From: Graham North <northg@shaw.ca>
Date: Sun, 26 Mar 2006 13:25:45 -0800
To: fbsd_user@a1poweruser.com
Cc: mark@mkproductions.org, freebsd-questions@freebsd.org
Subject: Re: Tightening up ssh
Message-id: <442706D9.60407@shaw.ca>
List: freebsd-questions@freebsd.org

Thank you. G/

fbsd_user wrote:

> The fact of life is there is no way to stop ssh logon attacks
> as long as you have port 22 open to the public internet.
>
> You already see ssh doing its job correctly by not
> allowing unauthorized logons.
>
> Review the questions archives; this subject has been beaten
> to death the last 3 weeks.
>
> There are some port applications that read the hosts.allow log and
> auto-create firewall rules to block that attacking IP address.
> But this is just busy work as it does not stop the packets
> hitting your front door or really add any additional security
> over what native ssh is providing you.
>
> A more popular method is to change the port number ssh uses and
> just have your remote ssh users use that port number when they
> remote logon to ssh.
>
> Now the vast majority of script kiddies & robot attackers will
> find port 22 closed and lose interest in you.
> Only a dedicated attacker who has it out for just you, and knows
> your IP address already, would make the special effort to scan all
> the high order port numbers looking for an ssh response.
>
> Read the end of this doc for more details on how to change ssh's
> port number.
>
> Direct link to "Example of Host SSH & Win SSH Clients" is
> http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.docs.software/books/ssh_how-to/cover.html
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Graham North
> Sent: Sunday, March 26, 2006 2:52 PM
> To: mark@mkproductions.org; questions freebsd
> Subject: Tightening up ssh
>
> Hi Mark:
> You recently wrote:
>
> "Users are encouraged to create single-purpose users with ssh keys
> and very narrowly defined sudo privileges instead of using root
> for automated tasks."
>
> Does this mean that there is a way to run ssh, but only allow
> certain users to use it? My default seems to have been that if
> someone has a username and password they can access ssh (except root,
> as "PermitRootLogin no" is the default). The ssh port seems to be
> the most heavily attacked one on my machine and so I recently took
> to blocking port 22. My preference would be to enable it to only
> one user and give them an obscure username and strong password.
> Root is not currently allowed access by default in the setup.
>
> Is this the approach that you alluded to above? Can you point me
> to some information or provide some tips?
> Thanks, Graham/
>
> --
> Kindness can be infectious - try it.
>
> Graham North
> Vancouver, BC
> www.soleado.ca

--
Kindness can be infectious - try it.

Graham North
Vancouver, BC
www.soleado.ca
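An added example, not from anyone in this thread: a POSIX shell audit of sshd_config text for the points raised above (non-default port, PermitRootLogin, password vs. key authentication) plus AllowUsers, the sshd_config directive that restricts logins to named accounts as Graham asks. The two sample configs and the account name backupbot are constructed; Match blocks are assumed absent.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config text for the
# hardening points discussed above. sshd uses the FIRST value it finds
# for a keyword, so the audit does the same. Match blocks are ignored
# (assumption: a plain top-level config). Sample configs are constructed.

# Constructed sample standing in for a stock /etc/ssh/sshd_config.
WEAK_CFG='
#Port 22
PermitRootLogin no
PasswordAuthentication yes
'

# Constructed hardened counterpart: non-default port, keys only, and
# AllowUsers so that only the named account (assumed name) may log in.
HARDENED_CFG='
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers backupbot
'

# get_directive KEY CFG -> first uncommented value for KEY, "" if unset.
# Keywords are case-insensitive, as in sshd_config(5).
get_directive() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print val }'
}

# audit_sshd_config CFG -> space-separated findings ("" means clean).
# An unset directive is judged by OpenSSH's compiled-in default.
audit_sshd_config() {
    cfg="$1"; findings=""
    port=$(get_directive Port "$cfg")
    [ "${port:-22}" != "22" ] || findings="$findings port22"
    root=$(get_directive PermitRootLogin "$cfg")
    [ "${root:-yes}" = "no" ] || findings="$findings rootlogin"
    pw=$(get_directive PasswordAuthentication "$cfg")
    [ "${pw:-yes}" = "no" ] || findings="$findings password"
    [ -n "$(get_directive AllowUsers "$cfg")" ] || findings="$findings allowusers"
    printf '%s' "${findings# }"
}

echo "weak:     $(audit_sshd_config "$WEAK_CFG")"
echo "hardened: $(audit_sshd_config "$HARDENED_CFG")"
```

Run it against a real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` and follow any change with `sshd -t` before restarting the daemon.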