Date:      Tue, 6 Oct 2009 15:49:16 -0400
From:      jhell <jhell@DataIX.net>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        olli hauer <ohauer@gmx.de>, FreeBSD Security <freebsd-security@freebsd.org>, Peter <fbsdq@peterk.org>, smithi@nimnet.asn.au, Marian Hettwer <MH@kernel32.de>
Subject:   Re: openssh concerns
Message-ID:  <alpine.BSF.2.00.0910061443060.51437@qvzrafvba.5c.ybpny>
In-Reply-To: <86vdis99ie.fsf@ds4.des.no>
References:  <20091003121830.GA15170@sorry.mine.nu> <4AC9F9C1.9030702@kernel32.de> <bd3cc292fc07e3e63181ab4fb59fa8e7.squirrel@webmail.pknet.net> <86vdis99ie.fsf@ds4.des.no>


On Tue, 6 Oct 2009 11:06 +0200, des@ wrote:

> "Peter" <fbsdq@peterk.org> writes:
>> Or combine that with portknocking - Only open port 22 after X number of
>> attempts to connect on port 1234:
>
> As has already been explained, that's no good if you need to ssh in from
> behind a corporate firewall that blocks everything except 20, 22, 80 and
> 443.
>
> DES
>

Don't forget about making good use of the following configuration 
tunables. You can enforce a default policy of deny by just saying that a 
user must be in the group of AllowGroups. This does enforce a little bit 
more of an administrative overhead, but that's for your staff and policy to 
decide.

AllowGroups
AllowUsers
DenyGroups
DenyUsers

Collecting tried user names and not allowing those to be added to your system 
as legitimate users is another approach. Configuring pw(8) and adduser(8) 
for this will be a good exercise.

-- 

%{----------------------------------------------------+
  | dataix.net!jhell         2048R/89D8547E 2009-09-30 |
  | BSD since FreeBSD 4.2    Linux since Slackware 2.1 |
  | 85EF E26B 07BB 3777 76BE  B12A 9057 8789 89D8 547E |
  +----------------------------------------------------%}

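The default-deny policy jhell describes above, as an added example that is not part of the original message: a small evaluator that applies the four sshd_config directives in the order sshd_config(5) documents (DenyUsers, AllowUsers, DenyGroups, then AllowGroups) to a constructed config fragment and constructed accounts, so an administrator can see which accounts a given policy would let in. The `user@host` pattern form and the `!` negation are left out as a simplification; the config text and account list are assumptions.

```python
from fnmatch import fnmatchcase

# Evaluation order documented in sshd_config(5).
DIRECTIVES = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")

def parse_sshd_config(text):
    """Collect the four access directives from sshd_config text (user@host forms not handled)."""
    policy = {d: [] for d in DIRECTIVES}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] in policy:
            policy[parts[0]].extend(parts[1:])
    return policy

def _matches(name, patterns):
    # sshd patterns use '*' and '?'; fnmatchcase also accepts '[]' classes, which sshd does not.
    return any(fnmatchcase(name, p) for p in patterns)

def ssh_login_allowed(user, groups, policy):
    """Apply the sshd order: any Deny match rejects; a set Allow list must match, else reject."""
    if _matches(user, policy["DenyUsers"]):
        return False
    if policy["AllowUsers"] and not _matches(user, policy["AllowUsers"]):
        return False
    if any(_matches(g, policy["DenyGroups"]) for g in groups):
        return False
    if policy["AllowGroups"] and not any(_matches(g, policy["AllowGroups"]) for g in groups):
        return False
    return True   # no Allow* directive set and nothing denied: sshd's default is allow

# Constructed sshd_config fragment: default deny via AllowGroups, plus explicit DenyUsers.
SAMPLE_CONFIG = """
AllowGroups sshusers          # only members of sshusers may log in at all
DenyUsers root admin test*    # refused even if someone adds them to sshusers
"""

def evaluate(config_text, accounts):
    """Return {user: allowed} for a dict of user -> list of group names."""
    policy = parse_sshd_config(config_text)
    return {u: ssh_login_allowed(u, gs, policy) for u, gs in accounts.items()}

if __name__ == "__main__":
    accounts = {                                  # constructed accounts
        "alice": ["alice", "sshusers", "wheel"],  # in AllowGroups: allowed
        "bob": ["bob", "staff"],                  # not in AllowGroups: denied
        "test1": ["test1", "sshusers"],           # DenyUsers wins over group membership
    }
    for user, ok in evaluate(SAMPLE_CONFIG, accounts).items():
        print(f"{user}: {'allowed' if ok else 'denied'}")
```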