LinuxQuestions.org, Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I FINALLY got openssh-2.9p2 to work this week and before I open up its external port to the world, I have one thing to ask: how can I make it more secure? Currently I'm using the system passwords to login, but I think there is something better, I'm not sure. Anyway here is my sshd_config:
# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
Some general measures:
- Use public key authentication (harder to crack, use pass phrases not passwords),
- don't use fallback (Protocol 2,1), just use "Protocol 2" (Prot 1 should be phased out as "less secure"),
- When you know your users will be coming in from specific addresses, add 'em to hosts.allow when ssh is compiled with --with-libwrap (TCP Wrappers), or add 'em to your firewall (better trust relation with remote hosts).
For the truly (and rightly so) paranoid:
- Lower login grace time (less guessing time),
- Lower key regen interval (a grabbed key, when used for decoding traffic, will change more often = better),
- Set MaxStartups (basically the directive's name is misleading; its value gives you some form of connection throttling),
- reversemapping=yes (check by resolving remote host credentials).
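An added example, not code from the thread or from OpenSSH: a small Python audit that parses an sshd_config the way sshd reads it (first occurrence of a directive wins) and flags the settings the reply above calls out. The sample config is constructed from the posted file; the numeric thresholds, the 2.9-era defaults, and the use of the old ReverseMappingCheck directive name are this example's assumptions.

```python
# Added example, not from the thread: audit an sshd_config against the advice in
# the reply above. SAMPLE_SSHD_CONFIG is constructed from the posted file.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Map lowercased directive -> value; sshd keeps the first occurrence, comments/blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return [(Directive, finding)] for settings weaker than the reply recommends (defaults assumed 2.9-era)."""
    conf = parse_sshd_config(text)
    findings = []
    if "1" in conf.get("protocol", "2,1").replace(" ", "").split(","):
        findings.append(("Protocol", "protocol 1 allowed; use 'Protocol 2' only"))
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PasswordAuthentication", "enabled; use public keys and set 'no'"))
    if conf.get("permitrootlogin", "yes").lower() != "no":
        findings.append(("PermitRootLogin", "root login permitted; set 'no'"))
    grace = int(conf.get("logingracetime", "600"))
    if grace > 120:  # threshold is this example's choice
        findings.append(("LoginGraceTime", f"{grace}s gives guessers a long window; lower it"))
    regen = int(conf.get("keyregenerationinterval", "3600"))
    if regen > 900:  # threshold is this example's choice
        findings.append(("KeyRegenerationInterval", f"{regen}s; regenerate the protocol-1 server key more often"))
    if "maxstartups" not in conf:
        findings.append(("MaxStartups", "unset; set it to throttle unauthenticated connections"))
    # ReverseMappingCheck is the OpenSSH 2.x-era name (assumed); later releases replaced it with UseDNS.
    if conf.get("reversemappingcheck", "no").lower() != "yes":
        findings.append(("ReverseMappingCheck", "not 'yes'; enable reverse DNS check of clients"))
    return findings

if __name__ == "__main__":
    for directive, finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: {finding}")
```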
You probably didn't read man ssh(d) well. For public key auth with Protocol 2 you will need to add the contents of the public key ~/.ssh/id_dsa.pub to/from your remote account. Also the "ssh-keygen -t rsa" isn't necessary, it's only public keygenning for Protocol 1. Also look into the PreferredAuthentication directive (man sshd, IIRC).