Date: Sun, 26 Mar 2006 15:53:58 -0500
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Graham North" <northg@shaw.ca>, <mark@mkproductions.org>, "questions freebsd" <freebsd-questions@freebsd.org>
Subject: RE: Tightening up ssh
Message-ID: <MIEPLLIBMLEEABPDBIEGEEDPHDAA.fbsd_user@a1poweruser.com>
In-Reply-To: <4426F0EB.5040109@shaw.ca>
The fact of life is there is no way to stop ssh logon attacks as long as you have port 22 open to the public internet. You already see ssh doing its job correctly by not allowing unauthorized logons. Review the questions archives, this subject has been beaten to death the last 3 weeks.

There are some ports applications that read the hosts.allow log and auto-create firewall rules to block that attacking ip address. But this is just busy work as it does not stop the packets hitting your front door or really add any additional security over what native ssh is providing you.

A more popular method is to change the port number ssh uses and just have your remote ssh users use that port number when they remote logon to ssh. Now the vast majority of script kiddies & robot attackers will find port 22 closed and lose interest in you. Only a dedicated attacker who has it out for just you, and already knows your ip address, would make the special effort to scan all the high order port numbers looking for a ssh response.

Read the end of this doc for more details on how to change ssh's port number. Direct link to "Example of Host SSH & Win SSH Clients" is http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.docs.software/books/ssh_how-to/cover.html

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Graham North
Sent: Sunday, March 26, 2006 2:52 PM
To: mark@mkproductions.org; questions freebsd
Subject: Tightening up ssh

Hi Mark:

You recently wrote: "Users are encouraged to create single-purpose users with ssh keys and very narrowly defined sudo privileges instead of using root for automated tasks."

Does this mean that there is a way to run ssh, but only allow certain users to use it? My default seems to have been that if someone has a username and password they can access ssh (except root, as "PermitRootLogin no" is the default).
The ssh port seems to be the most heavily attacked one on my machine and so I recently took to blocking port 22. My preference would be to enable it to only one user and give them an obscure username and strong password. Root is not currently allowed access by default in the setup. Is this the approach that you alluded to above? Can you point me to some information or provide some tips?

Thanks,
Graham

--
Kindness can be infectious - try it.
Graham North
Vancouver, BC
www.soleado.ca
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGEEDPHDAA.fbsd_user>
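Added example, not part of the thread above and not written by either poster: a POSIX sh audit of an sshd_config for the two things the thread discusses, moving sshd off port 22 and restricting which accounts may log in at all (AllowUsers), plus the related PermitRootLogin and PasswordAuthentication settings. The two configuration files it writes are constructed for the example, and the user names (gnorth, backupbot), the port 42022 and the temp-dir paths are assumptions, not anything from the list posts.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config for
# the hardening discussed above. All file contents, user names and the port
# number below are constructed for illustration.

# sshd_value FILE KEYWORD
# Prints the effective global value of KEYWORD. sshd keywords are
# case-insensitive, the first non-comment occurrence wins, and anything
# after a Match line is conditional, so reading stops there.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_ports FILE
# Prints every configured Port (sshd listens on all of them), or 22 if none.
sshd_ports() {
    ports=$(awk '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { print $2 }
    ' "$1")
    [ -n "$ports" ] && echo "$ports" || echo 22
}

# audit_sshd_config FILE
# One line per finding on stdout; returns 0 when there are none, 1 otherwise.
audit_sshd_config() {
    f="$1"; rc=0
    for p in $(sshd_ports "$f"); do
        if [ "$p" = 22 ]; then
            echo "Port 22 is in use: every scanner and robot will find sshd"; rc=1
        fi
    done
    if [ -z "$(sshd_value "$f" AllowUsers)" ] && [ -z "$(sshd_value "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: any account with a password may log in"; rc=1
    fi
    if [ "$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin is not explicitly 'no'"; rc=1
    fi
    if [ "$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PasswordAuthentication is not 'no': password guessing stays possible"; rc=1
    fi
    return $rc
}

# write_sample_configs
# Writes two constructed configs to a temp dir and sets WEAK_CONF / HARD_CONF.
write_sample_configs() {
    dir=$(mktemp -d) || return 1
    WEAK_CONF="$dir/sshd_config.weak"
    HARD_CONF="$dir/sshd_config.hardened"
    # Stock-looking file: everything commented out, so sshd runs on defaults.
    cat > "$WEAK_CONF" <<'EOF'
#Port 22
#PermitRootLogin no
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
    # Hardened file: obscure port, two named accounts only, keys only.
    cat > "$HARD_CONF" <<'EOF'
Port 42022
AllowUsers gnorth backupbot
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Demo: audit both constructed files.
write_sample_configs
for c in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $c =="
    audit_sshd_config "$c" && echo "no findings"
done
```

Before restarting sshd with a changed file, run `sshd -t -f /path/to/sshd_config` so a syntax error cannot lock you out, open the new port in the firewall first, and keep your current session open until a fresh login on the new port succeeds; an AllowUsers line that omits the account you are logged in as will do exactly what it says.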