Re: blocking ssh Root Logins - hosts
On Mon, 21 Mar 2005, Roberto C. Sanchez wrote:
> Add 'PermitRootLogin no' to /etc/ssh/sshd_config and restart ssh.
> As a caveat, make sure to include the AllowUsers directive with at
> least one user that should *always* be able to log in remotely.
ditto to what others said and then.. for added paranoia

/etc/hosts.deny
    ALL : ALL

- note that some things ( like nfs mounts ) will break if you
  turn on (tcpwrappers) inetd

restart inetd ... see if you can login .. you shouldn't be able to
if tcpwrappers is compiled into that sshd binary
- if it allows you in .. you might want to recompile
  sshd with tcpwrappers

/etc/hosts.allow
    sshd : 192.168.11.123
    # if you allow nfs
    portmapper : ...
    mount : ...

restart inetd and now it's safer ... that only *.123 can login as a user
and no other sniffers even if they knew your login/pwd

or are ssh keys better .... w/ ip# restrictions

in either case, hosts.deny should be denying everything as default

and if they can hijack your ip# and come in anyway...
"call the seals to come fix the penguin" :-)
c ya
alvin
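
Added example, not part of the message above: a shell audit of the settings discussed in this thread (PermitRootLogin, AllowUsers, a default-deny hosts.deny, an sshd rule in hosts.allow) plus a check that the sshd binary is linked against libwrap, since the wrapper files have no effect on an sshd built without tcpwrappers (upstream OpenSSH removed that support in 6.7). All function names are hypothetical, and the parsing assumes plain "Keyword value" lines in sshd_config and one daemon per hosts.allow rule.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings from this thread.
# Paths are arguments so the checks can be run against copies of the files.

# First occurrence of a keyword wins in sshd_config; keywords are case-insensitive.
# Assumption: "Keyword value" form only; Match blocks are not interpreted.
sshd_value() {  # usage: sshd_value SSHD_CONFIG KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

root_login_blocked() {  # PermitRootLogin no AND a non-empty AllowUsers list
    [ "$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ] &&
        [ -n "$(sshd_value "$1" AllowUsers)" ]
}

default_deny() {  # hosts.deny contains a catch-all "ALL : ALL" rule
    sed 's/#.*//' "$1" | tr -d ' \t' | grep -qix 'ALL:ALL'
}

# Client list of every hosts.allow rule whose daemon field is exactly "sshd".
# Assumption: one daemon per rule, no bracketed IPv6 addresses.
sshd_allowed_clients() {  # usage: sshd_allowed_clients HOSTS_ALLOW
    sed 's/#.*//' "$1" | awk -F: '
        { d = $1; gsub(/[ \t]/, "", d) }
        d == "sshd" { c = $2; gsub(/^[ \t]+|[ \t]+$/, "", c); print c }'
}

# hosts.allow/hosts.deny only affect sshd if the binary uses libwrap.
sshd_has_libwrap() {  # usage: sshd_has_libwrap /usr/sbin/sshd
    ldd "$1" 2>/dev/null | grep -q libwrap
}

audit() {  # usage: audit SSHD_CONFIG HOSTS_DENY HOSTS_ALLOW SSHD_BINARY
    rc=0
    root_login_blocked "$1" || { echo "FAIL: PermitRootLogin/AllowUsers"; rc=1; }
    default_deny "$2" || { echo "FAIL: no ALL : ALL in hosts.deny"; rc=1; }
    [ -n "$(sshd_allowed_clients "$3")" ] || { echo "FAIL: no sshd rule in hosts.allow"; rc=1; }
    sshd_has_libwrap "$4" || echo "WARN: sshd not linked with libwrap, wrappers ignored"
    return "$rc"
}
```

Run it as `audit /etc/ssh/sshd_config /etc/hosts.deny /etc/hosts.allow /usr/sbin/sshd`; the sshd binary path is an assumption and varies by system.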