LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-08-2002, 09:40 PM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
Securing SSH


OK, recently I had to open my firewall a bit to allow more SSH connectivity. SO along with that I beefed up my SSH security. Mandatory PKI being one of them. I was wondering if any of you had some more ideas to make my SSH server more secure, hopefully without adding frustration. But thats more of my
decision. Here's my sshd_config file:

Port 22
Protocol 2
ListenAddress 192.168.0.1
ListenAddress xx.xx.38.237
AllowUsers <me only>
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 30
KeyRegenerationInterval 900
PermitRootLogin no
#Compression yes

IgnoreRhosts yes

StrictModes yes
X11Forwarding yes
X11DisplayOffset 0
KeepAlive yes

SyslogFacility AUTH
LogLevel INFO

RhostsAuthentication no
RhostsRSAAuthentication no
#HostbasedAuthentication yes
RSAAuthentication yes
#PubkeyAuthentication yes

PasswordAuthentication no
PermitEmptyPasswords no

#ChallengeResponseAuthentication no


#MaxStartups 10:30:60
Banner /etc/issue.net
VerifyReverseMapping yes

Subsystem sftp /usr/libexec/openssh/sftp-server



tarballedtux
 
Old 11-09-2002, 01:57 AM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Looking at the sshd_config man page I'd recommend:
Quote:
Port 22
AllowGroups users
AllowTcpForwarding no
AllowUsers markus
AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/motd
ChallengeResponseAuthentication no
Ciphers blowfish-cbc
ClientAliveInterval 15
ClientAliveCountMax 4
Compression yes
GatewayPorts no
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts yes
KeepAlive no
KerberosAuthentication no
KeyRegenerationInterval 900
ListenAddress xxx.xxx.xxx.xxx:22
LoginGraceTime 15
LogLevel INFO
MaxStartups 5:50:100
PAMAuthenticationViaKbdInt no
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
PrintLastLog no
PrintMotd no
Protocol 2
PubkeyAuthentication no
RhostsAuthentication no
RSAAuthentication no
ServerKeyBits 1024
StrictModes yes
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UseLogin no
UsePrivilegeSeparation yes
VerifyReverseMapping yes
X11Forwarding no
As a side note I'd recommend using latest OpenSSH which is at this time 3.5

Last edited by markus1982; 11-09-2002 at 02:38 AM.
 
Old 11-15-2002, 02:29 PM   #3
Syncrm
Member
 
Registered: Aug 2001
Location: Lansing, Michigan
Distribution: slackware8+
Posts: 472

Rep: Reputation: 30
i increased ssh security by only allowing connections from certain (trusted) hosts. i used iptables for this on my firewall...
 
Old 11-16-2002, 04:45 AM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Quote:
OK, recently I had to open my firewall a bit to allow more SSH connectivity
I think this is the whole point. Allowing a wider range of hosts to connect, securing SSHD is neccessary more than with a very limited range of hosts.

Basically SSHD should be secured anyways so
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh-agent, ssh-add and ssh-keygen AND CVS raylpc Linux - General 2 11-19-2008 02:50 AM
Wierd happenings when securing SSH mattp Linux - Security 13 10-07-2005 07:00 AM
Securing SSH ZilverZtream Linux - Security 5 12-10-2004 03:33 PM
securing ssh robberttheman Linux - Security 8 08-27-2004 07:36 AM
Securing a system and its SSH install for access from the outside TheOneKEA Linux - Security 4 07-07-2004 03:27 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:24 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration