Re: Securing debian box
Alexander Wasmuth wrote:
> * Jim Hyslop wrote:
>
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> PasswordAuthentication no
>> UsePAM yes
>> Subsystem sftp /usr/lib/openssh/sftp-server
>
> I've also added "Protocol 2" to omit SSH 1, and I set UsePAM to no
> because I wasn't able to prohibit password authentication with PAM
> enabled.
>
> Restricting the allowed users is probably a good idea, too:
>
> AllowUsers you
>
> Also I am using iptables to limit the per-ip connection tries in a given
> amount of time: <http://www.debian-administration.org/articles/187>.
>
> Cheers,
> Alex
>
>
Hi,
Using "Protocol 2" should be more secure.
About changing port 22 to another one, I would prefer to use port
knocking (iptables rules or the knockd package) or something like that:
http://www.cipherdyne.com/fwknop/
Here is an example:
>>>>>>>>>>>>>>>>
etch:/home/franck# telnet 192.168.0.1 22
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.
As you can see, I get the SSH banner when sshd listens on port 22, and I
get it just the same when I change it to port 1022.
etch:/home/franck# telnet 192.168.0.1 1022
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.
<<<<<<<<<<<<<<<<<<
Here is the explanation:
http://www.openssh.com/faq.html#2.14
Hope it helps.
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
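The sshd_config lines quoted at the top of this message are easy to get subtly wrong, because sshd keeps the FIRST value it reads for each keyword and because a later Match block can re-enable what the global section turned off. The following audit script is an added example, not code from Franck's post or from the Debian project; it checks a configuration text against the settings recommended in this thread (Jim's list plus Alexander's "Protocol 2" and AllowUsers). The two sample configurations are constructed for the example and the directive names are the real sshd_config keywords; the check list itself (EXPECTED) is this example's assumption about what "hardened" means here.

```python
import re

# Settings recommended in the thread, keyed by lower-cased sshd_config
# keyword, with the value each should have in the global section.
# (This list is the example's own assumption of the target state.)
EXPECTED = {
    "permitrootlogin": "no",
    "rsaauthentication": "no",
    "pubkeyauthentication": "yes",
    "ignorerhosts": "yes",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "no",
    "passwordauthentication": "no",
    "protocol": "2",
}

# Constructed sample: looks hardened at first glance, but the first
# PasswordAuthentication line wins and a Match block re-enables it.
SAMPLE_WEAK = """\
# constructed sshd_config (example data)
Port 1022
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# the next line is ignored by sshd: the first value for a keyword wins
PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the configuration from the thread, as posted.
SAMPLE_HARDENED = """\
Protocol 2
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
AllowUsers you
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) using sshd_config rules:
    keywords are case-insensitive, lines starting with '#' are comments,
    keyword and value are separated by whitespace or '=', and for each
    keyword the first value wins. Everything after a 'Match' line belongs
    to that conditional block until the next 'Match'."""
    global_settings = {}
    match_blocks = []  # list of (criteria, {keyword: value})
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
            continue
        target = global_settings if current is None else current[1]
        target.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means the thread's
    recommendations are met and no Match block weakens them."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set (compiled-in default applies), want '{want}'")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("allowusers: no user whitelist (AllowUsers/AllowGroups)")
    # Match blocks can re-enable what the global section turned off.
    for criteria, values in blocks:
        for key, want in EXPECTED.items():
            if key in values and values[key].lower() != want:
                findings.append(f"Match {criteria}: {key} {values[key]} overrides the global setting")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or "OK")
```

Running it against a real file is `audit(open("/etc/ssh/sshd_config").read())`; on a live box, `sshd -T` shows the effective values after the first-wins rule has been applied and is the authoritative cross-check.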
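Franck's telnet session shows why moving sshd to port 1022 hides nothing: the server announces itself with its identification string before the client has said anything. The script below is an added example (not from the post or the Debian project) that does the same thing programmatically: it parses the banner according to the RFC 4253 format "SSH-protoversion-softwareversion SP comments CR LF", and, so that it runs offline, it serves the banner from the transcript above on a local listener bound to a random high port instead of a real host. SAMPLE_BANNER is copied from the transcript; the listener and the host/port choices are constructed for the example.

```python
import socket
import threading

# Identification string copied from the telnet transcript above; served here
# by a throw-away local listener (constructed test data, not a live host).
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_4.3p2 Debian-8\r\n"


def parse_ssh_banner(line):
    """Parse an SSH identification string (RFC 4253, section 4.2):
    "SSH-protoversion-softwareversion SP comments CR LF".
    Returns a dict, or None when the line is not an SSH banner."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        return None
    ident, _, comments = text.partition(" ")
    fields = ident.split("-", 2)  # ["SSH", protoversion, softwareversion]
    if len(fields) != 3 or not fields[1] or not fields[2]:
        return None
    return {"protocol": fields[1], "software": fields[2], "comments": comments}


def grab_banner(host, port, timeout=3.0, max_lines=20):
    """Connect and return the first identification line the server sends.
    RFC 4253 allows a server to send other text lines before the "SSH-"
    line, so up to max_lines non-banner lines are skipped."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(max_lines):
            line = reader.readline()
            if not line:
                break
            if line.startswith(b"SSH-"):
                return line
    return None


def serve_banner_once(banner):
    """Start a one-shot listener on an ephemeral 127.0.0.1 port that sends
    `banner` to the first client and then closes. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def identify_service(host, port):
    """Return the parsed SSH banner for host:port, or None if it is not SSH."""
    line = grab_banner(host, port)
    return parse_ssh_banner(line) if line else None


def demo():
    # The listener picks a random high port, standing in for "move sshd to
    # port 1022": the service is still identified from its banner alone.
    port = serve_banner_once(SAMPLE_BANNER)
    return identify_service("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())
```

Pointed at a real host, `identify_service("192.168.0.1", 1022)` reads the same line the telnet session shows; a port-knocking or fwknop setup changes the outcome because the connection is refused or dropped before any banner is sent, so `grab_banner` raises instead of returning a line.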