Date: Sun, 26 Mar 2006 13:25:45 -0800
From: Graham North <northg@shaw.ca>
To: fbsd_user@a1poweruser.com
Cc: mark@mkproductions.org, questions freebsd <freebsd-questions@freebsd.org>
Subject: Re: Tightening up ssh
Message-ID: <442706D9.60407@shaw.ca>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEEDPHDAA.fbsd_user@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGEEDPHDAA.fbsd_user@a1poweruser.com>
Thank you.
G/

fbsd_user wrote:
> The fact of life is there is no way to stop ssh logon attacks
> as long as you have port 22 open to the public internet.
>
> You already see ssh doing its job correctly by not
> allowing unauthorized logons.
>
> Review the questions archives, this subject has been beat
> to death the last 3 weeks.
>
> There are some port applications that read the hosts.allow log and
> auto-create firewall rules to block that attacking ip address.
> But this is just busy work as it does not stop the packets
> hitting your front door or really add any additional security
> over what native ssh is providing you.
>
> A more popular method is to change the port number ssh uses and
> just have your remote ssh users use that port number when they
> remote logon to ssh.
>
> Now the mass majority of script kiddies & robot attackers will
> find port 22 closed and lose interest in you.
> Only a dedicated attacker who has it out for just you, and knows
> your ip address already, would make the special effort to scan all
> the high order port numbers looking for an ssh response.
>
> Read the end of this doc for more details on how to change ssh's
> port number.
>
> Direct link to "Example of Host SSH & Win SSH Clients" is
> http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.docs.software/books/ssh_how-to/cover.html
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Graham
> North
> Sent: Sunday, March 26, 2006 2:52 PM
> To: mark@mkproductions.org; questions freebsd
> Subject: Tightening up ssh
>
>
> Hi Mark:
> You recently wrote:
>
> "Users are encouraged to create single-purpose users with ssh keys
> and very narrowly defined sudo privileges instead of using root
> for automated tasks."
>
> Does this mean that there is a way to run ssh, but only allow
> certain users to use it? My default seems to have been that if
> someone has a username and password they can access ssh (except root,
> as "PermitRootLogin no" is the default). The ssh port seems to be
> the most heavily attacked one on my machine and so I recently took
> to blocking port 22. My preference would be to enable it for only
> one user and give them an obscure username and strong password.
> Root is not currently allowed access by default in the setup.
>
> Is this the approach that you alluded to above? Can you point me
> to some information or provide some tips?
> Thanks, Graham/
>
> --
>
> Kindness can be infectious - try it.
>
> Graham North
> Vancouver, BC
> www.soleado.ca

-- 
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
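The two controls discussed in this thread, moving sshd off port 22 and limiting logins to a short list of single-purpose accounts, are both sshd_config settings (the latter is the AllowUsers directive, which answers Graham's question directly). The script below is an added example, not code from either poster or from the FreeBSD project: it reads the effective global value of a few sshd_config keywords the way sshd does (first occurrence wins, comment lines skipped, keyword case ignored, directives under a Match block left alone) and reports which of the discussed settings are in place. The function names sshd_get and sshd_audit and the sample config it writes to a temporary file are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# hardening the thread discusses (a non-default port, root login disabled,
# an explicit AllowUsers list, key-based rather than password auth).
# The sample config written below is constructed for the demonstration.

# Effective global value of one sshd_config keyword. sshd uses the first
# occurrence of a keyword, ignores comment lines and matches keywords
# case-insensitively; directives under a Match block are conditional and
# are deliberately not read here (parsing stops at the first Match).
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print one OK:/WARN:/INFO: line per check. The exit status is the number
# of WARN lines, so the function can sit directly in a cron or rc check.
sshd_audit() {
    cfg="$1"
    warn=0

    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
        warn=$((warn + 1))
    else
        echo "OK: sshd listens on port $port"
    fi

    root=$(sshd_get "$cfg" PermitRootLogin)
    if [ -z "$root" ]; then
        echo "INFO: PermitRootLogin not set explicitly; relying on the build default"
    elif [ "$root" = "no" ]; then
        echo "OK: PermitRootLogin no"
    else
        echo "WARN: PermitRootLogin is '$root'"
        warn=$((warn + 1))
    fi

    users=$(sshd_get "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "WARN: no AllowUsers list; every account with a password may log in"
        warn=$((warn + 1))
    else
        echo "OK: logins restricted to: $users"
    fi

    pw=$(sshd_get "$cfg" PasswordAuthentication)
    if [ "$pw" = "no" ]; then
        echo "OK: password authentication disabled (keys only)"
    else
        echo "WARN: password authentication still enabled (value '${pw:-default}')"
        warn=$((warn + 1))
    fi

    return "$warn"
}

# Constructed sample config (not taken from any real host).
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config fragment
#Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication yes
AllowUsers backup-runner graham
Match User backup-runner
    ForceCommand /usr/local/bin/run-backup
EOF

if sshd_audit "$SAMPLE_CFG"; then
    echo "warnings: 0"
else
    echo "warnings: $?"
fi
```

Point sshd_audit at /etc/ssh/sshd_config instead of the sample to check a real host; on the sample it reports one warning, because password authentication is still enabled while the other three settings are in place. As the thread itself notes, the port change only deters untargeted scanners; the AllowUsers list and key-only authentication are what actually narrow who can log in.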