On Tue, Feb 14, 2006 at 01:32:29PM +1100, Voytek Eymont wrote:
> 
> On Tue, February 14, 2006 11:52 am, Matthew Hannigan wrote:
> > On Tue, Feb 14, 2006 at 12:05:25PM +1100, Dave Kempe wrote:
> >> Voytek Eymont wrote:
> 
> > You probably want DenyHosts :   http://denyhosts.sourceforge.net/
> 
> > But you're far better off whitelisting than blacklisting, if you can.
> > I only accept ssh connections to my box from a few machines.
> 
> thanks
> as is, I'm the sole ssh user, though, I do use it from several hosts, not
> all known in advance to me
> 
> where do I enter 'approved' hosts ?

You can do it in at least 2 places. Do both if you like...

1. /etc/hosts.allow, /etc/hosts.deny (these files are part of 'tcp_wrappers')

        do 'man hosts.allow' to find out more.
        Put sshd: ALL in /etc/hosts.deny and sshd:<whatever> in hosts.allow

        This is part of what the 'denyhosts' program mentioned above does
        for you dynamically.

2. iptables (i.e. firewall)

Do you have iptables/firewalling on?  If so read on, if not, you probably need
to think hard about what you need to let in.  Set up a basic one with
        'system-config-security'

Then add one or more lines like:
        -A RH-Firewall-1-INPUT -m state -s <allowed-host-or-network-here> --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
in /etc/sysconfig/iptables.
Make sure a line like
        -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
is towards the end.
Then 'service iptables restart'

Also don't do this remotely just in case you lock yourself out.

> 
> my current sshd_config has:
> 
> -----------
> Protocol 2
> AllowUsers voytek

good!

> SyslogFacility AUTHPRIV
> X11Forwarding yes
> Subsystem        sftp        /usr/libexec/openssh/sftp-server
> -----------
> I guess I should get rid of the X11 line ?

doesn't matter

> what else should I do here ?
> do I need sftp-server ?

again doesn't matter, you may as well leave it.
you may want sftp access. (sftp is ssh transfers made to look a bit like ftp)

Matt


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
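A worked version of the two whitelisting steps in Matt's reply, added here as an example; it is not part of the original thread. It assumes the RH-Firewall-1-INPUT chain name and rule syntax quoted in the mail, builds a constructed /etc/sysconfig/iptables excerpt in a temp file (the networks 192.0.2.0/24 and 203.0.113.0/24 are documentation placeholders, not real hosts), and checks the ordering caveat Matt raises: an ACCEPT that lands after the catch-all REJECT never matches, which is exactly how you lock yourself out.

```shell
#!/bin/sh
# Added example, not code from the original mail. Chain name and rule
# syntax follow the thread; sample networks are constructed placeholders.

# Step 1 (tcp_wrappers): deny sshd to everyone, then allow a client list.
# Argument: space-separated hosts/networks in hosts.allow syntax.
wrappers_fragments() {
    printf '%s\n' 'hosts.deny:  sshd: ALL'
    printf '%s\n' "hosts.allow: sshd: $1"
}

# Step 2 (iptables): one ACCEPT rule for new ssh connections from a source.
ssh_accept_rule() {
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state -s $1 --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
}

# The check: every port-22 ACCEPT in the rules file must come before the
# catch-all REJECT in the same chain. Returns 0 when the order is right,
# 1 when an ACCEPT follows the REJECT or either line is missing.
check_rule_order() {
    file="$1"
    reject_line=$(grep -n -e '-A RH-Firewall-1-INPUT -j REJECT' "$file" | head -n1 | cut -d: -f1)
    [ -n "$reject_line" ] || return 1
    last_accept=$(grep -n -e '--dport 22 -j ACCEPT' "$file" | tail -n1 | cut -d: -f1)
    [ -n "$last_accept" ] || return 1
    [ "$last_accept" -lt "$reject_line" ]
}

GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT

# Constructed excerpt: ACCEPT placed before the catch-all REJECT (correct).
{
    printf '%s\n' '*filter'
    printf '%s\n' ':RH-Firewall-1-INPUT - [0:0]'
    printf '%s\n' '-A INPUT -j RH-Firewall-1-INPUT'
    ssh_accept_rule 192.0.2.0/24
    printf '%s\n' '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
} > "$GOOD_RULES"

# Same rules with the ACCEPT appended after the REJECT: it never matches.
{
    printf '%s\n' '*filter'
    printf '%s\n' ':RH-Firewall-1-INPUT - [0:0]'
    printf '%s\n' '-A INPUT -j RH-Firewall-1-INPUT'
    printf '%s\n' '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
    ssh_accept_rule 192.0.2.0/24
    printf '%s\n' 'COMMIT'
} > "$BAD_RULES"

wrappers_fragments "192.0.2.10 203.0.113.0/255.255.255.0"
ssh_accept_rule 192.0.2.0/24
if check_rule_order "$GOOD_RULES"; then
    echo "good file: ssh ACCEPT precedes the REJECT"
fi
if check_rule_order "$BAD_RULES"; then
    :
else
    echo "bad file: ssh ACCEPT sits after the REJECT and would never match"
fi
```

Run the check against your own /etc/sysconfig/iptables before 'service iptables restart', from the console rather than over ssh, as the mail advises.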