
Re: security advice wanted for home server



On Friday 27 February 2009 14:07:02 andy baxter wrote:
> Sébastien NOBILI wrote:
> > On Friday 27 February 09 at 10:43, andy baxter wrote:
> >> I can make sure that the server doesn't have any incoming ports open
> >> except http and ssh)
> >
> > I would use another port than 22 for the SSH. If your machine's ports are
> > being scanned and it appears port 22 is open, then you'll probably have a
> > lot of brute-force attacks to SSH.
>
> Is there any reason to do this given that I'm not planning to log in by
> ssh from outside my local network?

No.

> > Personally, I redirected on my router a high port number (1234, for
> > example) to port number 22 of my home server. No more brute-force
> > attacks.
> >
> > Just in case you didn't think about it, restrict SSH access to certain
> > users, in /etc/ssh/sshd_config :
> >     PermitRootLogin no
> >     AllowUsers your_login
>
> I've done PermitRootLogin; thanks for mentioning the other one. I was
> also trying:
>
> ListenAddress 10.0.0.3
>
> But this seemed to prevent even 10.0.0.3 from logging in, after a
> '/etc/init.d/ssh restart'
>
> Would ListenAddress 10.*.*.* (or 10.*) work?

No. ListenAddress is not the right option. Using ListenAddress, you can tell 
sshd on which of the machine's network interfaces it shall listen. The IP 
address you write there is the address assigned to the interface (use ifconfig 
to find out these addresses).

I'd try some iptables rules or some lines in /etc/hosts.allow and/or 
/etc/hosts.deny.


Paul


-- 
perl -e 'print pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
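
The distinction drawn in the reply above, as an added example that is not part of the original thread: ListenAddress names an address of the server itself, while limiting which clients may connect is done with hosts.allow/hosts.deny, iptables, or a host pattern in AllowUsers. The server address 10.0.0.2 is a constructed value, the 10.0.0.0/8 range follows the 10.x addresses mentioned in the thread, and the TCP wrappers lines assume an sshd built with libwrap support.

```conf
# --- /etc/ssh/sshd_config (on the server) ---------------------------------
# ListenAddress is the server's OWN interface address (see ifconfig), not a
# client address. 10.0.0.2 is a constructed value for the server's LAN
# interface. Wildcards such as 10.* are not accepted here.
ListenAddress 10.0.0.2

PermitRootLogin no

# AllowUsers accepts USER@HOST patterns, so the "10.*" idea works here:
# only your_login may authenticate, and only from a 10.x.x.x client.
AllowUsers your_login@10.*

# --- /etc/hosts.allow ------------------------------------------------------
# Checked first; the first matching rule wins. A pattern ending in "."
# matches every address that starts with those fields.
sshd: 10.

# --- /etc/hosts.deny -------------------------------------------------------
# Reached only when nothing in hosts.allow matched.
sshd: ALL

# --- iptables alternative (commands, run as root on the server) ------------
# Order matters: accept the LAN range first, then drop all other SSH traffic.
# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
```

Keep an existing session open while restarting sshd with a changed ListenAddress or AllowUsers, and confirm a new login works before closing it.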

