Title: Message
I have collected a few points from various sites to protect your servers from brute force attacks on ssh. They should be helpful to you.
 
==============
1. Use chrootssh to isolate your SSH users from the rest of the system.
http://chrootssh.sourceforge.net/index.php
 
2. blockhosts.py, a small Python script added to your crontab, adds an offending host to your hosts.deny after, say, 3 failed login attempts. Otherwise try BFD (Brute Force Detection), available at http://www.rfxnetworks.com/bfd.php
 
3. If possible, accept ssh traffic from known sources only. Set such a rule in the firewall.
 
4. Configure SSH to only allow certain users by adding the following line to your sshd_config:
 
AllowUsers dave
 
5. Move ssh from 2222 to something else like 60001.
 
6. Use Strong Passwords that shouldn't be easily guessable or dictionary words.
 
7. Modify your /etc/ssh/sshd_config
PermitRootLogin no
To disallow root login to ssh.
 
8. Use Publickey-Authentication for remote users with a strong passphrase and keep the key on different media like CD, floppy etc.
http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Public-Key_Authentication-2.html
 
9. Modify sshd_config to
Protocol 2
and delete 1 since there are known exploits for that.
 
10. Secured options in sshd_config file
 
AllowGroups  users
#As listed in point 4
AllowUsers  markus
ChallengeResponseAuthentication  no
ClientAliveInterval  15
DenyGroups  root
DenyUsers  root
#To secure against spoofing
KeepAlive  no
ListenAddress  192.168.0.1
LoginGraceTime  60
MaxStartups  2:50:10
PasswordAuthentication  no
#As listed in point 7
PermitRootLogin  no
#As listed in point 9
Protocol  2
#As listed in point 8
PubkeyAuthentication  yes
 

Many Thanks
Dhruv
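
An added example, not part of the original message: a small Python audit that checks sshd_config text against the single-valued settings from points 7, 8, 9 and 10. The names RECOMMENDED, parse_global, audit and SAMPLE are hypothetical, and the sample config is constructed.

```python
# Added example (hypothetical helper): audit sshd_config text against the post's settings.
RECOMMENDED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
    "protocol": "2",
}

def parse_global(text):
    """Return ({keyword: first value}, [keywords with an inline '#'])."""
    values, inline = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or whole-line comment
        fields = line.split(None, 1)
        key = fields[0].lower()           # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are out of scope here
        value = fields[1].strip() if len(fields) > 1 else ""
        if "#" in value:
            inline.append(key)            # sshd_config(5) documents only whole-line comments
            value = value.split("#", 1)[0].strip()
        values.setdefault(key, value)     # sshd keeps the first value it reads
    return values, inline

def audit(text):
    """Return sorted findings as (keyword, problem) tuples."""
    values, inline = parse_global(text)
    findings = [(k, "inline comment on value line") for k in inline]
    for key, want in RECOMMENDED.items():
        got = values.get(key)
        if got is None:
            findings.append((key, "not set, compiled-in default applies"))
        elif got.lower() != want:
            findings.append((key, f"is '{got}', post recommends '{want}'"))
    return sorted(findings)

# Constructed sample input, not taken from a real host.
SAMPLE = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
PubkeyAuthentication yes #As listed in point 8
"""

if __name__ == "__main__":
    print("\n".join(f"{k}: {p}" for k, p in audit(SAMPLE)))
```

The duplicate PasswordAuthentication line is reported as 'yes' because the first value read is the one that takes effect. On current OpenSSH releases the Protocol keyword is deprecated, so a "not set" finding for it can be ignored there.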
 

