Security Basics mailing list archives
Re: Securing SSH
From: Luca Falavigna <fala83 () libero it>
Date: Tue, 13 Jan 2004 16:01:47 +0100
Here is my /etc/ssh/sshd_config file:

#Protocols
Protocol 2

# Authentication:
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression yes
MaxStartups 1
Banner /etc/motd
VerifyReverseMapping no
Subsystem sftp /usr/lib/ssh/sftp-server

In the Protocol section, enable ONLY 2. 1 isn't so secure and there is a risk of a m-i-t-m attack (see http://ettercap.sourceforge.net).

In Authentication, only enable PubkeyAuthentication: this option grants access only to a user who has an RSA or DSA private certificate in his HOME/.ssh directory and the corresponding public one in the server's HOME/.ssh/ (its name must be authorized_keys, or the same as in the AuthorizedKeysFile option). If he doesn't, he can't log in!

You can grant X11 forwarding if you think it's useful: X11 connections will be forwarded using the SSH protocol, granting great security.

You can also grant FTP-like access by enabling the last option, Subsystem.

If you want more explanations you can type man sshd and man sshd_config.

I hope this can help you!

Luca

Roland Venter wrote:
| I need to manage several servers remotely via SSH, I'm interested in ways to
| secure the connection and prevent unauthorised access.
|
| My thoughts:
| Limit access to only allow remote connections from our management network
| via iptables rules. Works but what if our ISP changes our fixed IP, which
| means we are effectively locked out from all the servers and requires a site
| visit to update the rules.
|
| We also need to provide access to engineers working from home using dialup,
| etc
|
| Some sort of client certificates to supplement username and password,
|
| Recommendations on securing the SSH daemon etc
|
| Any ideas and tips or random thoughts appreciated
|
| Cheers,
| Roland
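As an added example (not code from Luca's post, from Roland, or from OpenSSH itself), the following Python script audits an sshd_config against the hardening points the post makes: Protocol 2 only, public-key-only authentication, no root login, no empty passwords, privilege separation and strict modes. It parses the sshd_config keyword/value format as sshd does (keywords are case-insensitive, `#` starts a comment, both `Keyword value` and `Keyword=value` are accepted, and the first occurrence of a repeated keyword wins), stops at a `Match` block because settings after it are conditional, and treats a keyword that is simply missing as a finding rather than assuming a compiled-in default. The weak configuration embedded below is constructed for the demonstration; the hardened one is abridged from the post.

```python
"""Audit an sshd_config against the post's recommended settings.

Added example, not from the post or from OpenSSH. The constants below
are an assumption: the settings the post recommends, keyed by lower-case
keyword because sshd treats keywords case-insensitively.
"""
import re

EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "strictmodes": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "useprivilegeseparation": "yes",
    "permituserenvironment": "no",
}

# Abridged from the post's sshd_config (constructed subset).
HARDENED_CONFIG = """\
#Protocols
Protocol 2
# Authentication:
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Constructed weak configuration: allows protocol 1, root login and
# password/keyboard-interactive logins.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
UsePrivilegeSeparation yes
PermitUserEnvironment no
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Strips '#' comments, accepts 'Keyword value' and 'Keyword=value',
    lower-cases keywords, keeps the first value when a keyword repeats
    (as sshd does) and stops at a Match block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional settings follow; not audited here
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (keyword, found, expected) findings; empty list means clean.

    A missing keyword is reported with found=None: the file then relies
    on sshd's compiled-in default instead of stating the safe value.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in settings:
            findings.append((key, None, want))
            continue
        got = settings[key]
        if key == "protocol":
            # 'Protocol 2,1' or '1,2' still offers protocol 1 to clients.
            if {v.strip() for v in got.split(",")} != {"2"}:
                findings.append((key, got, want))
        elif got.lower() != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for key, got, want in audit(cfg):
            print(f"  {key}: found {got!r}, expected {want!r}")
```

To run it against a real file, read `/etc/ssh/sshd_config` and pass its contents to `audit()`; settings inside a `Match` block are deliberately left out, since they apply only to matching users or addresses and need a per-connection evaluation.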
Current thread:
- Securing SSH Roland Venter (Jan 09)
- Re: Securing SSH security (Jan 12)
- Re: Securing SSH Jude Naidoo (Jan 12)
- RE: Securing SSH Vinicius Moreira Mello (Jan 12)
- Re: Securing SSH Kevin Saenz (Jan 12)
- RE: Securing SSH Ethan King (Jan 12)
- Re: Securing SSH Brian C. Lane (Jan 12)
- Re: Securing SSH Miles Stevenson (Jan 12)
- Re: Securing SSH Joerg Over Dexia (Jan 12)
- Re: Securing SSH Kaushik Mukherjee (Jan 13)
- Re: Securing SSH Luca Falavigna (Jan 13)
- <Possible follow-ups>
- RE: Securing SSH Shawn Jackson (Jan 14)