Re: Securing SSH

I don't know how to use the firewall to control access to ssh. How do you?

I have been using tcpwrappers to achieve this effect.  I had guessed
this was old fashioned because FC5 did not install xinetd
automatically.  Anyway, here is how I have protected ssh in the past.

In /etc/hosts.deny, insert

ALL: ALL

In /etc/hosts.allow, insert

portmap: 129.238.61.
ALL: 127.0.0.1
sshd: 129.238.61.
sshdfwd-X11: 129.238.61.

Make sure xinetd is running, and then all network services that it
controls are going to reject all incoming ssh if they are not in the
ip range 129.238.61.XXX.

Again, that appears to be old-fashioned; we were doing that before
iptables was in the kernel.  But I still like it!

I still wish somebody would write up a simple "how to secure your new
FC5 system" without lots of technical jargon.  But, then again, I
still run xinetd. Oh, well.

pj


On 5/24/06, Steven W. Orr <steveo@xxxxxxxxxxx> wrote:
On Tuesday, May 23rd 2006 at 10:37 -0700, quoth Brian D. McGrew:

=>Good morning,
=>
=>I'm looking to tighten up my ssh configuration.  I have to have SSH open
=>on the box at home so I can get to it from the office.  I've found
=>several articles on securing ssh that include deny root access and
=>require 'wheel' group membership for su.
=>
=>Is changing the port to something non-standard a good idea?  What else
=>can I do; can someone point me to a good write up on it?
=>
=>Thanks,
=>
=>:b!
=>
=>Brian D. McGrew { brian@xxxxxxxxxxxxx || brian@xxxxxxxxxxxxxxxxxxx }

Brian, I have the same situation as you. I have a box running at home with
a *very* limited number of people who need to access it. Instead of
cluttering up my syslog with 3 digits worth of scriptkiddies hitting my
port 22, I just changed the port nr to something else. (Pick a number
between 1 and 0xFFFFFFFF) Problem solved. It's not a "security through
obscurity" solution. ssh is already as tight as I need AFAICT. All we're
talking about is dealing with the loony robots.

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list



--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
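An added example (not from the thread or from tcp_wrappers itself) that evaluates the hosts.allow / hosts.deny rules quoted above the way hosts_access(5) does for address patterns: hosts.allow is consulted first, then hosts.deny, and a pattern only acts as a network prefix when it ends with a dot, so "129.238.61" and "129.238.61." behave differently. The file contents are constructed copies of the posted rules; the function names are my own.

```python
# Constructed copies of the two files from the post, not read from the system.
HOSTS_ALLOW = """\
portmap: 129.238.61.
ALL: 127.0.0.1
sshd: 129.238.61.
sshdfwd-X11: 129.238.61.
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients])."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """Address-pattern subset of hosts_access(5); hostnames are not handled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network-number prefix, e.g. 129.238.61.
        return addr.startswith(pattern)
    if pattern.startswith("."):      # hostname-suffix pattern; no names here
        return False
    return pattern == addr           # otherwise an exact address match


def rules_match(rules, daemon, addr):
    return any(any(d in ("ALL", daemon) for d in ds) and
               any(client_matches(c, addr) for c in cs)
               for ds, cs in rules)


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcp_wrappers would admit addr to daemon under these files."""
    if rules_match(parse_rules(allow_text), daemon, addr):
        return True                  # hosts.allow wins
    if rules_match(parse_rules(deny_text), daemon, addr):
        return False                 # then hosts.deny
    return True                      # neither file matched: access granted
```

The checker ignores hostname, net/mask and EXCEPT forms. Note that sshd consults these files only when it is built with libwrap, independently of whether xinetd is running.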
