Re: Security basics



Lamar Owen wrote:

On Wednesday 03 October 2007, Karl Larsen wrote:
I have sure heard a LOT about security updates and I have had my own
problems. For years I thought the only thing necessary was a good root
password. This year I found out with ssh around you need a good password
for your own login name. My problem was caused by having a super poor
login password which was my last name. Since the login name was karl it
followed.

Also: run ssh on some port other than 22. This is accomplished by
editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to
iptables, assuming you're running iptables). If you know the IP addresses
from which you will always be connecting, then set your firewall (both on any
external router as well as in /etc/sysconfig/iptables) to only allow the IP
addresses you want.

Just changing from port 22 to some other port (and 222 or 2222 aren't good
ones; anything above 1024 is fair game) will eliminate 90% or more of your
risk.

Also, set up RSA key security and eliminate password-based logins. This is a
fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting
ready to go home for the day, and don't have time to type it in; if you can't
find it anywhere, I can write one up fairly quickly, as I've set this up on
several boxes). Some might say to just do this and not worry about the
listening port change; I prefer multilayered security (why I run SELinux in
enforcing/targeted mode on servers) when possible.

With a nonstandard port you do have to remember to use the -p parameter of ssh
to connect (and the -P parameter of scp) but in my opinion it's worth it.

Changing ports for ssh isn't actually that hot of an idea. Most port scanners
can detect ssh implementations since they normally self-identify. For example,
if you're running ssh on the normal port (22), try executing:
/usr/bin/telnet YOUR.HOST.IP.ADDR 22
and see what pops out.

Hope this helps,

-S

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
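Added example, not from anyone in this thread: a small Python script that checks an sshd_config for the settings discussed above (non-default port, key-only login, root login), renders iptables allow rules that admit only chosen source addresses to that port, and splits the identification banner that -S's telnet check would show. The sshd_config text, the port 2022, the addresses 203.0.113.5 / 198.51.100.0/24 and the banner string are all constructed for the demo; the iptables rule layout assumes the /etc/sysconfig/iptables style of the time and a chain that drops or rejects everything not explicitly accepted.

```python
"""Audit an sshd_config against the advice in this thread, emit matching
iptables allow rules, and parse an SSH identification banner.
Added example; all sample data below is constructed."""
import re

# Constructed sample: a stock-looking sshd_config with the defaults the
# thread argues against (port 22, passwords on, root login permitted).
# The second PasswordAuthentication line is deliberately ignored by sshd.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed)
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# sshd keeps the FIRST value of a keyword, so this line has no effect:
PasswordAuthentication no
"""

# Constructed sample: the same file hardened as the thread recommends.
HARDENED_SSHD_CONFIG = """\
Port 2022
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the effective top-level settings.

    sshd_config semantics: blank lines and lines starting with '#' are
    skipped, keywords are case-insensitive, and for a repeated keyword the
    FIRST occurrence wins (sshd_config(5)), so later overrides are silently
    dropped.  Match blocks are not handled (assumption/limitation here).
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)  # first value wins
    return settings


def audit(settings):
    """Return a list of findings mirroring the thread's recommendations."""
    findings = []
    port = int(settings.get("port", "22"))  # sshd default when unset
    if port == 22:
        findings.append("Port 22: thread suggests a non-default port above 1024")
    elif port in (222, 2222):
        findings.append(f"Port {port}: a commonly guessed alternative, pick another")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication on: set 'no' once key login works")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication off: key-only login is impossible")
    if settings.get("permitrootlogin", "yes") not in ("no", "without-password"):
        findings.append("PermitRootLogin permits root password login")
    return findings


def iptables_rules(port, allowed_sources):
    """Render allow rules admitting only the listed sources to the ssh port.

    Assumes a chain whose other traffic is dropped/rejected; the rule
    layout follows the 2007-era /etc/sysconfig/iptables style.
    """
    return [
        f"-A INPUT -m state --state NEW -m tcp -p tcp -s {src} --dport {port} -j ACCEPT"
        for src in allowed_sources
    ]


def parse_banner(banner):
    """Split an SSH identification string (RFC 4253 section 4.2):
    'SSH-protoversion-softwareversion [comments]'.

    This is what the telnet check in the thread prints, and it is the
    same whatever port sshd listens on.  Returns None if not an SSH banner.
    """
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)(?: (.*))?$", banner.rstrip("\r\n"))
    if not m:
        return None
    return {"proto": m.group(1), "software": m.group(2), "comments": m.group(3)}


if __name__ == "__main__":
    for f in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("FINDING:", f)
    print("hardened findings:", audit(parse_sshd_config(HARDENED_SSHD_CONFIG)))
    for rule in iptables_rules(2022, ["203.0.113.5", "198.51.100.0/24"]):
        print(rule)
    print(parse_banner("SSH-2.0-OpenSSH_4.7\r\n"))
```

The audit is intentionally literal about sshd's first-value-wins rule, which is a common way for a "hardened" file to stay open: a later `PasswordAuthentication no` does nothing if an earlier `yes` is still above it.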
