Security Basics mailing list archives

Re: Securing SSH


From: Luca Falavigna <fala83 () libero it>
Date: Tue, 13 Jan 2004 16:01:47 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is my /etc/ssh/sshd_config file:

#Protocols
Protocol 2

# Authentication:
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression yes
MaxStartups 1
Banner /etc/motd
VerifyReverseMapping no
Subsystem       sftp    /usr/lib/ssh/sftp-server

In the Protocol section, enable ONLY 2. 1 isn't so secure and there is a
risk of a m-i-t-m attack (see http://ettercap.sourceforge.net).
In Authentication, only enable PubkeyAuthentication: this option grants
access only to a user who has an RSA or DSA private certificate in his
HOME/.ssh directory and the corresponding public one in the server's
HOME/.ssh/ (its name must be authorized_keys or the one set in the
AuthorizedKeysFile option). If he doesn't, he can't log in!
You can grant X11 forwarding if you think it's useful: X11 connections
will be forwarded using the SSH protocol, granting great security.
You can also grant FTP-like access by enabling the last option, Subsystem.

If you want more explanations you can type man sshd and man sshd_config.

I hope this can help you!



Luca





Roland Venter wrote:
| I need to manage several servers remotely via SSH, I'm interested in
| ways to secure the connection and prevent unauthorised access.
|
| My thoughts:
| Limit access to only allow remote connections from our management network
| via iptables rules. Works but what if our ISP changes our fixed IP, which
| means we are effectively locked out from all the servers and requires
| a site visit to update the rules.
|
| We also need to provide access to engineers working from home using
| dialup, etc
|
| Some sort of client certificates to supplement username and password,
|
| Recommendations on securing the SSH daemon etc
|
| Any ideas and tips or random thoughts appreciated
|
| Cheers,
| Roland
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBQAQIVsExircinXweAQKRgAf+O8ZValmH3GHJr94t59PRsrak95PRmb4W
kQKqklLOmarfyQK25ZNfSXHqttj+DhhLibIUJbEOblHG4UnFAy8L9cxLDBy8Zb+b
GoVX09rGzO0yqnNo2jy5y+u3eHi72S3eZRN39gskCmQW3J96WnmileUh1Z/MXtbQ
d58SU0p2Y0BQfKfi7dGakwDSIBPs1PNcWceljliS3dyy6cT0KcF5OssOLI/KZ7bG
qQ3EVvEhAUh3fNRubTa5ZIHCHefj/zc04j+gA/cFgnLgLqJ4cVHdLHkjmRedIJX+
ynSufubgt7g6bJrsY4jdJC+o1zj9gs4HIQ9/6jcsf8W7dCsH516hUQ==
=M1o+
-----END PGP SIGNATURE-----
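The settings recommended in the message above can be checked mechanically. The following POSIX shell script is an added example for this archive page; it is not part of the original thread and not OpenSSH's own tooling. It reads an sshd_config, resolves each directive the way sshd does (comments stripped, keywords case-insensitive, the first occurrence of a keyword wins), and reports which of the recommended values (Protocol 2, no root or password logins, public-key authentication, privilege separation) are set, missing, or wrong. The two configuration files it writes to temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening settings
# recommended in the thread. Not OpenSSH code; the checked values are
# those from the message above.

# sshd_get FILE KEYWORD -> prints the effective value of KEYWORD.
# sshd honours the FIRST occurrence of a keyword, treats keywords as
# case-insensitive, and ignores everything after '#'.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                 # strip comments
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# sshd_audit FILE -> one line per directive; exit status = number of problems.
# A directive that is absent is reported as MISSING, because then sshd's
# compiled-in default applies rather than the value the post recommends.
sshd_audit() {
    file="$1"
    failures=0
    for pair in \
        "Protocol=2" \
        "PermitRootLogin=no" \
        "PasswordAuthentication=no" \
        "PermitEmptyPasswords=no" \
        "PubkeyAuthentication=yes" \
        "UsePrivilegeSeparation=yes" \
        "StrictModes=yes" \
        "PermitUserEnvironment=no"
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_get "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want; sshd default applies)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL    $key=$got (want $want)"
            failures=$((failures + 1))
        else
            echo "ok      $key=$got"
        fi
    done
    return "$failures"
}

# Constructed sample files (not from any real host).
hardened=$(mktemp); lax=$(mktemp)
cat > "$hardened" <<'EOF'
Protocol 2
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
PermitUserEnvironment no
# A later duplicate does NOT override the earlier line: sshd keeps the first.
PasswordAuthentication yes
EOF
cat > "$lax" <<'EOF'
# Typical stock-looking file: protocol 1 still offered, root/password login on.
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes   # trailing comment is ignored
PubkeyAuthentication yes
EOF

echo "== hardened sample =="; sshd_audit "$hardened" || echo "-> $? problem(s)"
echo "== lax sample ==";      sshd_audit "$lax"      || echo "-> $? problem(s)"
rm -f "$hardened" "$lax"
```

Run it as `sh audit_sshd.sh`; to check a real host, call `sshd_audit /etc/ssh/sshd_config` and treat a non-zero exit status as "something to review". The duplicate `PasswordAuthentication` line in the hardened sample is there on purpose: an audit that reads the last occurrence instead of the first would report the wrong effective value.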
