Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
You sure do need an ssh server if you want to ssh in to your box. There's a bunch of documentation on the server if you unpack the source, provided you compile it from source. Even if you don't, there should be a bunch of documentation in the distribution you use.
For the most part, pretty much all the major distributions have an ssh server installed by default. There's a system-wide configuration file called ssh_config that you can look at that's pretty well commented. Then there are the per-user ssh configuration files.
Just look through your tree for stuff related to ssh; run 'locate ssh' and more stuff than you can shake a stick at should show up.
Just want to clarify one point: The relevant file is sshd_config. The ssh_config file is the ssh client configuration. Whereas the sshd_config file is the server (or ssh daemon) configuration file.
And, on the subject of 'locking down' your ssh server, two things to implement are:
a) Change the line which reads 'Protocol 1,2' in sshd_config to 'Protocol 2'.
b) Change the line which reads 'PermitRootLogin yes' to 'PermitRootLogin no'. It is more secure to log in as a regular user, then su to root if necessary.
Making that change will instruct sshd to not accept connections using protocol 1, which has been superseded by protocol 2. The following is an excerpt from a nessus scan run on a server which allows both:
Quote:
Warning found on port ssh (22/tcp)
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
Notice the risk from this is considered low. However, IMHO it's a simple fix, so why leave even a remote vulnerability. Give it a try, then if your ssh client can't connect, you can either get a newer client, or change the config back to allow protocol 1.
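An added, editor-supplied example (not code posted by anyone in this thread) that checks a sshd_config for the two settings recommended above and writes a hardened copy. Two details of sshd's parser matter here and are easy to get wrong by hand: lines beginning with '#' are ignored (a commented-out `#PermitRootLogin no` does nothing), and for each keyword the first active value wins, so appending a new line at the bottom of the file does not override an earlier one, and anything after the first `Match` line applies only inside that block. Two caveats for readers on newer systems: OpenSSH 7.0 changed the default for PermitRootLogin to `prohibit-password`, and OpenSSH 7.4 removed SSH protocol 1 from the server entirely, so on those versions the `Protocol` directive is obsolete and the Nessus finding cannot occur. The sample config, the function names and the `(disabled by ...)` marker are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and harden an sshd_config
# for the two settings recommended above, "Protocol 2" and "PermitRootLogin no".
# It mirrors the sshd_config parsing rules that matter here:
#   - lines starting with '#' and blank lines are comments;
#   - keywords are case-insensitive, separated from the value by whitespace or '=';
#   - for each keyword the FIRST active value wins, so a line appended at the
#     bottom of the file does not override an earlier one;
#   - everything after the first "Match" line applies only inside that block,
#     so only the global section (before Match) is inspected or rewritten.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD in the global section, or
# nothing if it is not set there (the compiled-in default then applies).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { s = $0; sub(/^[ \t]+/, "", s) }           # drop leading whitespace
        s ~ /^#/ || s == "" { next }                # comment or blank line
        { split(s, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "match" { exit }                       # end of the global section
        k == key     { print f[2]; exit }           # first active value wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints one finding per line and returns 1 if either setting needs changing.
audit_sshd_config() {
    _rc=0
    _proto=$(effective_value "$1" Protocol)
    case "$_proto" in
        2)  ;;
        "") printf 'INFO: Protocol not set explicitly; confirm the effective value with "sshd -T"\n' ;;
        *)  printf 'WARN: Protocol is "%s"; change it to "Protocol 2"\n' "$_proto"; _rc=1 ;;
    esac
    _root=$(effective_value "$1" PermitRootLogin)
    case "$_root" in
        no) ;;
        "") printf 'WARN: PermitRootLogin not set; set it to "no" rather than relying on the default\n'; _rc=1 ;;
        *)  printf 'WARN: PermitRootLogin is "%s"; change it to "PermitRootLogin no"\n' "$_root"; _rc=1 ;;
    esac
    return $_rc
}

# harden_sshd_config IN OUT
# Writes a hardened copy of IN to OUT: the two directives go at the top (so they
# win under first-match semantics) and any earlier global occurrences are
# commented out so the file stays readable. Validate with "sshd -t -f OUT"
# before installing it over the real file.
harden_sshd_config() {
    {
        printf 'Protocol 2\nPermitRootLogin no\n'
        awk '
            { s = $0; sub(/^[ \t]+/, "", s) }
            s ~ /^#/ || s == "" { print; next }
            { split(s, f, /[ \t=]+/); k = tolower(f[1]) }
            k == "match" { inmatch = 1 }
            !inmatch && (k == "protocol" || k == "permitrootlogin") {
                print "#" $0 "   (disabled by harden_sshd_config)"; next
            }
            { print }
        ' "$1"
    } > "$2"
}

# write_sample_config FILE
# Constructed sample for the demo (not a real host's file). It contains the
# usual traps: a commented-out "PermitRootLogin no" that does nothing, an
# active "PermitRootLogin yes", and a "PermitRootLogin no" that sits inside a
# Match block, so it applies only to that user and not globally.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 1,2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

# Demo: audit the sample, harden it, audit the result.
demo() {
    _d=${TMPDIR:-/tmp}/sshd_audit.$$
    mkdir -p "$_d"
    write_sample_config "$_d/sshd_config"
    echo "== before =="; audit_sshd_config "$_d/sshd_config" || true
    harden_sshd_config "$_d/sshd_config" "$_d/sshd_config.hardened"
    echo "== after =="; audit_sshd_config "$_d/sshd_config.hardened" && echo "clean"
    rm -rf "$_d"
}
demo
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` and compare with `sshd -T`, which prints the settings the daemon actually resolved (including defaults and anything pulled in by `Include`); the script only reads the one file it is given.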