Any danger from these ports?

Paul Iadonisi pri.rhl3 at iadonisi.to
Sun Jan 9 00:35:00 UTC 2005


On Sat, 2005-01-08 at 23:00 +0000, Paul wrote:

> > 1) Allow rsa key logins only.
> > 2) Restrict by IP address, if possible.
> > 3) Restrict by username if possible.
> > 4) Run sshd on a port other than 22.
> > 5) Use port knocking if you are really paranoid.  (Though that hasn't
> >    had enough field testing to trust it as the only security measure,
> >    for sure.)
> 
> Is there a simple to follow howto on all of these?

  Not that I know of, but here's some quickies:

1) RSA keys:
   On any clients you want to have access to a particular server,
generate a key pair with 'ssh-keygen -t rsa'.  Then copy (via
sneaker.net for the truly paranoid, and then eat the floppy when you're
done) your ~/.ssh/id_rsa.pub on the client to your
~/.ssh/authorized_keys on your server (or append, as appropriate).  Be
sure to 'chmod 600 ~/.ssh/authorized_keys'.
   Edit /etc/ssh/sshd_config on your server and set PubkeyAuthentication
to yes and PasswordAuthentication to no.  Other things I usually change
are Protocol (2), PermitRootLogin (no), and PermitEmptyPasswords (no).
   Restart sshd on the server.
2) IP restrictions:
  I thought there was a way to put a list of IPs in
the /etc/ssh/sshd_config file, but I can't find it in the man page
anywhere.  Looks like sshd is linked with tcp_wrappers, however, so you
could just use /etc/hosts.{allow,deny} settings to set those
restrictions.  Just using iptables is also a possibility.
3) User restrictions:
  Change/add AllowUsers setting to /etc/ssh/sshd_config with a list of
allowed users.  Related options are DenyUsers, AllowGroups, and
DenyGroups.
4) Port setting:
  Change the 'Port' setting in /etc/ssh/sshd_config to something other
than 22.  1022 is a common alternative, which is a good reason to use
something *other* than 1022 :-).  Use 'ssh -p<newportnumber> <host>' to
connect to your ssh daemon after this change.
5) Do a google for "Port Knocking" :-)  Sorry, that's all I can help
with in that area.

  There are other, more paranoid settings you can change
in /etc/ssh/sshd_config, but I wouldn't go overboard.  You can make it
truly difficult for legitimate users to use your ssh daemon if you
really want to.

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets
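As an added example (not part of the post above), a small POSIX sh audit that reads an sshd_config and reports which of the settings from items 1, 3 and 4 are still missing. The assumed defaults (Protocol 2,1, root login and password authentication permitted) are those of OpenSSH releases of that era; the sample config is constructed inline, and the real file would be /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening settings recommended above.
# Assumed defaults (OpenSSH of the era): Protocol 2,1, PermitRootLogin yes,
# PasswordAuthentication yes, Port 22. Constructed example, not from the post.

# Effective value of a directive: sshd honours the first uncommented
# occurrence, so the first match wins; $3 is the default when it is unset.
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# chk FILE DIRECTIVE WANT DEFAULT: prints a FAIL line and returns 1 on mismatch.
chk() {
    got=$(sshd_opt "$1" "$2" "$4")
    [ "$got" = "$3" ] || { echo "FAIL $2=$got (want $3)"; return 1; }
}

# Run every check; returns 0 only if the file passes all of them.
audit_sshd_config() {
    f=$1; rc=0
    chk "$f" PubkeyAuthentication  yes yes  || rc=1
    chk "$f" PasswordAuthentication no  yes  || rc=1
    chk "$f" PermitRootLogin        no  yes  || rc=1
    chk "$f" PermitEmptyPasswords   no  no   || rc=1
    chk "$f" Protocol               2   2,1  || rc=1
    [ "$(sshd_opt "$f" Port 22)" != 22 ] \
        || { echo "FAIL Port=22 (still on the default port)"; rc=1; }
    # AllowUsers may list several names; only its presence is checked here.
    [ -n "$(sshd_opt "$f" AllowUsers "")" ] \
        || { echo "FAIL AllowUsers unset (no user restriction)"; rc=1; }
    return $rc
}

# Constructed sample: a stock-looking config with the key lines commented out.
sample_weak_config() {
    printf '#Port 22\n#Protocol 2,1\n#PermitRootLogin yes\nPasswordAuthentication yes\n'
}

tmpcfg=$(mktemp) && sample_weak_config > "$tmpcfg"
audit_sshd_config "$tmpcfg" || echo "sshd_config needs attention (see FAIL lines)"
rm -f "$tmpcfg"
```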
