On Mar 8, 2006, at 8:31 AM, Timothy A. Holmes wrote:

Good Morning Folks:

I have been doing some reading over the last day or two about a SSH bot
attack that is occurring in some places.  I will be the first to admit
that I have been a bit lax with my ssh security (allowing root logins
etc). This problem has inspired me to get things cleaned up, and flying
right again.  I have already modified my ssh config to prevent root
logins via ssh, so that hole is closed.  In talking to a friend
yesterday, he suggested using key based authentication to further
protect my servers, which sounds like a great idea. The problem is that
I have no idea how to set it up.  A google search turned up the Gentoo
pages on keychain, which does not sound exactly like what he was talking
about (he mentioned a key carried on a JUMP drive (usb stick))

I am using gentoo (and fedora (soon to be converted) servers) and PUTTY.
If someone can offer suggestions, or point me in the right direction, I
would be most appreciative.

step one...on the box you'll be connecting FROM, run ssh-keygen -t rsa (or dsa). It will ask you the name of the file to save it to, take the default. Put a passphrase on it.

step two...that created id_dsa.pub (which is what you get if you pick dsa above) in your ~/.ssh directory. copy that id_dsa.pub up to a server you want to connect to

step three...since you've turned off root logins, you have a user on that box. copy that id_dsa.pub file into the ~/.ssh/authorized_keys file on the target system. note that if you have to create that directory yourself, you'll probably have to remove group-write permissions before this will work.

step four...verify that in the target server's sshd_config file, PubkeyAuthentication is set to yes

that should allow you to ssh targetservername...you'll be asked for a password, but that's to access the key on your LOCAL box. add a -vv and you'll see all kinds of cool stuff.

Note that I also move ssh from port 22 to some other port, and in my local box, in .ssh, create a file called config. In that I put:
"Host *
User john
port xxx"

this says for all hosts i ssh to, use port 26, and username john at the far end. you can replace the * with individual host names (as resolved via dns or hosts file) to have different usernames on different boxes and different ports per host.

I've had NO ssh portscans on my boxes since I moved them off of port 22. for security's sake, i won't tell you where I moved them to :)
--
gentoo-user@gentoo.org mailing list
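The key-install and sshd_config steps from the reply above, as an added example that is not part of the thread: a small POSIX shell script that drops a public key into authorized_keys with the permissions sshd's StrictModes requires (the "remove group-write" point), and checks an sshd_config for PermitRootLogin no and PubkeyAuthentication yes. The function names, the sample key and the sample config are this example's own constructions; Match blocks in sshd_config are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters, so nothing
# here touches the real ~/.ssh unless you pass it in.
set -eu

# install_pubkey <id_xxx.pub> <home-dir>
# Appends the key to <home-dir>/.ssh/authorized_keys exactly once and sets
# the modes sshd insists on: a group- or world-writable ~/.ssh or
# authorized_keys makes sshd silently ignore the key under StrictModes.
install_pubkey() {
    pubkey=$1; sshdir=$2/.ssh; authkeys=$sshdir/authorized_keys
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # running twice must not duplicate the line
    if ! grep -qxF "$(cat "$pubkey")" "$authkeys"; then
        cat "$pubkey" >> "$authkeys"
    fi
}

# sshd_setting <sshd_config> <Keyword>
# Prints the effective value or "unset". sshd uses the FIRST uncommented
# occurrence of a keyword; keywords are case-insensitive.
sshd_setting() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-unset}"
}

# check_sshd <sshd_config>
# Returns 0 when root logins are refused and public-key auth is on
# (PubkeyAuthentication defaults to yes when absent), 1 otherwise.
check_sshd() {
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] || return 1
    pk=$(sshd_setting "$1" PubkeyAuthentication)
    case $pk in yes|unset) return 0 ;; *) return 1 ;; esac
}

# --- constructed demo in a temp dir; the key and config are fake ---
tmp=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDKEY user@laptop\n' > "$tmp/id_rsa.pub"
install_pubkey "$tmp/id_rsa.pub" "$tmp/home"
printf 'Port 2222\nPermitRootLogin no\n#PubkeyAuthentication yes\n' > "$tmp/sshd_config"
ls -ld "$tmp/home/.ssh" "$tmp/home/.ssh/authorized_keys"
check_sshd "$tmp/sshd_config" && echo "sshd_config: root login off, pubkey auth on"
rm -rf "$tmp"
```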