Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
04-21-2006, 01:36 PM
|
#1
|
LQ Newbie
Registered: Jul 2005
Posts: 13
Rep:
|
allow SSH service securely
How do I best allow ssh access to my home desktop,
w/ minimum security risk?
1) what router would you recommend?
2) open port 33243 for example at the router and forward it to sshd port?
3) stronger username/password..
What else? Am I doing something wrong/ missing something?
Thanks,
Nick
|
|
|
04-21-2006, 01:42 PM
|
#2
|
Member
Registered: May 2004
Location: Atlanta, GA USA
Distribution: Redhat ES4, FC4, FC5, slax, ubuntu, knoppix
Posts: 155
Rep:
|
Cynick,
Make sure you configure the ssh server to only accept connections via sshv2. Moving it to a different port will help you as well. Another idea is to only allow the user ID or IDs you want to have access. In your sshd.conf you can put in either users or groups to have access.
Change your password frequently and make it a strong password. You can also look into using shared keys. However, I am not sure how to implement that.
|
|
|
04-21-2006, 02:48 PM
|
#3
|
Member
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298
Rep:
|
Another option, if you always use the same computer for remote connection, is to allow ssh access to the specific ip address of that workstation, so that it makes it all that more difficult for someone to access your machine via ssh ... unless they are cracking from your office.
|
|
|
04-21-2006, 10:43 PM
|
#4
|
Senior Member
Registered: Aug 2005
Posts: 1,755
Rep:
|
* make sure root login is disabled ("PermitRootLogin no" in sshd_config)
* if possible, disable passwords altogether and only use public keys
* install DenyHosts; packages exist on most distros
|
|
|
04-21-2006, 11:22 PM
|
#5
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Take a look at the "man sshd_config" man page. The entries for AllowUsers and DenyUsers can be used to control who and from where a user can log in. There are also AllowGroups and DenyGroups entries which can be used if there are many users who are allowed to log in. You could make a new group and use it to control access, by only allowing members of the group to log in. This makes it easy to control who can and can't log in via ssh by controlling who is a member of this group. This config uses the "*" and "?" wild cards. At the very least, the system users should be listed in DenyUsers.
I'm not certain if the UsePAM option would affect this access control.
Last edited by jschiwal; 04-21-2006 at 11:59 PM.
|
|
|
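The sshd_config settings suggested in posts #2, #4 and #5 can be checked mechanically. The following audit script is an added example, not code from any poster in the thread; the sample config and the user name `backup` are constructed. It assumes each setting should be stated explicitly rather than left to version-dependent defaults, and it relies on the sshd_config(5) rule that the first value obtained for a keyword is the one used.

```python
import re

# Constructed sample config, not taken from the thread.
SAMPLE = """\
# sshd_config (constructed sample)
Port 33243
Protocol 2,1
PermitRootLogin no
# the next line is ignored by sshd: the first value for a keyword wins
permitrootlogin yes
PasswordAuthentication yes
Match User backup
    AllowUsers backup
"""

# Values recommended in the thread (SSHv2 only, no root login, keys only).
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

def parse_global(text):
    """Return {lowercased keyword: first value} for the global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # settings after Match are conditional
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_global(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, want {want}")
        elif got.lower() != want:
            findings.append(f"{key}: {got}, want {want}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no global AllowUsers/AllowGroups restriction")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

Current OpenSSH releases support only protocol 2 and treat the Protocol keyword as deprecated, so on a modern system that check can be dropped from `REQUIRED`.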
All times are GMT -5. The time now is 10:58 AM.