
Re: Securing debian box




Alexander Wasmuth wrote:
> * Jim Hyslop wrote:
> 
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> PasswordAuthentication no
>> UsePAM yes
>> Subsystem sftp /usr/lib/openssh/sftp-server
> 
> I've also added "Protocol 2" to omit ssh 1 and I set UsePAM to no
> because I wasn't able to prohibit password authentication with PAM
> enabled.
> 
> Restricting the allowed users is probably a good idea, too:
> 
>  AllowUsers you
> 
> Also I am using iptables to limit the per-ip connection tries in a given
> amount of time: <http://www.debian-administration.org/articles/187>.
> 
> Cheers,
> Alex
> 
> 

Hi,

Using "Protocol 2" should be more secure.
As for changing port 22 to another one, I would prefer to use port
knocking (iptables rules or the knockd package) or something like that:
http://www.cipherdyne.com/fwknop/

Here is an example:

>>>>>>>>>>>>>>>>
etch:/home/franck# telnet 192.168.0.1 22
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.

As you can see, I get the SSH banner when I listen on port 22, and I
still do when I change it to port 1022.

etch:/home/franck# telnet 192.168.0.1 1022
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.
<<<<<<<<<<<<<<<<<<

Here is the explanation:
http://www.openssh.com/faq.html#2.14

Hope it helps.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server: pgpkeys.mit.edu
Fingerprint: C10E D1D0 EF70 0A2A CACF  9A3C C490 534E 75C0 89FE

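An added illustration, not part of the thread and not code from any of the posters: a small Python audit of an sshd_config against the directives discussed above (Jim's settings, Alex's "Protocol 2" and AllowUsers). It relies on the documented sshd behaviour that the first value given for a keyword wins, which is why hardening lines appended at the end of a stock config can be silently ignored; the sample config and the expected-value table are constructed for this example.

```python
import re

# Expected values for the directives discussed in the thread ("Protocol 2" is
# Alex's addition). UsePAM is left out because the thread disagrees on it.
EXPECTED = {
    "Protocol": "2", "PermitRootLogin": "no", "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no", "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes", "IgnoreRhosts": "yes",
    "HostbasedAuthentication": "no", "RSAAuthentication": "no",
    "RhostsRSAAuthentication": "no",
}

def parse_sshd_config(text):
    """Return {lowercased directive: value} as sshd reads it: the FIRST value of a
    keyword wins, so a hardened line appended at the end is silently ignored if the
    directive was set earlier. Parsing stops at the first 'Match' block (conditional)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                   # drop comments
        if line.lower().startswith("match"):
            break
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)   # 'Key value' / 'Key=value'
        if m:
            seen.setdefault(m.group(1).lower(), m.group(2).strip())
    return seen

def audit(text):
    """Return [(directive, expected, actual)] for each deviation; [] means clean."""
    cfg = parse_sshd_config(text)
    findings = [(k, v, cfg.get(k.lower())) for k, v in EXPECTED.items()
                if cfg.get(k.lower(), "").lower() != v]
    if "allowusers" not in cfg and "allowgroups" not in cfg:   # Alex's AllowUsers advice
        findings.append(("AllowUsers", "<some user list>", None))
    return findings

# Constructed sample: a default-style config with hardening lines appended at the end.
SAMPLE = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# appended later, but sshd already took the first value for these two:
PermitRootLogin no
PasswordAuthentication no
"""
```

Run `audit(open("/etc/sshd_config").read())` on a real box to get the list of directives that still deviate; an empty list means every directive from the thread is set as recommended.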


