Securing SSH

Ed Gurski ed at gurski.com
Tue May 23 18:01:06 UTC 2006


On Tue, 2006-05-23 at 13:37 -0400, fedora-list-request at redhat.com wrote:

> From: "Brian D. McGrew" <brian at visionpro.com>
> Subject: Securing SSH
> To: "For users of Fedora Core releases" <fedora-list at redhat.com>
> Message-ID:
> 	<14CFC56C96D8554AA0B8969DB825FEA0012B32A3 at chicken.machinevisionproducts.com>
> 	
> Content-Type: text/plain;	charset="us-ascii"
> 
> Good morning,
> 
> I'm looking to tighten up my ssh configuration.  I have to have SSH open
> on the box at home so I can get to it from the office.  I've found
> several articles on securing ssh that include deny root access and
> require 'wheel' group membership for su.
> 
> Is changing the port to something non-standard a good idea?  What else
> can I do; can someone point me to a good write up on it?
> 
> Thanks,
> 
> :b!
> 
> Brian D. McGrew { brian at visionpro.com || brian at doubledimension.com }
> --
> > This is a test.  This is only a test!
>   Had this been an actual emergency, you would have been
>   told to cancel this test and seek professional assistance!
> 
Ok, what a great idea... In most Unix environments, you do not allow
"root" to access the system except from the local console. However, this
does not prevent you from running "sudo" or performing an "su -".

Yes, you can change the port to something else to make it more secure.
You would then need to change your firewall rules (hopefully you are
running the firewall at home) to allow this port remote access.

To change the port you will need to edit /etc/ssh/sshd_config. You
should also change the line that says "PermitRootLogin yes" to
"PermitRootLogin no". This will prevent root from logging on remotely.

Additionally, you should also change/add the following two lines if they
are not present:

MaxAuthTries 3  (usually set to 6)
UsePAM yes  (if not present add to the end of the file)


Now, to prevent DoS attacks and brute-force SSH attacks, you will need to
edit /etc/pam.d/sshd and add the following to the end of the file:

auth       required     pam_tally.so onerr=fail deny=3 unlock_time=900
account    required     pam_tally.so deny=3

Now you can issue the command as root or through sudo:

service sshd restart     or
sudo /sbin/service sshd restart

WARNING: If you are logged on through SSH you will be dropped. Also,
remember to change your firewall rules before you restart the ssh
daemon.

You can also transfer your X Windows apps to your local system by doing
the following:

On your system:

xhost +   (allows remote X apps)
ssh -Y remote_computer -p the_new_port

Now, once logged in, you can test this using:

xclock

You should then see the Xclock on your system from the remote system.


Hope this was helpful.....

-- 
Ed Gurski <ed at gurski.com>
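The sshd_config edits recommended in the reply above (non-standard Port, PermitRootLogin no, MaxAuthTries 3, UsePAM yes) can be audited before restarting sshd. The script below is an added example, not part of the original message; it works on two constructed sample configs (not real host files) and mimics sshd's rule that the first non-comment occurrence of a keyword wins.

```shell
#!/bin/sh
# Constructed sample sshd_config files (not from any real host). The first has
# the stock values the reply tells the reader to change; the second applies them.
STOCK_CONFIG='# constructed sample, stock-like values
Port 22
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
'
HARDENED_CONFIG='# constructed sample, after the edits in the reply
Port 2222
PermitRootLogin no
MaxAuthTries 3
UsePAM yes
'

# sshd_option CONFIG KEYWORD: print the effective value of KEYWORD.
# sshd honours the first non-comment occurrence of a keyword (case-insensitive),
# so commented-out lines such as "#PermitRootLogin no" are ignored.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd_config CONFIG: print one line per setting still deviating from the
# reply's recommendations, then a final "findings: N" summary line.
check_sshd_config() {
    n=0
    port=$(sshd_option "$1" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "Port: 22 (reply suggests a non-standard port)"; n=$((n + 1))
    fi
    root=$(sshd_option "$1" PermitRootLogin)
    if [ "${root:-yes}" != no ]; then
        echo "PermitRootLogin: ${root:-unset} (should be no)"; n=$((n + 1))
    fi
    tries=$(sshd_option "$1" MaxAuthTries)
    if [ "${tries:-6}" -gt 3 ]; then
        echo "MaxAuthTries: ${tries:-unset} (should be 3)"; n=$((n + 1))
    fi
    pam=$(sshd_option "$1" UsePAM)
    if [ "${pam:-no}" != yes ]; then
        echo "UsePAM: ${pam:-unset} (should be yes)"; n=$((n + 1))
    fi
    echo "findings: $n"
}

echo "== stock =="; check_sshd_config "$STOCK_CONFIG"
echo "== hardened =="; check_sshd_config "$HARDENED_CONFIG"
```

To audit a real host, replace the constructed strings with `"$(cat /etc/ssh/sshd_config)"`.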



