line ssh, edit/create ~/.ssh/config and make a section that looks like:

host 192.168.1.3
Port 8022
Compression yes
CompressionLevel 9

Plus whatever other config changes that are different for this host, then when you ssh to that IP (or hostname), it will automatically use port 8022 instead of the default 22. You can also put your port forwards, different ciphers, etc, basically, whatever you can set in the system-wide ssh_config can be set here.

]]> By: 5 Steps To Secure SSH at Information Technology Blog http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-12122 5 Steps To Secure SSH at Information Technology Blog Wed, 01 Nov 2006 16:47:00 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12122 [...] Original Story: Link [...] [...] Original Story: Link [...]

]]> By: Jay http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/comment-page-1/#comment-12099 Jay Wed, 01 Nov 2006 14:03:36 +0000 http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh/#comment-12099 I agree with Mark, you shouldn't be allowing connections from anywhere to your ssh port. It's trivial to do and is worth more to secure your system than most of these other suggestions combined. I agree with Mark, you shouldn’t be allowing connections from anywhere to your ssh port. It’s trivial to do and is worth more to secure your system than most of these other suggestions combined.

]]>